
Configuring Google Authenticator two-factor SSH login for system users on CentOS 7

  Servers have lately been getting compromised in all sorts of ways, so security deserves real attention. This note records how to use Google's authenticator PAM plugin so that an SSH login requires a time-based one-time code from the phone in addition to the account password.

 OS:

  CentOS 7

Installation and configuration:

  1. Install the EPEL repository

yum -y install epel-release

  2. Install qrencode; the Google Authenticator enrollment tool uses it to render the QR code in the terminal

yum install -y qrencode

  3. Install the Google Authenticator PAM module by building it from source. (EPEL, enabled in step 1, also ships a prebuilt google-authenticator package; this post builds from git.) The build needs a compiler, the autotools and the PAM headers:

yum install -y git gcc autoconf automake libtool pam-devel   # build dependencies
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure --prefix=/usr/local/google-authenticator
make && make install

  4. Copy the Google Authenticator PAM module into the system PAM module directory (/lib64/security on 64-bit CentOS 7); the --prefix used above installed it under /usr/local instead

cp /usr/local/google-authenticator/lib/security/pam_google_authenticator.so /lib64/security/

  5. Configure PAM for sshd. In /etc/pam.d/sshd, add the following line directly above the `auth ... password-auth` line (`auth substack password-auth` on CentOS 7; older templates use `include`), which is what pulls in password-based authentication, so that the one-time code is checked first:

auth       required     pam_google_authenticator.so

  With `required`, a wrong code does not end the stack early: PAM still prompts for the password and only then reports failure, so a caller cannot tell which factor was wrong. Note that any user who has not yet run the enrollment tool (step 8) has no ~/.google_authenticator file and will be refused entirely; during rollout you can append `nullok` to this line to let such users in on password alone, and remove it once everyone is enrolled.

  6. Edit /etc/ssh/sshd_config so that sshd runs keyboard-interactive authentication through PAM, which is what lets the module prompt for the code (`UsePAM yes`, the CentOS 7 default, must stay set):

ChallengeResponseAuthentication yes

  Public-key logins do not pass through PAM's auth stack, so a user with an authorized key is never asked for a code by this setup. If the key should be required together with the code, set `AuthenticationMethods publickey,keyboard-interactive` as well.

  7. Restart sshd. Keep the current session open and test the new login from a second terminal before closing it, so that a mistake in the PAM or sshd configuration cannot lock you out:

systemctl restart sshd

  8. Go back into the cloned google-authenticator-libpam directory (the tool was also installed as /usr/local/google-authenticator/bin/google-authenticator) and run:

./google-authenticator    # enrolls the current user; to enroll another system user, log in as that user and run the same command
Do you want authentication tokens to be time-based (y/n) y  # answer y: time-based (TOTP) codes rather than counter-based ones

A QR code is then printed in the terminal. Install an authenticator app on the phone (Google Authenticator or any TOTP app) and scan it.

Your new secret key is:  JS57SLVUDEEA7SQ7LD6BEBWGAA   # back up this key and treat it like a password: it is what the app uses to compute every code, and it is the only way to re-enroll a new phone if the QR code or the app's entry is lost (the value shown here is the post's example)

Your verification code is 005421   # the code valid right now; the app should show the same value immediately after the scan
Your emergency scratch codes are:
# the codes below are backups for when the phone is unavailable; each one works exactly once
45412365
21522365
85124632
85124631
14785216

Do you want me to update your "/root/.google_authenticator" file (y/n) y   # y: writes the secret, the options chosen below and the scratch codes into the user's file
 
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
# y: a code that has already been used for a login is rejected until the next 30-second step, so a replayed or shoulder-surfed code is useless
 
By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y
# The post answers y, which widens the accepted window from the current step +-1 (3 tokens) to +-8 steps (17 tokens) and so gives a guessed or stolen code more time in which it is valid. The stricter answer is n; fix clock skew by running NTP on the server (chronyd on CentOS 7) instead.
 
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
# y: the module itself refuses more than 3 attempts per 30 seconds, independently of sshd's MaxAuthTries or any fail2ban rule

 9. Logging in from Xshell with the Google Authenticator code

In the Xshell session properties, change the authentication method to Keyboard Interactive. Because the module sits above password-auth in the PAM stack, the connection prompts first for the one-time code and then for the account password:

Enter the two-factor verification code (Verification code prompt; screenshot in the original post)

Enter the system password (screenshot in the original post)
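The answers given in step 8 become option lines in ~/.google_authenticator, and the PAM module checks each login attempt against them. The Python below, added here as an illustration and not code from the original post or from google-authenticator-libpam, implements the same rules: RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), the WINDOW_SIZE of 3 or 17 tokens, DISALLOW_REUSE, RATE_LIMIT and single-use scratch codes. It parses a constructed sample file whose secret is the RFC 4226/6238 test key rather than the key shown above; the names hotp, totp and AuthFile are this example's own, and the way used time steps and attempt timestamps are appended to the option lines is taken from how the module records them on disk (an assumption about the file details; the libpam source is the authority).

```python
"""The checks the PAM module applies to ~/.google_authenticator, in Python.

Added example; not code from the original post or from google-authenticator-libpam.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per token, as the enrollment prompts state

# Constructed sample in the layout google-authenticator writes: line 1 is the
# base32 secret, lines starting with '" ' are options, the rest are one-shot
# scratch codes.  The secret is the RFC 4226/6238 test key "12345678901234567890";
# the scratch codes are made up for this example.
SAMPLE_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step)


class AuthFile:
    """Parsed ~/.google_authenticator state plus the verification rules."""

    def __init__(self, text: str):
        lines = text.splitlines()
        b32 = lines[0].strip()
        # the file stores the secret without base32 padding; b32decode needs it
        self.secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))
        self.window = 3            # tokens accepted: current step and +-1
        self.disallow_reuse = False
        self.used_steps = set()    # time steps already spent on a login
        self.rate_limit = None     # (attempts, seconds) or None
        self.attempts = []         # unix times of recent attempts
        self.scratch = []
        for line in lines[1:]:
            if line.startswith('" '):
                opt, *args = line[2:].split()
                if opt == "WINDOW_SIZE":
                    self.window = int(args[0])
                elif opt == "DISALLOW_REUSE":
                    self.disallow_reuse = True
                    self.used_steps = {int(a) for a in args}     # steps appended by the module
                elif opt == "RATE_LIMIT":
                    self.rate_limit = (int(args[0]), int(args[1]))
                    self.attempts = [int(a) for a in args[2:]]   # timestamps appended by the module
            elif line.strip().isdigit():
                self.scratch.append(line.strip())

    def verify(self, code: str, now: int) -> bool:
        """True if `code` is acceptable at unix time `now`; updates the state."""
        if self.rate_limit:
            max_attempts, interval = self.rate_limit
            self.attempts = [t for t in self.attempts if now - t < interval]
            if len(self.attempts) >= max_attempts:
                return False       # over the limit: refuse without checking the code
            self.attempts.append(now)
        if code in self.scratch:   # emergency scratch code, valid exactly once
            self.scratch.remove(code)
            return True
        current = now // STEP
        half = self.window // 2    # WINDOW_SIZE 3 -> +-1 step, 17 -> +-8 steps
        for step in range(current - half, current + half + 1):
            if step < 0 or hotp(self.secret, step) != code:
                continue
            if self.disallow_reuse and step in self.used_steps:
                return False       # this token was already used for a login
            if self.disallow_reuse:
                self.used_steps.add(step)
            return True
        return False


if __name__ == "__main__":
    f = AuthFile(SAMPLE_FILE)
    now = int(time.time())
    print("current code for the sample secret:", totp(f.secret, now))
    print("accepted:", f.verify(totp(f.secret, now), now))
```

Run it and compare the printed code with an authenticator app enrolled with the secret GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ: the two agree only while the server clock is right, which is why the clock-skew prompt in step 8 exists and why NTP is the proper fix rather than a wider window.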

  That completes SSH login with Google Authenticator. Any other SSH client that supports keyboard-interactive authentication, including the stock OpenSSH ssh command, goes through the same code-then-password prompts.