Google Authenticator(谷歌身份验证器),是谷歌公司推出的一款动态令牌工具,解决账户使用时遭到的一些不安全的操作进行的“二次验证”,认证器基于RFC文档中的HOTP/TOTP算法实现 ,是一种从共享秘钥和时间或次数一次性令牌的算法。在实际应用中可以通过认证器方式对账户有更好的保护
下面在CentOS7下利用Google Authenticator实现SSH登录的二次身份验证
1、配置EPEL源
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo yum makecache
2、安装Google Authenticator
yum install google-authenticator -y
3、安装Google Authenticator
useradd yuanfan passwd yuanfan su - yuanfan google-authenticator Your new secret key is: G5RR2IJG2X74MI4ADW622R6PUA #如果在手机的谷歌身份验证器上不想通过"扫描条形码"的方式添加,就输入这个key,通过"手动输入验证码的方式" Your verification code is 906194 Your emergency scratch codes are: #下面会生成5个紧急验证码(当无法获取动态验证码或验证码不能使用时可以使用这5个), #需要注意的是:这5个验证码用一个就会少一个!请保存好! 45731126 22009120 27836115 94685459 48945214 Do you want me to update your "/home/yuanfan/.google_authenticator" file? (y/n) y #提示是否要更新验证文件,选择y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y # 禁止使用相同口令 By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y #默认动态验证码在30秒内有效,由于客户端和服务器可能会存在时间差,可将时间增加到最长4分钟,是否要这么做:这里选择y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y #是否限制尝试次数,每30秒只能尝试最多3次,这里选择y进行限制
4、修改SSH登录相关配置文件参数
如下行添加如下参数
vim /etc/pam.d/sshd (如下位置增加下面一行) auth required pam_google_authenticator.so vim /etc/ssh/sshd_config 将ChallengeResponseAuthentication修改为yes ChallengeResponseAuthentication yes service sshd restart
5、手机下载google身份验证器
以安卓手机为例 扫描QR码方式来进行绑定
6、登录验证测试
ssh yuanfan@localhost
然后输入手机google身份验证器生成的动态验证码(每30秒更新一次)
SecureCRT登录时,将Keyboard Interactive登录方式调整为第一个位置
注意,如果没有用root用户进行第三步的操作,需要先其它用户登录后su root切换到root
