最近也是伺服器各種被入侵,所以在安全上,要萬分註意,特此記錄,藉助google的身份驗證插件,獲取動態驗證碼完成ssh登陸。 OS: centos7 安裝配置: 1、 安裝epel源 2、 安裝Qrencode,谷歌身份驗證器通過該程式生成二維碼 3、安裝谷歌身份驗證器,編譯安裝 4、拷貝googl ...
最近也是伺服器各種被入侵,所以在安全上,要萬分註意,特此記錄,藉助google的身份驗證插件,獲取動態驗證碼完成ssh登陸。
OS:
centos7
安裝配置:
1、 安裝epel源
yum -y install epel-release
2、 安裝Qrencode,谷歌身份驗證器通過該程式生成二維碼
yum install -y qrencode
3、安裝谷歌身份驗證器,編譯安裝
git clone https://github.com/google/google-authenticator-libpam.git cd google-authenticator-libpam/
./bootstrap.sh
./configure –prefix=/usr/local/google-authenticator
make && make install
4、拷貝google的身份驗證器pam模塊到系統下
cp /usr/local/google-authenticator/lib/security/pam_google_authenticator.so /lib64/security/
5、配置sshd的pam認證,寫在auth include password-auth 基於密碼認證的上面一行,先基於google驗證碼認證
auth required pam_google_authenticator.so
6、修改ssh服務配置
ChallengeResponseAuthentication yes
7、 重啟ssh服務
systemctl restart sshd
8、進入剛纔克隆下來的 google-authenticator-libpam 目錄,執行
./google-authenticator #基於當前用戶做驗證,如果切換別的系統用戶,請登陸其他用戶,執行此命令即可
Do you want authentication tokens to be time-based (y/n) y #輸入y, 提示是否基於時間的認證
接下來會生成一張二維碼圖片: 手機上下載身份驗證器app軟體,掃描此二維碼
Your new secret key is: JS57SLVUDEEA7SQ7LD6BEBWGAA #此安全key需要備份,用於後續更換手機或者二維碼丟失,瀏覽器的身份驗證丟失後,通過此安全key獲取新的驗證嗎 Your verification code is 005421 #掃描上述二維碼後,查看驗證嗎,輸入 Your emergency scratch codes are: # 以下驗證嗎,是後續備用的,只能驗證一次 45412365 21522365 85124632 85124631 14785216 Do you want me to update your “/root/.google_authenticator” file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) y # 安全相關,預設繼續 If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y # 安全相關,預設繼續
9、xshell終端配置基於google驗證登陸linux主機
xshell終端的連接方式改為:keyboard Interactive
二次驗證碼輸入:
輸入系統密碼:
以上就是基於google身份驗證的ssh登陸。
