SSH使用Google Authenticator二次驗證

基本的原理如上圖：

客戶端在輸入code碼之后，才可以輸入服務器的密碼，進行賬戶驗證，方可進入服務器。

實現方式如下：

1. 安裝所需組件

# yum -y install mercurial pam-devel

2.  安裝qrencode，在Linux上，有一個名為 QrenCode 的命令行工具可以很容易幫我們生成二維碼，google authenticator命令行生成二維碼就是調用它。

# wgethttp://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz

# tar zxfqrencode-3.3.1.tar.gz

# cdqrencode-3.3.1

# ./configure--prefix=/usr && make && make install

3. 安裝GoogleAuthenticator

# wget --no-check-certificate https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2

# tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
# cd libpam-google-authenticator-1.0
# make && make install

4. SSH登錄時調用google-authenticator模塊

vim /etc/pam.d/sshd
在第一行添加如下：

auth       required    pam_google_authenticator.so

vim /etc/ssh/sshd_config

ChallengeResponseAuthenticationyes #開啟此行

UsePAM yes #添加此行

Service sshd restart

5. 生成google-authenticator配置

google-authenticator

Do youwant authentication tokens to be time-based (y/n) y

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@node3.mengtao.com%3Fsecret%3DABEXG5K6CVB56BXY

#此網址為生成的二維碼，客戶端掃描

Your newsecret key is:node3.mengtao.com

Yourverification code is 582849

Youremergency scratch codes are:

  30776626

  14200155

  80795568

  23936997

  21919909

#上面幾行數字為應急碼

Do youwant me to update your "/root/.google_authenticator" file (y/n) y

#更新配置文件

Do youwant to disallow multiple uses of the same authentication

token?This restricts you to one login about every 30s, but it increases

yourchances to notice or even prevent man-in-the-middle attacks (y/n) y

#禁止一個口令多用

Bydefault, tokens are good for 30 seconds and in order to compensate for

possibletime-skew between the client and the server, we allow an extra

tokenbefore and after the current time. If you experience problems with poor

timesynchronization, you can increase the window from its default

size of1:30min to about 4min. Do you want to do so (y/n) n

#客戶端與服務器時間誤差

If thecomputer that you are logging into isn't hardened against brute-force

loginattempts, you can enable rate-limiting for the authentication module.

Bydefault, this limits attackers to no more than 3 login attempts every 30s.

Do youwant to enable rate-limiting (y/n) y

#次數限制

在設備上輸入序列碼和掃描二維碼都可以

6. 登錄驗證