linux SSH登录使用google Authenticator进行双因子认证

来源:本站原创 Linux 超过115 views围观 0条评论

 

一、关闭SELINUX

二、安装编辑工具包

yum install wget gcc make pam-devel libpng-devel autoconf automake libtool git -y

安装
https://github.com/google/google-authenticator-libpam

git clone https://github.com/google/google-authenticator-libpam.git

./bootstrap.sh
./configure
make
sudo make install

cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

三、配置ssh服务调用google authenticator PAM插件

vim /etc/pam.d/sshd      
#在第一行(即auth       required pam_sepermit.so的下一行)增加以下代码   
auth required pam_google_authenticator.so

vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes         #修改no为yes
# Change to no to disable s/key passwords

配置完成 

重启ssh 服务
systemctl restart sshd

4生成 二维码及密钥

机制上是对每个用户生成不同的密钥,所以要生成时进入对应的帐号下面运行
[jeff1@h133 ~]$ google-authenticator

以下是过程
Your new secret key is:     #如果在手机的谷歌身份验证器上不想通过"扫描条形码"的方式添加,就输入这个key,通过"手动输入验证码的方式"。账号就是服务器主机名。
Your verification code is
Your emergency scratch codes are:      #下面会生成5个紧急验证码(当无法获取动态验证码或验证码不能使用使用可以使用这5个)
                                             #需要注意的是:这5个验证码用一个就会少一个!请保存好!

Do you want me to update your "/root/.google_authenticator" file (y/n) y       #提示是否要更新验证文件,选择y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y    #禁止使用相同口令

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n          #默认动态验证码在30秒内有效,由于客户端和服务器可能会存在时间差,可将时间增加到最长4分钟,是否要这么做:这里选择是n,继续默认30秒

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y        #是否限制尝试次数,每30秒只能尝试最多3次,这里选择y进行限制

5安装手机端
手机端安装  google_authenticator

点击扫描条行码

扫描后系统会自行添加相应验证信息

6 登陆
[root@h130 ~]# ssh jeff1@192.168.142.133
Verification code:   先输入手机验证码
Password:            财输入帐号对应的密码
Last login: Mon Jul 16 20:56:14 2018
[jeff1@h133 ~]$

结束

—-排错 无法弹出 验证码
Last login: Mon Jul 16 19:57:02 2018 from 192.168.142.1
[root@h133 ~]# tail -f /var/log/secure
Jul 16 20:36:02 h133 sshd[15702]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
Jul 16 20:36:02 h133 sshd[15704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.142.130  user=root
Jul 16 20:36:02 h133 sshd[15704]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 16 20:36:04 h133 sshd[15702]: error: PAM: Module is unknown for root from 192.168.142.130
Jul 16 20:38:13 h133 sshd[15815]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
Jul 16 20:38:13 h133 sshd[15815]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
Jul 16 20:38:17 h133 sshd[15817]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 16 20:38:20 h133 sshd[15815]: error: PAM: Module is unknown for root from 192.168.142.1
Jul 16 20:38:23 h133 sshd[15815]: error: Received disconnect from 192.168.142.1 port 40414:0:  [preauth]
Jul 16 20:38:23 h133 sshd[15815]: Disconnected from 192.168.142.1 port 40414 [preauth]

报错内容, UID 小于1000的不予进行验证
PAM 相关模块策略配置,禁止了 UID 小于 1000 的用户进行登录。

或偿式修改/etc/pam.d/sshd
auth        required      pam_succeed_if.so uid <= 1000      # 修改策略

——–排错

[root@h133 google-authenticator-libpam]# ./bootstrap.sh
./bootstrap.sh: line 15: exec: autoreconf: not found

是在不同版本的 tslib 下执行 autogen.sh 产生。它们产生的原因一样,是
因为没有安装automake 工具,      (ubuntu 10.04)用下面的命令安装好就可以了。
sudo apt-get install autoconf automake libtool
yum install -y  autoconf automake libtool

文章出自:CCIE那点事 http://www.jdccie.com/ 版权所有。本站文章除注明出处外,皆为作者原创文章,可自由引用,但请注明来源。 禁止全文转载。
本文链接:http://www.jdccie.com/?p=3844转载请注明转自CCIE那点事
如果喜欢:点此订阅本站
  • 相关文章
  • 为您推荐
  • 各种观点

暂时还木有人评论,坐等沙发!
发表评论

快捷键:Ctrl+Enter