centos7系统配置系统用户基于ssh的google身份验证
最近也是服务器各种被入侵,所以在安全上,要万分注意,特此记录,借助google的身份验证插件,获取动态验证码完成ssh登陆。
OS:
centos7
安装配置:
1、 安装epel源
yum -y install epel-release
2、 安装Qrencode,谷歌身份验证器通过该程序生成二维码
yum install -y qrencode
3、安装谷歌身份验证器,编译安装
git clone https://github.com/google/google-authenticator-libpam.git cd google-authenticator-libpam/
./bootstrap.sh
./configure –prefix=/usr/local/google-authenticator
make && make install
4、拷贝google的身份验证器pam模块到系统下
cp /usr/local/google-authenticator/lib/security/pam_google_authenticator.so /lib64/security/
5、配置sshd的pam认证,写在auth include password-auth 基于密码认证的上面一行,先基于google验证码认证
auth required pam_google_authenticator.so
6、修改ssh服务配置
ChallengeResponseAuthentication yes
7、 重启ssh服务
systemctl restart sshd
8、进入刚才克隆下来的 google-authenticator-libpam 目录,执行
./google-authenticator #基于当前用户做验证,如果切换别的系统用户,请登陆其他用户,执行此命令即可
Do you want authentication tokens to be time-based (y/n) y #输入y, 提示是否基于时间的认证
接下来会生成一张二维码图片: 手机上下载身份验证器app软件,扫描此二维码
Your new secret key is: JS57SLVUDEEA7SQ7LD6BEBWGAA #此安全key需要备份,用于后续更换手机或者二维码丢失,浏览器的身份验证丢失后,通过此安全key获取新的验证吗 Your verification code is 005421 #扫描上述二维码后,查看验证吗,输入 Your emergency scratch codes are: # 以下验证吗,是后续备用的,只能验证一次 45412365 21522365 85124632 85124631 14785216 Do you want me to update your “/root/.google_authenticator” file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) y # 安全相关,默认继续 If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y # 安全相关,默认继续
9、xshell终端配置基于google验证登陆linux主机
xshell终端的连接方式改为:keyboard Interactive
二次验证码输入:
输入系统密码:
以上就是基于google身份验证的ssh登陆。