Linux SSH login with two-factor authentication using Google Authenticator

Source: original article on this site (category: Linux)

 

1. Disable SELinux

2. Install the build tools

yum install wget gcc make pam-devel libpng-devel autoconf automake libtool git -y

Install the PAM module from https://github.com/google/google-authenticator-libpam

git clone https://github.com/google/google-authenticator-libpam.git

./bootstrap.sh
./configure
make
sudo make install

cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

3. Configure the SSH service to call the Google Authenticator PAM module

vim /etc/pam.d/sshd
# Add the following line after the first line (i.e. directly below "auth required pam_sepermit.so")
auth required pam_google_authenticator.so

vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes         # change no to yes
# Change to no to disable s/key passwords

Configuration complete.

Restart the SSH service:
systemctl restart sshd

4. Generate the QR code and secret key

The module generates a different secret for each user, so switch to the corresponding account before running the generator:
[[email protected] ~]$ google-authenticator

The process looks like this:
Your new secret key is:     # If you do not want to add the account in the phone's Google Authenticator app by "Scan a barcode", enter this key using the "manual entry" option instead. The account name is the server's hostname.
Your verification code is
Your emergency scratch codes are:      # Five emergency codes are generated below (use them when you cannot obtain a dynamic code or the code does not work).
                                             # Note: each of these 5 codes is single-use, so one fewer remains every time you use one. Keep them safe!

Do you want me to update your "/root/.google_authenticator" file (y/n) y       # asks whether to update the authentication file; choose y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y    # disallow reuse of the same code

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n          # By default a dynamic code is valid for 30 seconds; because the client and server clocks may differ, the window can be widened to at most 4 minutes. Asked whether to do so, choose n here and keep the default 30 seconds.

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y        # whether to limit login attempts to at most 3 every 30 seconds; choose y to enable the limit
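As an added example (not code from the original post or from the google-authenticator-libpam project), the Python below shows the TOTP check behind the prompts above: a code is accepted if it matches the current 30-second step or one step either side (the default 1:30 min window), and with reuse disallowed a given step is accepted only once. The secret is a constructed one (the RFC 6238 test key), not one printed by google-authenticator.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Set

# Constructed secret for this example: base32 of the RFC 6238 test key
# "12345678901234567890". On a real host the secret is the one printed after
# "Your new secret key is:" (first line of ~/.google_authenticator).
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step (30-second steps by default)."""
    return hotp(secret_b32, now // step, digits)


def verify(secret_b32: str, code: str, now: int, window: int = 1,
           used: Optional[Set[int]] = None, step: int = 30) -> Optional[int]:
    """Accept `code` if it matches the current time step or up to `window` steps
    either side (window=1 is the default 1:30 min acceptance window from the
    prompt). Returns the matching step counter, or None.
    If `used` is given, a step that was already accepted is refused and a new
    match is recorded, which is what "disallow multiple uses" means."""
    base = now // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            if used is not None:
                if counter in used:
                    return None
                used.add(counter)
            return counter
    return None
```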

5. Install the phone app
Install Google Authenticator on the phone.

Tap "Scan a barcode".

After scanning, the app adds the corresponding account automatically.

6. Log in
[[email protected] ~]# ssh [email protected]
Verification code:   enter the code from the phone first
Password:            then enter the password for the account
Last login: Mon Jul 16 20:56:14 2018
[[email protected] ~]$

Done.

---- Troubleshooting: no verification-code prompt appears
Last login: Mon Jul 16 19:57:02 2018 from 192.168.142.1
[[email protected] ~]# tail -f /var/log/secure
Jul 16 20:36:02 h133 sshd[15702]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
Jul 16 20:36:02 h133 sshd[15704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.142.130  user=root
Jul 16 20:36:02 h133 sshd[15704]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 16 20:36:04 h133 sshd[15702]: error: PAM: Module is unknown for root from 192.168.142.130
Jul 16 20:38:13 h133 sshd[15815]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
Jul 16 20:38:13 h133 sshd[15815]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
Jul 16 20:38:17 h133 sshd[15817]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 16 20:38:20 h133 sshd[15815]: error: PAM: Module is unknown for root from 192.168.142.1
Jul 16 20:38:23 h133 sshd[15815]: error: Received disconnect from 192.168.142.1 port 40414:0:  [preauth]
Jul 16 20:38:23 h133 sshd[15815]: Disconnected from 192.168.142.1 port 40414 [preauth]

The error says that users with a UID below 1000 are not put through verification:
the PAM module policy configuration forbids users with UID < 1000 from logging in.

Alternatively, try modifying /etc/pam.d/sshd:
auth        required      pam_succeed_if.so uid <= 1000      # modify the policy

-------- Troubleshooting

[[email protected] google-authenticator-libpam]# ./bootstrap.sh
./bootstrap.sh: line 15: exec: autoreconf: not found

This error occurs when running autogen.sh under different versions of tslib. The cause is the same: the automake tools are not installed. (On Ubuntu 10.04) install them with the commands below and it works.
sudo apt-get install autoconf automake libtool
yum install -y  autoconf automake libtool

Article from: CCIE那點事 http://www.qdxgqk.live/ All rights reserved. Unless a source is noted, articles on this site are the author's original work and may be freely cited, but please credit the source. Reposting in full is prohibited.
Link to this article: http://www.qdxgqk.live/?p=3844 Please credit CCIE那點事 when reposting.