At-a-glance series: Ubuntu SSH login with Google two-factor authentication, 2018

Source: original to this site. Category: Linux.

 

[email protected]:~# sudo apt-get install libpam-google-authenticator

Do you want to continue? [Y/n] y
Get:1 http://mirrors.aliyun.com/ubuntu bionic/universe amd64 libqrencode3 amd64 3.4.4-1build1 [23.9 kB]
Get:2 http://mirrors.aliyun.com/ubuntu bionic/universe amd64 libpam-google-authenticator amd64 20170702-1 [32.9 kB]
Fetched 56.8 kB in 0s (430 kB/s)                 
Selecting previously unselected package libqrencode3:amd64.
(Reading database … 102265 files and directories currently installed.)
Preparing to unpack …/libqrencode3_3.4.4-1build1_amd64.deb …
Unpacking libqrencode3:amd64 (3.4.4-1build1) …
Selecting previously unselected package libpam-google-authenticator.
Preparing to unpack …/libpam-google-authenticator_20170702-1_amd64.deb …
Unpacking libpam-google-authenticator (20170702-1) …
Setting up libqrencode3:amd64 (3.4.4-1build1) …
Processing triggers for libc-bin (2.27-3ubuntu1) …
Processing triggers for man-db (2.8.3-2) …
Setting up libpam-google-authenticator (20170702-1) …

[email protected]:~# su - jeff
[email protected]:~$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DJF5FZ4MT2IGNQC3U34WX7WE6PM%26

Your new secret key is: JF5FZ4MT2IGNQC3U34WX7WE6PM
Your verification code is 297693
Your emergency scratch codes are:
  11697012
  40723876
  64439558
  65084821
  45378293

Do you want me to update your "/home/jeff/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
[email protected]:~$ exit

3. Configure the SSH service to call the Google Authenticator PAM module

vim /etc/pam.d/sshd
# add this as the first line
auth required pam_google_authenticator.so

vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes          # change no to yes
# Change to no to disable s/key passwords

Configuration complete.

Restart the ssh service:
systemctl restart sshd
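The two edits above are small, but a typo in /etc/pam.d/sshd locks every SSH login out, so they are worth rehearsing on copies and checking afterwards. The script below is an added example written for this page, not code from the post or from libpam-google-authenticator: it takes the file paths as parameters, backs each file up, inserts the PAM line only if it is missing, rewrites the first live or commented-out ChallengeResponseAuthentication directive, and reads back the value sshd will actually use. The run_demo() function and the sample file contents it writes are constructed for illustration.

```python
"""Apply the two sshd-side changes from the walkthrough (PAM line + sshd_config directive).

Added example; it is not code from the original post or from libpam-google-authenticator.
It edits files by path so the change can be rehearsed on copies before touching /etc.
"""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

PAM_LINE = "auth required pam_google_authenticator.so"


def backup(path: Path) -> Path:
    """Keep a .bak copy next to the file; a broken /etc/pam.d/sshd locks you out."""
    bak = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, bak)
    return bak


def enable_pam_module(pam_file: Path) -> bool:
    """Put the pam_google_authenticator line first in the sshd PAM stack.
    Returns True if the file changed, False if the line was already present."""
    lines = pam_file.read_text().splitlines()
    if any(line.split() == PAM_LINE.split() for line in lines):
        return False
    pam_file.write_text("\n".join([PAM_LINE] + lines) + "\n")
    return True


def effective_value(config: Path, key: str) -> Optional[str]:
    """sshd honours the first uncommented occurrence of a directive.
    (Assumes no Match blocks; directives inside Match apply only conditionally.)"""
    for line in config.read_text().splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == key.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def set_sshd_option(config: Path, key: str, value: str) -> Optional[str]:
    """Rewrite the first live or commented-out `key ...` line to `key value`, or append one.
    Returns the value sshd will now see, as a post-condition check."""
    directive = re.compile(rf"^\s*#?\s*{re.escape(key)}\b", re.IGNORECASE)
    out, done = [], False
    for line in config.read_text().splitlines():
        if not done and directive.match(line):
            out.append(f"{key} {value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{key} {value}")
    config.write_text("\n".join(out) + "\n")
    return effective_value(config, key)


def run_demo() -> dict:
    """Rehearse both edits on constructed copies in a temp dir and report the outcome."""
    work = Path(tempfile.mkdtemp(prefix="sshd-2fa-"))
    pam = work / "sshd"
    pam.write_text("@include common-auth\naccount required pam_nologin.so\n")  # constructed
    cfg = work / "sshd_config"
    cfg.write_text(  # constructed; mirrors the stock lines quoted in the walkthrough
        "# Change to no to disable s/key passwords\n"
        "ChallengeResponseAuthentication no\n"
        "UsePAM yes\n"
    )
    backup(pam)
    backup(cfg)
    return {
        "pam_changed": enable_pam_module(pam),
        "pam_changed_again": enable_pam_module(pam),  # idempotent: second run is a no-op
        "pam_first_line": pam.read_text().splitlines()[0],
        "cra": set_sshd_option(cfg, "ChallengeResponseAuthentication", "yes"),
        "cra_lines": cfg.read_text().count("ChallengeResponseAuthentication"),
        "usepam": effective_value(cfg, "UsePAM"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
    print("On the real files: run `sshd -t` before `systemctl restart sshd`.")
```

Point enable_pam_module() and set_sshd_option() at the real files only after the dry run, and run `sshd -t` before restarting. sshd consults the PAM stack only when UsePAM is yes (the Ubuntu default), so check that too. On OpenSSH 8.7 and later the directive is named KbdInteractiveAuthentication; ChallengeResponseAuthentication is still accepted as an alias.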

4. Generate the QR code and secret key

A different secret is generated for each user, so switch to the corresponding account before running the command:
[[email protected] ~]$ google-authenticator

The process looks like this:
Your new secret key is:     # if you prefer not to add the account in the phone's Google Authenticator by "scanning the barcode", enter this key through "manual entry"; the account name is the server hostname
Your verification code is
Your emergency scratch codes are:      # five emergency codes are generated below (use them when you cannot obtain a dynamic code or the code does not work)
                                             # note: each of these five codes is consumed once it is used, so keep them safe!

Do you want me to update your "/root/.google_authenticator" file (y/n) y       # asks whether to update the authenticator file; choose y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y    # disallow reuse of the same token

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n          # by default a dynamic code is valid for 30 seconds; because client and server clocks may differ, the window can be extended to as much as 4 minutes; choose n here and keep the default 30 seconds

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y        # whether to limit attempts: at most 3 tries every 30 seconds; choose y to enable the limit
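Both google-authenticator dialogs on this page (the Ubuntu one near the top and the one in section 4) ask the same two questions: how wide the time window is, and whether a token may be used twice. The verifier below is an added example for this page, not code from libpam-google-authenticator. It implements RFC 6238 TOTP over HMAC-SHA1 (what the phone app computes) with the two knobs the dialog configures: skew_steps=1 gives the 3-code window and 30 s tolerance, skew_steps=8 gives the 17-code window and 4 minutes, and disallow_reuse remembers consumed time steps so the same code cannot log in twice. The secret is the one the walkthrough printed; the class name, method names and the timestamp used in the demo are the example's own.

```python
"""TOTP verifier (RFC 6238) showing what the google-authenticator prompts configure:
the +/-N step skew window and the "disallow multiple uses" replay check.

Added example written for this page; it is not libpam-google-authenticator's code.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per token (the app default the dialog refers to)


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """HOTP over the time counter floor(unix_time / step), HMAC-SHA1 as the app uses."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check with the two knobs from the setup dialog."""

    def __init__(self, secret_b32: str, skew_steps: int = 1, disallow_reuse: bool = True):
        self.secret = secret_b32
        self.skew_steps = skew_steps          # 1 -> 3 permitted codes, 8 -> 17 permitted codes
        self.disallow_reuse = disallow_reuse  # the "disallow multiple uses" answer
        self.used_counters = set()            # time steps already spent on a successful login

    def window_size(self) -> int:
        """Codes accepted at any instant: the current one plus skew_steps on each side."""
        return 2 * self.skew_steps + 1

    def max_skew_seconds(self) -> int:
        """Largest clock difference between phone and server that still authenticates."""
        return self.skew_steps * STEP

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now + delta
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):      # constant-time compare
                if self.disallow_reuse:
                    if counter in self.used_counters:
                        return False                     # same token presented twice
                    self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    secret = "JF5FZ4MT2IGNQC3U34WX7WE6PM"   # the secret printed in the walkthrough above
    now = int(time.time())
    verifier = TotpVerifier(secret, skew_steps=1)
    code = totp(secret, now)
    print("current code:", code)
    print("accepted:", verifier.verify(code, now), "replayed:", verifier.verify(code, now))
    print("codes accepted per instant:", verifier.window_size(),
          "or with the wide window:", TotpVerifier(secret, 8).window_size())
```

The replay set is what turns "disallow multiple uses" into the "one login about every 30s" the dialog warns about; libpam-google-authenticator keeps that state on the DISALLOW_REUSE line of ~/.google_authenticator, which is why that file must stay writable by the module.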

5. Install the phone app
Install google_authenticator on the phone.

Tap "Scan a barcode".

After scanning, the app adds the corresponding account automatically.

6. Login
[[email protected] ~]# ssh [email protected]
Verification code:   enter the phone verification code first
Password:            then enter the account's password
Last login: Mon Jul 16 20:56:14 2018
[[email protected] ~]$

End

---- Troubleshooting: the verification-code prompt does not appear
Last login: Mon Jul 16 19:57:02 2018 from 192.168.142.1
[[email protected] ~]# tail -f /var/log/secure
Jul 16 20:36:02 h133 sshd[15702]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
Jul 16 20:36:02 h133 sshd[15704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.142.130  user=root
Jul 16 20:36:02 h133 sshd[15704]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 16 20:36:04 h133 sshd[15702]: error: PAM: Module is unknown for root from 192.168.142.130
Jul 16 20:38:13 h133 sshd[15815]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
Jul 16 20:38:13 h133 sshd[15815]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
Jul 16 20:38:17 h133 sshd[15817]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 16 20:38:20 h133 sshd[15815]: error: PAM: Module is unknown for root from 192.168.142.1
Jul 16 20:38:23 h133 sshd[15815]: error: Received disconnect from 192.168.142.1 port 40414:0:  [preauth]
Jul 16 20:38:23 h133 sshd[15815]: Disconnected from 192.168.142.1 port 40414 [preauth]

Error content: users with a UID below 1000 are not verified.
The PAM module policy configuration prohibits users with a UID below 1000 from logging in.

Or try modifying /etc/pam.d/sshd:
auth        required      pam_succeed_if.so uid <= 1000      # modify the policy
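The log excerpt above mixes three different things: a module file PAM could not dlopen(), the "Module is unknown" failure that follows from it, and pam_succeed_if's uid rule. The script below is an added example written for this page, not the author's tooling: it parses lines in the /var/log/secure format, classifies each one with an ordered rule list, groups them per sshd pid, and ranks a module that failed to load above a policy denial, because a required module that cannot be loaded fails the whole stack regardless of any later rule. The sample lines are the ones quoted above, embedded as constructed input; the category names and advice text are the example's own.

```python
"""Triage sshd PAM failures in /var/log/secure (or auth.log) so a missing module is not
mistaken for a policy denial. Added example for this page; not the author's code.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the lines quoted in the troubleshooting section above.
SAMPLE_LOG = """\
Jul 16 20:36:02 h133 sshd[15702]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
Jul 16 20:36:02 h133 sshd[15704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.142.130  user=root
Jul 16 20:36:02 h133 sshd[15704]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 16 20:36:04 h133 sshd[15702]: error: PAM: Module is unknown for root from 192.168.142.130
Jul 16 20:38:13 h133 sshd[15815]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
Jul 16 20:38:13 h133 sshd[15815]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
Jul 16 20:38:17 h133 sshd[15817]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 16 20:38:20 h133 sshd[15815]: error: PAM: Module is unknown for root from 192.168.142.1
Jul 16 20:38:23 h133 sshd[15815]: error: Received disconnect from 192.168.142.1 port 40414:0:  [preauth]
Jul 16 20:38:23 h133 sshd[15815]: Disconnected from 192.168.142.1 port 40414 [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Ordered: the first pattern that matches a message wins.
RULES = [
    ("module_missing", re.compile(r"PAM unable to dlopen\((?P<path>[^)]+)\)")),
    ("module_faulty", re.compile(r"PAM adding faulty module: (?P<path>\S+)")),
    ("module_unknown", re.compile(r"PAM: Module is unknown for (?P<user>\S+) from (?P<rhost>\S+)")),
    ("policy_uid", re.compile(
        r'pam_succeed_if\(sshd:auth\): requirement "(?P<req>[^"]+)" not met by user "(?P<user>[^"]+)"')),
    ("bad_password", re.compile(
        r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)")),
]

# Order in which the categories are worth fixing: a module that cannot load fails the stack
# before any later rule such as pam_succeed_if is even relevant.
PRECEDENCE = ["module_missing", "module_faulty", "module_unknown", "policy_uid", "bad_password"]
ADVICE = {
    "module_missing": "PAM could not load the file at the path in dlopen(); confirm it exists (ls -l) "
                      "and, for a source build, where make install actually put it",
    "module_faulty": "a module in the stack failed to load; the dlopen() line names the file",
    "module_unknown": "consequence of the faulty module: a required module that cannot load fails the stack",
    "policy_uid": "pam_succeed_if denied the user under the uid rule in /etc/pam.d/sshd or an included file",
    "bad_password": "the password step (pam_unix) failed for that user and remote host",
}


def parse(text):
    """Yield (ts, host, pid, category, fields) for every sshd line; unmatched messages are 'other'."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cat, fields = "other", {}
        for name, rx in RULES:
            hit = rx.search(m["msg"])
            if hit:
                cat, fields = name, hit.groupdict()
                break
        yield m["ts"], m["host"], m["pid"], cat, fields


def triage(text):
    """Return (category counts, per-pid category timeline)."""
    counts = Counter()
    by_pid = defaultdict(list)
    for _ts, _host, pid, cat, _fields in parse(text):
        counts[cat] += 1
        by_pid[pid].append(cat)
    return dict(counts), dict(by_pid)


def root_cause(counts):
    """Highest-precedence category present, or None if nothing was recognised."""
    for cat in PRECEDENCE:
        if counts.get(cat):
            return cat
    return None


if __name__ == "__main__":
    counts, by_pid = triage(SAMPLE_LOG)
    for cat, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {cat}")
    cause = root_cause(counts)
    print("start here:", cause, "->", ADVICE[cause])
```

Feed it `tail -n 200 /var/log/secure` (or /var/log/auth.log on Ubuntu) through stdin after replacing SAMPLE_LOG, and read the per-pid timeline for the session that failed: the sequence dlopen failure, faulty module, "Module is unknown" within one pid is the signature of a module path problem rather than a user policy problem.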

-------- Troubleshooting

[[email protected] google-authenticator-libpam]# ./bootstrap.sh
./bootstrap.sh: line 15: exec: autoreconf: not found

This error also occurs when running autogen.sh under various versions of tslib; the cause is the same: the automake tools are not installed. (Ubuntu 10.04) Install them with the following command and it works.
sudo apt-get install autoconf automake libtool
yum install -y  autoconf automake libtool

Article from: CCIE那點事 http://www.qdxgqk.live/ , all rights reserved. Unless a source is noted, articles on this site are the author's original work and may be freely cited with attribution; full-text reposting is prohibited.
Link to this article: http://www.qdxgqk.live/?p=3848 . When reposting, please credit CCIE那點事.