Google Authenticator介绍
通常我们直接通过ssh输入密码连接服务器,但这样很容易遭到暴力破解,所以我们可以结合Google的动态认证+ssh密码,这样能够大大提升登录的安全性。简单来说,就是当用户通过ssh登录系统时,先输入Google的随机验证码,然后再输入服务器的ssh密码。
GoogleAuthenticator安装部署
# 1.安装依赖
[root@web01 ~]# yum -y install pam-devel libpng-devel autoconf automake
# 2.下载Google PAM插件
## 官方下载地址
[root@web01 ~]# wget https://github.com/google/google-authenticator-libpam/archive/1.04.tar.gz
# 3.解压插件
[root@web01 ~]# tar xf 1.04.tar.gz
# 4.构建代码
## 进入解压开的目录
[root@web01 ~]# cd google-authenticator-libpam-1.04/
## 执行bootstrap构建
[root@web01 google-authenticator-libpam-1.04]# ./bootstrap.sh
[root@web01 google-authenticator-libpam-1.04]# ll
total 608
-rw-r--r-- 1 root root 39614 Aug 17 20:35 aclocal.m4
drwxr-xr-x 2 root root 118 Aug 17 20:35 autom4te.cache
-rwxrwxr-x 1 root root 605 Aug 16 2017 bootstrap.sh
drwxrwxr-x 2 root root 244 Aug 17 20:35 build
-rw-r--r-- 1 root root 2736 Aug 17 20:35 config.h.in
-rwxr-xr-x 1 root root 439201 Aug 17 20:35 configure
-rw-rw-r-- 1 root root 1932 Aug 16 2017 configure.ac
drwxrwxr-x 2 root root 46 Aug 16 2017 contrib
-rw-rw-r-- 1 root root 1452 Aug 16 2017 CONTRIBUTING.md
drwxrwxr-x 2 root root 20 Aug 16 2017 examples
-rw-rw-r-- 1 root root 2622 Aug 16 2017 FILEFORMAT
-rw-rw-r-- 1 root root 11358 Aug 16 2017 LICENSE
-rw-rw-r-- 1 root root 2231 Aug 16 2017 Makefile.am
-rw-r--r-- 1 root root 80110 Aug 17 20:35 Makefile.in
drwxrwxr-x 2 root root 140 Aug 16 2017 man
-rw-rw-r-- 1 root root 7155 Aug 16 2017 README.md
drwxrwxr-x 2 root root 158 Aug 16 2017 src
drwxrwxr-x 2 root root 49 Aug 16 2017 tests
-rw-rw-r-- 1 root root 9423 Aug 16 2017 totp.html
drwxrwxr-x 2 root root 41 Aug 16 2017 utc-time
# 5.执行configure,生成Makefile
[root@web01 google-authenticator-libpam-1.04]# ./configure
# 6.编译 && 安装
[root@web01 google-authenticator-libpam-1.04]# make && make install
# 7.检查插件是否安装
[root@web01 google-authenticator-libpam-1.04]# ll /usr/local/lib/security/
total 136
-rwxr-xr-x 1 root root 1021 Aug 17 20:37 pam_google_authenticator.la
-rwxr-xr-x 1 root root 133480 Aug 17 20:37 pam_google_authenticator.so
# 8.将安装好的插件,拷贝到系统库文件目录中
[root@web01 google-authenticator-libpam-1.04]# cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/
# 9.生成初始google认证识别码
[root@web01 google-authenticator-libpam-1.04]# google-authenticator
打开手机上的Google身份验证器(Google Authenticator)app,扫描生成的二维码,或者手动输入生成的密钥。命令同时输出的紧急备用码(emergency scratch codes)请妥善保存,手机丢失或无法使用时可以用它登录。
将Google 2FA接入SSH
# 1.修改ssh认证配置
[root@web01 google-authenticator-libpam-1.04]# vim /etc/pam.d/sshd
#%PAM-1.0 # 第一个区域内添加以下内容
auth required pam_google_authenticator.so
# 2.修改SSH配置文件,关联Google认证
[root@m01 ~]# vim /etc/ssh/sshd_config
将第69行的 ChallengeResponseAuthentication no 改成 ChallengeResponseAuthentication yes,
或者注释掉第69行,并取消第68行的注释(行号因系统版本而异,以实际文件内容为准)。
注意:使用公钥登录时,sshd默认不会执行PAM的auth验证,因此公钥登录不会要求输入验证码。
# 3.重启sshd服务(重启前先用 sshd -t 检查配置语法,并保留一个已登录的会话,以免配置有误时无法再登录)
[root@web01 google-authenticator-libpam-1.04]# systemctl restart sshd
## 验证
[root@web01 google-authenticator-libpam-1.04]# ssh root@10.0.0.7
The authenticity of host '10.0.0.7 (10.0.0.7)' can't be established.
ECDSA key fingerprint is SHA256:5KRH49USplFqTLegk1cdAiaJ7C1EJR+PjWAswdkRE8E.
ECDSA key fingerprint is MD5:b3:4f:97:67:42:72:0d:12:d2:69:3c:86:9e:2c:fd:fa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.7' (ECDSA) to the list of known hosts.
Password:
Verification code:
Last login: Thu Aug 17 20:32:15 2023 from 10.0.0.1