Google Authenticator介绍

通常我们直接通过ssh输入密码连接服务器,但这样很容易遭到暴力破解,所以我们可以把Google的动态验证码与ssh密码结合起来,这样能够大大提升登录的安全性。简单来说,就是当用户通过ssh登录系统时,先输入Google的随机验证码,然后再输入服务器的ssh密码(实际的提示顺序取决于pam_google_authenticator.so这一行在/etc/pam.d/sshd中的位置;下文的验证输出中是先提示Password,再提示Verification code)。

GoogleAuthenticator安装部署

# 1.安装依赖
[root@web01 ~]# yum -y install pam-devel libpng-devel autoconf automake 

# 2.下载Google PAM插件
## 官方下载地址(源码会以root身份编译并安装为PAM模块,编译前建议确认压缩包确实来自官方仓库,并用sha256sum记录其校验和,便于在其他机器上重复安装时比对)
[root@web01 ~]# wget https://github.com/google/google-authenticator-libpam/archive/1.04.tar.gz

# 3.解压插件
[root@web01 ~]# tar xf 1.04.tar.gz 

# 4.构建代码
## 进入解压开的目录
[root@web01 ~]# cd google-authenticator-libpam-1.04/

## 执行bootstrap构建
[root@web01 google-authenticator-libpam-1.04]# ./bootstrap.sh
[root@web01 google-authenticator-libpam-1.04]# ll
total 608
-rw-r--r-- 1 root root  39614 Aug 17 20:35 aclocal.m4
drwxr-xr-x 2 root root    118 Aug 17 20:35 autom4te.cache
-rwxrwxr-x 1 root root    605 Aug 16  2017 bootstrap.sh
drwxrwxr-x 2 root root    244 Aug 17 20:35 build
-rw-r--r-- 1 root root   2736 Aug 17 20:35 config.h.in
-rwxr-xr-x 1 root root 439201 Aug 17 20:35 configure
-rw-rw-r-- 1 root root   1932 Aug 16  2017 configure.ac
drwxrwxr-x 2 root root     46 Aug 16  2017 contrib
-rw-rw-r-- 1 root root   1452 Aug 16  2017 CONTRIBUTING.md
drwxrwxr-x 2 root root     20 Aug 16  2017 examples
-rw-rw-r-- 1 root root   2622 Aug 16  2017 FILEFORMAT
-rw-rw-r-- 1 root root  11358 Aug 16  2017 LICENSE
-rw-rw-r-- 1 root root   2231 Aug 16  2017 Makefile.am
-rw-r--r-- 1 root root  80110 Aug 17 20:35 Makefile.in
drwxrwxr-x 2 root root    140 Aug 16  2017 man
-rw-rw-r-- 1 root root   7155 Aug 16  2017 README.md
drwxrwxr-x 2 root root    158 Aug 16  2017 src
drwxrwxr-x 2 root root     49 Aug 16  2017 tests
-rw-rw-r-- 1 root root   9423 Aug 16  2017 totp.html
drwxrwxr-x 2 root root     41 Aug 16  2017 utc-time

# 5.运行configure,生成Makefile
[root@web01 google-authenticator-libpam-1.04]# ./configure

# 6.编译 && 安装
[root@web01 google-authenticator-libpam-1.04]# make && make install

# 7.检查插件是否安装
[root@web01 google-authenticator-libpam-1.04]# ll /usr/local/lib/security/
total 136
-rwxr-xr-x 1 root root   1021 Aug 17 20:37 pam_google_authenticator.la
-rwxr-xr-x 1 root root 133480 Aug 17 20:37 pam_google_authenticator.so

# 8.将安装好的插件,拷贝到系统库文件目录中
[root@web01 google-authenticator-libpam-1.04]# cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/

# 9.为当前用户(此处为root)生成初始Google认证密钥;其他需要通过ssh登录的用户也要各自执行一次,否则在下文auth required的配置下将无法通过验证
[root@web01 google-authenticator-libpam-1.04]# google-authenticator

image-20230817204044401

打开手机上的Google Authenticator(两步验证)app,扫描生成的二维码,或者手动输入生成的密钥。二维码和密钥相当于第二因素的凭据,不要截图外传;同时生成的应急备用码请离线保存。

image-20230817204629846

image-20230817210512335

将Google 2FA接入SSH

# 1.修改ssh认证配置
[root@web01 google-authenticator-libpam-1.04]# vim /etc/pam.d/sshd
#%PAM-1.0     # 第一个区域内添加以下内容
auth       required     pam_google_authenticator.so

# 2.修改SSH配置文件,关联Google认证
[root@m01 ~]# vim /etc/ssh/sshd_config
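将第69行的ChallengeResponseAuthentication no改成ChallengeResponseAuthentication yes,
或者注释掉第69行并取消第68行的注释(行号以实际文件为准;较新版本的OpenSSH中该选项名为KbdInteractiveAuthentication)。
注意:以上配置只作用于密码/键盘交互式登录,使用公钥登录的用户默认不会被要求输入验证码;如需对公钥登录也强制验证码,还要另外配置AuthenticationMethods。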

# 3.重启sshd服务(重启前保留一个已登录的会话,确认新连接能正常登录后再断开,避免配置有误时被锁在服务器外)
[root@web01 google-authenticator-libpam-1.04]# systemctl restart sshd

## 验证
[root@web01 google-authenticator-libpam-1.04]# ssh root@10.0.0.7
The authenticity of host '10.0.0.7 (10.0.0.7)' can't be established.
ECDSA key fingerprint is SHA256:5KRH49USplFqTLegk1cdAiaJ7C1EJR+PjWAswdkRE8E.
ECDSA key fingerprint is MD5:b3:4f:97:67:42:72:0d:12:d2:69:3c:86:9e:2c:fd:fa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.7' (ECDSA) to the list of known hosts.
Password: 
Verification code: 
Last login: Thu Aug 17 20:32:15 2023 from 10.0.0.1

image-20230817204823819

image-20230817205008323

image-20230817211104015

CRT配置

image-20230817210702317

image-20230817211220711

image-20230817211352595

image-20230817211415414

image-20230817211452076