setenforce 0
Open the SELinux configuration file and change the setting so that SELinux stays disabled after a reboot:
vim /etc/selinux/config
SELINUX=disabled
yum install -y autoconf automake libtool pam-devel git qrencode
3. Install google-authenticator
git clone https://github.com/google/google-authenticator-libpam.git
Enter the google-authenticator-libpam directory:
cd google-authenticator-libpam/
Build and install:
./bootstrap.sh && ./configure && make && make install
Link the Google Authenticator PAM module into the system PAM module directory:
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
If that fails, copy the module instead:
cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
4. Modify the SSH PAM configuration /etc/pam.d/sshd
vim /etc/pam.d/sshd
Add the following as the third line, at the position shown below: auth required pam_google_authenticator.so
#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
:wq! to save and quit
Modify the SSH daemon configuration /etc/ssh/sshd_config
Change ChallengeResponseAuthentication no to yes:
vim /etc/ssh/sshd_config
Edit /etc/ssh/sshd_config as follows (on CentOS 6 the last line is not needed):
. . .
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
. . .
AuthenticationMethods publickey,password publickey,keyboard-interactive
:wq! to save and quit
5. Restart the SSH service
a) RHEL 6 / CentOS 6
service sshd restart
b) RHEL 7 / CentOS 7
systemctl restart sshd
6. The system configuration is complete. Now use the google-authenticator PAM plugin to generate one-time verification codes for the SSH login account.
Note: run the following as the account that needs one-time codes; switch to that account first.
a) Switch to the system account that needs verification; this example uses the root user.
b) Run the program
Then follow the prompts:
google-authenticator   # run this command
Do you want authentication tokens to be time-based (y/n) y
# asks whether tokens should be time-based; choose y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/osyunwei@osyunwei%3Fsecret%3DAXNRWARYQPHI5EAJ
Your new secret key is: AXNRWARYQPHI5WYU
Your verification code is 199255
Your emergency scratch codes are:
21767982
60638828
24009000
44681673
28015662
# The URL above is the generated QR code image (from China it can only be opened through a proxy). The secret key and 5 emergency scratch codes are also printed (used when a one-time code cannot be obtained; note: each scratch code can be used only once! Keep them safe!)
Do you want me to update your "/home/jss/.google_authenticator" file (y/n) y
# asks whether to update the verification file; choose y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
# disallow reuse of the same code
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
# By default a code is valid for 30 seconds; because client and server clocks may differ, the window can be widened to about 4 minutes. Here we choose n and keep the default 30 seconds.
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
# whether to limit attempts to at most 3 every 30 seconds; choose y
7. Open a new SSH connection (do not close the current one, in case you lock yourself out) and test whether the configuration works.
This article was published by DevOps at podipod 软库网; please credit the source when reproducing it.