Google Authenticator
Google Authenticator is a two-step verification software token that implements the time-based and HMAC-based one-time password algorithms (TOTP and HOTP) used by Google's authentication service. Those algorithms are specified in RFC 6238 and RFC 4226. Google Authenticator gives the user a six- to eight-digit one-time password as an additional check when logging in to Google or other sites. It can also generate codes for third-party applications, for example password managers or cloud storage services. Earlier versions of Google Authenticator were open source; later versions are released as proprietary software.
1. Install Google Authenticator
# Build dependencies: bootstrap.sh runs autoreconf, so the autotools are needed as well
yum -y install wget gcc make pam-devel libpng-devel autoconf automake libtool
wget https://github.com/google/google-authenticator/archive/1.02.tar.gz
tar xf 1.02.tar.gz
cd google-authenticator-1.02/libpam/
./bootstrap.sh
./configure --prefix=/usr/local/google-authenticator
make && make install
After installation the PAM module is placed at /usr/local/google-authenticator/lib/security/pam_google_authenticator.so, and the /usr/local/google-authenticator/bin directory contains a google-authenticator executable, which you run to set up a user's secret and options.
2. Copy the .so file
# PAM loads modules by name from /lib64/security on 64-bit CentOS/RHEL, so copy the module there
# (the alternative is to reference it by its full path in /etc/pam.d/sshd)
cp /usr/local/google-authenticator/lib/security/pam_google_authenticator.so /lib64/security/
3. Configure Google Authenticator
# Run the setup tool as the user who will log in (root here; each user gets their own ~/.google_authenticator)
/usr/local/google-authenticator/bin/google-authenticator
# Interactive prompts follow
# Time-based (TOTP) or counter-based (HOTP)? This guide answers n, i.e. counter-based.
# Note that TOTP derives codes from Unix time, which is time-zone independent, so time zones are
# not a reason to avoid it; the real TOTP risk is clock drift between server and phone, while
# HOTP instead risks counter desynchronisation when codes are generated but never used.
Do you want authentication tokens to be time-based (y/n) n
# Install the Authenticator app on your phone and scan the QR code that is printed here
Your new secret key is: xxxxx
Your verification code is xxx
Your emergency scratch codes are:
xxx
xxx
xxx
xxx
xxx
# The five scratch codes are for emergencies, when you cannot obtain a code or it keeps being
# rejected. Each one works exactly once. Store them safely: together with the secret key they
# are everything an attacker needs to pass this factor.
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
By default, three tokens are valid at any one time. This accounts for
generated-but-not-used tokens and failed login attempts. In order to
decrease the likelihood of synchronization problems, this window can be
increased from its default size of 3 to 17. Do you want to do so (y/n) y
# Widening the window to 17 means 17 consecutive counter values are accepted instead of 3, which
# makes a random guess more likely to succeed; keep 3 unless you actually see resync failures.
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
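To make the RFC 4226 / RFC 6238 algorithms from the introduction and the options in the prompts above concrete, here is an added example (not code from the Google Authenticator project or from this guide): the HOTP and TOTP computations the phone app performs, and a small server-side verifier that models the counter/time window (3 versus 17), single-use scratch codes and the 3-per-30 s rate limit exactly as the prompts describe them. The secret is the RFC 4226 test key; the scratch code, timestamps and the verifier's internal logic are constructed for illustration and are modelled on the prompt text, not copied from pam_google_authenticator.so.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) plus a verifier that models the
google-authenticator options. Added example; the verifier logic is an
illustration based on the prompt text, not the PAM module's own code."""
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret, base32-encoded as "Your new secret key" is printed
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the Unix time step (UTC, so
    the user's time zone never matters; only clock drift does)."""
    return hotp(secret_b32, unix_time // step, digits)


class HotpVerifier:
    """Counter-based mode (answer 'n'). window = how many consecutive counters
    at or ahead of the stored one are accepted (the prompt's 3, or 17)."""

    def __init__(self, secret_b32: str, scratch_codes, window: int = 3):
        self.secret, self.window = secret_b32, window
        self.counter = 0                      # next expected counter value
        self.scratch = set(scratch_codes)     # constructed emergency codes

    def verify(self, code: str) -> bool:
        if code in self.scratch:              # emergency code: valid exactly once
            self.scratch.remove(code)
            return True
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1          # resync; skipped counters are now dead
                return True
        return False


class TotpVerifier:
    """Time-based mode. window 3 accepts previous/current/next 30 s step
    (skew +-30 s); window 17 accepts +-8 steps (+-4 min)."""

    def __init__(self, secret_b32: str, window: int = 3, step: int = 30):
        self.secret, self.step = secret_b32, step
        self.skew = (window - 1) // 2
        self.last_step = None                 # DISALLOW_REUSE: a step authenticates once

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for t in range(now - self.skew, now + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, t), code):
                if self.last_step is not None and t <= self.last_step:
                    return False              # replay of an already used code
                self.last_step = t
                return True
        return False


class RateLimiter:
    """The 'no more than 3 login attempts every 30s' option."""

    def __init__(self, attempts: int = 3, seconds: int = 30):
        self.attempts, self.seconds, self.history = attempts, seconds, []

    def allow(self, unix_time: int) -> bool:
        self.history = [t for t in self.history if unix_time - t < self.seconds]
        if len(self.history) >= self.attempts:
            return False
        self.history.append(unix_time)
        return True


def demo() -> dict:
    """Exercise the behaviours behind each prompt; returns them for checking."""
    v = HotpVerifier(TEST_SECRET_B32, scratch_codes={"84721906"}, window=3)
    out = {
        "rfc4226_counter_0": hotp(TEST_SECRET_B32, 0),
        "rfc6238_time_59_8digits": totp(TEST_SECRET_B32, 59, digits=8),
        "hotp_accept_ahead_2": v.verify(hotp(TEST_SECRET_B32, 2)),       # counter -> 3
        "hotp_reject_old_1": v.verify(hotp(TEST_SECRET_B32, 1)),         # behind counter
        "hotp_reject_outside_window": v.verify(hotp(TEST_SECRET_B32, 6)),  # accepts 3..5
        "scratch_first_use": v.verify("84721906"),
        "scratch_second_use": v.verify("84721906"),
    }
    t = 1111111109                            # an RFC 6238 test timestamp
    tv = TotpVerifier(TEST_SECRET_B32, window=3)
    out["totp_accept"] = tv.verify(totp(TEST_SECRET_B32, t), t)
    out["totp_replay_same_step"] = tv.verify(totp(TEST_SECRET_B32, t), t + 5)
    out["totp_accept_next_step"] = tv.verify(totp(TEST_SECRET_B32, t + 30), t)
    rl = RateLimiter()
    out["rate_limit_attempts"] = [rl.allow(0), rl.allow(1), rl.allow(2), rl.allow(3)]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the RFC test vectors (755224 for counter 0, 94287082 for time 59) and shows why the window matters: with window 3 a code generated three or more counters ahead is rejected until the user resyncs, whereas with 17 it is accepted, at the price of 17 acceptable values per attempt instead of 3.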
4. Hook it into SSH and configure the client
# Add the PAM module to sshd's auth stack; put it on the first line of /etc/pam.d/sshd so
# the verification code is requested before the password
vim /etc/pam.d/sshd
auth required pam_google_authenticator.so
# Modify the sshd configuration so PAM can prompt for the code over keyboard-interactive
# authentication (UsePAM yes must also be set; in recent OpenSSH releases the option is
# spelled KbdInteractiveAuthentication and ChallengeResponseAuthentication is a deprecated alias)
vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# Public-key logins do not run the PAM auth stack, so a user with an authorized key is not asked
# for a code unless sshd_config also requires both, e.g. AuthenticationMethods publickey,keyboard-interactive.
# Keep your current session open and test the new login from a second terminal so a mistake
# cannot lock you out.
service sshd restart