Google Authenticator introduction
Usually we connect to a server over ssh simply by entering a password, but this makes it easy for the password to leak, so we can combine Google's dynamic (one-time) authentication with the ssh password, which greatly improves login security. Simply put, when a user logs into the system over ssh, they first enter the Google one-time verification code and then enter the server's ssh password.
Google Authenticator deployment
# Install dependencies
yum -y install pam-devel libpng-devel autoconf automake libtool
# Download the package
wget http://test.driverzeng.com/other/1.04.tar.gz
# Extract the archive
tar xf 1.04.tar.gz
# Enter the google-authenticator-libpam-1.04 directory
cd google-authenticator-libpam-1.04/
# Build (bootstrap the autotools files)
[root@lb02 google-authenticator-libpam-1.04]#./bootstrap.sh
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
libtoolize: copying file `build/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
configure.ac:11: installing 'build/config.guess'
configure.ac:11: installing 'build/config.sub'
configure.ac:8: installing 'build/install-sh'
configure.ac:8: installing 'build/missing'
Makefile.am: installing 'build/depcomp'
parallel-tests: installing 'build/test-driver'
# Generate the Makefile
./configure
# Compile and install
make && make install
# Check whether the PAM module was installed
ll /usr/local/lib/security/
-rwxr-xr-x 1 root root 1021 Apr 18 11:23 pam_google_authenticator.la
-rwxr-xr-x 1 root root 133552 Apr 18 11:23 pam_google_authenticator.so
# Copy the installed module into the system PAM library directory
cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/
# Generate the Google authentication secret (and QR code) for this user
google-authenticator
## Should authentication tokens change with time (time-based TOTP)
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your /root/.google_authenticator file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
Rename the account entry to username@hostIP
Add Google 2FA to SSH
# Edit the PAM configuration for sshd (add the pam_google_authenticator module built above)
vim /etc/pam.d/sshd
# Modify the ssh daemon configuration file to tie it to Google
vim /etc/ssh/sshd_config
:69   # in vim, jump to line 69 and set:
ChallengeResponseAuthentication yes
# Restart the service
systemctl restart sshd
How to verify
[root@lb02 google-authenticator-libpam-1.04]# ssh root@10.0.0.6
The authenticity of host '10.0.0.6 (10.0.0.6)' can't be established.
ECDSA key fingerprint is SHA256:VPW92P67TtEKcpIlM1gLyXvaM7dm0HXg/1jQD0ccpFI.
ECDSA key fingerprint is MD5:13:53:f1:ec:55:0e:47:b7:70:95:85:3d:5f:59:bf:5c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.6' (ECDSA) to the list of known hosts.
Verification code:   # Google verification code
Password:   # ssh password
Last login: Tue Apr 18 11:10:17 2023 from 10.0.0.1
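To make concrete what the module checks behind the `Verification code:` prompt, here is an added Python example (not part of the original page or of google-authenticator-libpam) that implements RFC 6238 TOTP and mirrors the two options chosen in the setup dialogue: the skew window (3 codes by default, 17 when widened) and the rejection of a reused token. The base32 secret is the RFC 4226 test key, constructed for the example; a real one is the secret written to /root/.google_authenticator.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # a new code every 30 seconds, as the setup dialogue states

# RFC 4226 test key, base32-encoded like the secret in /root/.google_authenticator.
# Constructed for this example only; never reuse a published key.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: int, step: int = STEP) -> str:
    """RFC 6238: the HOTP counter is the number of 30 s steps since the Unix epoch."""
    return hotp(secret_b32, now // step)


class TotpVerifier:
    """Server-side check with the options picked in the google-authenticator dialogue.
    window_size=3 accepts the previous, current and next code (30 s of skew);
    window_size=17 accepts 8 codes on each side (about 4 minutes of skew).
    disallow_reuse rejects a code whose time step already authenticated once."""

    def __init__(self, secret_b32: str, window_size: int = 3, disallow_reuse: bool = True):
        if window_size % 2 == 0:
            raise ValueError("window_size must be odd: current step plus equal halves")
        self.secret = secret_b32
        self.half = window_size // 2
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step_no in range(max(current - self.half, 0), current + self.half + 1):
            # constant-time compare so response time leaks nothing about the match
            if hmac.compare_digest(hotp(self.secret, step_no), code):
                if self.disallow_reuse and step_no in self.used_steps:
                    return False  # same token presented twice within its window
                self.used_steps.add(step_no)
                return True
        return False
```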
Google two-factor verification in Xshell