Centos服务器安全配置SSH使用Google Authenticator二次验证
操作系统:CentOS6.5
系统所需组件:mercurial pam-devel Google Authenticator
安装CentOS所需组件:
[[email protected] ~]# yum install mercurial pam-devel
安装Google Authenticator:
[[email protected]~]#wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
CSDN下载链接:http://download.csdn.net/download/baibai6095/9976903
[[email protected] ~]# tar jxvflibpam-google-authenticator-1.0-source.tar.bz2
[[email protected] ~]# cdlibpam-google-authenticator-1.0
[[email protected] ~]# make&&make install
配置SSH登录时调用google-authenticator模块认证:
[[email protected] ~]#vim /etc/pam.d/sshd
第一行添加:
修改SSH配置文件:
[[email protected] ~]# vim /etc/ssh/sshd_config
重启SSH:
[[email protected] ~]#/etc/init.d/sshd restart
生成google-authenticator配置:
[[email protected] ~]# google-authenticator
Doyou want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DABEXG5K6CVB56BXY
网址链接为二维码,通过google-authenticator客户端扫描即可添加,需要翻墙打开
Yournew secret key is: www.haiyun.me
Yourverification code is 582849
Youremergency scratch codes are:
30776626
14200155
80795568
23936997
21919909
数字为应急码,一个只能用一次,可登陆服务器后重新生成
Doyou want me to update your "/root/.google_authenticator" file (y/n) y
软件默认配置文件更新
Doyou want to disallow multiple uses of the same authentication
token?This restricts you to one login about every 30s, but it increases
yourchances to notice or even prevent man-in-the-middle attacks (y/n) y
口令不可多次使用
Bydefault, tokens are good for 30 seconds and in order to compensate for
possibletime-skew between the client and the server, we allow an extra
tokenbefore and after the current time. If you experience problems with poor
timesynchronization, you can increase the window from its default
sizeof 1:30min to about 4min. Do you want to do so (y/n) n
软件客户端与服务器上的时间误差
Ifthe computer that you are logging into isn't hardened against brute-force
loginattempts, you can enable rate-limiting for the authentication module.
Bydefault, this limits attackers to no more than 3 login attempts every 30s.
Doyou want to enable rate-limiting (y/n) y
是否限制次数
Android和IOS系统安装google-authenticator客户端,扫描添加上方网址的二维码(需要翻墙),以后在登录服务器时输入账号密码的同时还需输入google-authenticator即时生成的验证码才能登录。
第三方登录软件(sourceCRT、Xshell)设置,默认情况无法登录