To strengthen security, two-factor authentication is needed. This article describes how to combine Google Authenticator with an SSH public key so that logging in to a server requires both factors.
Dependencies
yum install git pam-devel make gcc-c++ wget -y
Google Authenticator
yum install google-authenticator
The EPEL repository must be installed first. Alternatively, build from source as follows:
Source: 运维生存时间 - https://www.ttlsa.com/safe/google-authenticator-ssh-public-key-otp/
# run inside a git clone of the google-authenticator repository, which contains the libpam directory
cd google-authenticator/libpam
./bootstrap.sh
./configure   # generates the Makefile; without this step "make" has nothing to build
make && make install
Generate the secret with google-authenticator
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
# QR code URL
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost%3Fsecret%XXXXXXXXXXXXXX
Your new secret key is: XXXXXXXXXXXX
Your verification code is 000000
# Emergency scratch codes, each usable only once
Your emergency scratch codes are:
  80801116
  43011118
  34981118
  88321117
  93711113
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
# A new token is generated every 30 seconds
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
The 5 generated one-time emergency scratch codes are for emergencies; each code becomes invalid after it has been used once.
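As an added example that is not part of the original article, the following Python models what the prompts above configure on the server side: RFC 6238 time-based codes (HMAC-SHA1, 30-second steps, 6 digits), the one-step skew window before and after the current time, rejection of an already-used token, one-time scratch codes, and the limit of 3 attempts per 30 seconds. The secret is the RFC 6238 test key, a constructed placeholder rather than the secret printed above, and the scratch code used in the sample run is constructed as well.

```python
import base64
import hashlib
import hmac
import struct
from collections import deque

# Constructed placeholder: the RFC 6238 test key "12345678901234567890" in base32.
# It is NOT the secret from the article's output; a real secret must stay private.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30      # tokens are good for 30 seconds
DIGITS = 6          # Google Authenticator shows 6-digit codes
RATE_LIMIT = 3      # at most 3 attempts ...
RATE_WINDOW = 30    # ... every 30 seconds


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, unix_time // step)


class OtpVerifier:
    """Server-side model of the options the google-authenticator prompts enable."""

    def __init__(self, secret_b32, scratch_codes, skew=1):
        self.secret = secret_b32
        self.scratch = set(scratch_codes)   # emergency codes, each usable once
        self.skew = skew                    # 1 = one step before and after (the "1:30min" window)
        self.last_step = None               # newest time step already used; blocks token reuse
        self.attempts = deque()             # timestamps of recent attempts, for rate limiting

    def _rate_limited(self, now: int) -> bool:
        # Forget attempts older than the window, then refuse if the quota is used up.
        while self.attempts and now - self.attempts[0] > RATE_WINDOW:
            self.attempts.popleft()
        if len(self.attempts) >= RATE_LIMIT:
            return True
        self.attempts.append(now)
        return False

    def verify(self, code: str, now: int) -> bool:
        if self._rate_limited(now):
            return False
        if code in self.scratch:            # emergency scratch code: consumed on first use
            self.scratch.discard(code)
            return True
        current = now // TIME_STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if self.last_step is not None and step <= self.last_step:
                continue                    # this token (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    v = OtpVerifier(SECRET_B32, ["80801116"])       # constructed scratch code
    print(totp(SECRET_B32, 59), v.verify(totp(SECRET_B32, 59), 59))
```

Because the verifier remembers the newest accepted time step, a captured code cannot be replayed, and a legitimate second login within the same 30 seconds is refused as well, which is exactly the trade-off the "disallow multiple uses" prompt describes.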
Configure SSH to use Google Authenticator
vi /etc/pam.d/sshd
auth sufficient pam_google_authenticator.so
#auth include password-auth
Add one line and comment out one line.
vi /etc/ssh/sshd_config
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
UsePAM yes
Restart the sshd service.
You may get the following error:
Starting sshd: /etc/ssh/sshd_config: line 89: Bad configuration option: AuthenticationMethods
/etc/ssh/sshd_config: terminating, 1 bad configuration options
This is because AuthenticationMethods is only supported by OpenSSH 6.2 and later. On older versions, use the following parameter instead:
RequiredAuthentications2 publickey,keyboard-interactive
Install Google Authenticator on the phone
Android version: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
iOS version: https://itunes.apple.com/cn/app/google-authenticator/id388497605
Open Google Authenticator on the phone and scan the QR code or enter the secret key.
You can also install the Google Authenticator extension for Chrome.
When you ssh into the server, you will be prompted for a Verification code:
SecureCRT settings
Keyboard interactive must be placed first.
Note: with password + Google Authenticator, a login with a public key skips the Google Authenticator verification and lands directly on the server.
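The note above and the sshd_config fragment earlier are two sides of the same rule: sshd only demands every factor when AuthenticationMethods says so. As an added example, not code from the article, the following Python applies a simplified model of that rule to two constructed configurations. ARTICLE_CONFIG repeats the directives given earlier; WEAK_CONFIG is the "password + Google Authenticator" setup the note warns about. The model tracks only which SSH methods sshd requires; what PAM asks for inside keyboard-interactive, and Match blocks, are outside it.

```python
from typing import Dict, List, Tuple

# Constructed sample configurations.
ARTICLE_CONFIG = """
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
UsePAM yes
"""

# No AuthenticationMethods: the OTP is only requested on the keyboard-interactive path.
WEAK_CONFIG = """
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value with lower-cased keys; like sshd, the first occurrence of a keyword wins."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), value.strip())
    return cfg


def login_paths(cfg: Dict[str, str]) -> List[Tuple[str, ...]]:
    """Every combination of methods that, all succeeding, opens a session.

    Simplified model of sshd: without AuthenticationMethods any single enabled
    method is enough; with it, each space-separated alternative is a comma-
    separated list that must succeed in full. Alternatives naming a disabled
    method are dropped, as sshd does at startup.
    """
    enabled = set()
    if cfg.get("pubkeyauthentication", "yes") == "yes":
        enabled.add("publickey")
    if cfg.get("passwordauthentication", "yes") == "yes":
        enabled.add("password")
    if cfg.get("challengeresponseauthentication", "yes") == "yes":
        enabled.add("keyboard-interactive")

    methods = cfg.get("authenticationmethods")
    if methods is None or methods == "any":
        return sorted((m,) for m in enabled)
    paths = []
    for alternative in methods.split():
        required = tuple(alternative.split(","))
        if all(m in enabled for m in required):
            paths.append(required)
    if not paths:
        raise ValueError("no AuthenticationMethods left after removing disabled methods")
    return paths


def otp_bypass_paths(cfg: Dict[str, str]) -> List[Tuple[str, ...]]:
    """Login paths that never reach the keyboard-interactive PAM stack, i.e. skip the OTP."""
    return [p for p in login_paths(cfg) if "keyboard-interactive" not in p]


if __name__ == "__main__":
    for name, text in (("article", ARTICLE_CONFIG), ("weak", WEAK_CONFIG)):
        cfg = parse_sshd_config(text)
        print(name, login_paths(cfg), "bypass:", otp_bypass_paths(cfg))
```

Running it shows the weak configuration accepting a bare public key (and a bare password) while the article's configuration leaves no path without keyboard-interactive; on a live host, `sshd -T` prints the effective values if you want to feed real output to the parser.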

1F
I configured it as above. The first step pops up the Verification code input box, but the second step pops up a password input box instead of public key authentication. What is going on? Wasn't password authentication disabled?