Reposted from: http://blog.5skill.com/post/27
Environment
CentOS release 6.2 x86_64
1. Install the dependency packages
yum -y install gcc make pam-devel libpng-devel
Qrencode official site: http://fukuchi.org/works/qrencode/manual/index.html
Google-authenticator official site: http://code.google.com/p/google-authenticator/
2. Install the Qrencode QR code generation tool
google authenticator generates its QR code by calling Qrencode.
wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz
tar zxf qrencode-3.3.1.tar.gz
cd qrencode-3.3.1
./configure --prefix=/usr
make && make install
3. Install google authenticator
wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make
make install
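4. Configure google authenticator
Run the google-authenticator command in a terminal and answer yes at every prompt (read the English prompts yourself). The configuration applies only to the current user.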
[email protected]:/# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DIZIF2QDS6O4X5CCF
Your new secret key is: IZIF2QDS6O4X5CCF
Your verification code is 900004
Your emergency scratch codes are:
Emergency codes: when your phone is temporarily unavailable you can log in with an emergency code; each code can be used only once.
56967667
94239338
29306791
19462054
39322681
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
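5. Install the phone client and add an account
Search for authenticator on Google Play to install the phone client.
BarcodeScanner download: https://code.google.com/p/zxing/downloads/list
Add an account:
Install by scanning the barcode
Install by adding the account manually
The account name is up to you; you can use your server's hostname so that multiple accounts are easy to tell apart. Enter the secret key generated by google-authenticator and choose time-based.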
Your new secret key is: LQOCS5HBDELWJANO
6. Configure SSH to use Authenticator for login verification
Open /etc/pam.d/sshd and add the following line as the first line:
auth required pam_google_authenticator.so
Open /etc/ssh/sshd_config and enable challenge-response authentication
ChallengeResponseAuthentication no
change it to
ChallengeResponseAuthentication yes
Restart the SSH service so the configuration takes effect
/etc/init.d/sshd restart
SSH login looks like the figure below:
If you see this, it worked.
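
One way to check the result of steps 4 and 6 from the session you are still logged in with, as an added example that is not part of the original post. The function names, the file paths passed as arguments, and the rule that the secret file must not be accessible to group or others are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the settings from steps 4 and 6.
# File paths are arguments so the checks can also run against copies.

# The first non-comment, non-blank line of the PAM file must load the module.
check_pam() {
    first=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | head -n 1)
    printf '%s\n' "$first" | grep -Eq \
        '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so'
}

# sshd uses the first value it finds for a keyword, so test the first
# uncommented ChallengeResponseAuthentication line. A missing line fails.
check_sshd() {
    val=$(grep -Ei '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$1" |
        head -n 1 | awk '{print tolower($2)}')
    [ "$val" = "yes" ]
}

# Assumption of this example: the secret file must exist and must not be
# accessible to group or others (characters 5-10 of the ls mode string).
check_secret() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

audit() {
    rc=0
    check_pam "$1" && echo "ok   pam: module is the first entry" ||
        { echo "FAIL pam: module is not the first entry in $1"; rc=1; }
    check_sshd "$2" && echo "ok   sshd: ChallengeResponseAuthentication yes" ||
        { echo "FAIL sshd: ChallengeResponseAuthentication is not yes in $2"; rc=1; }
    check_secret "$3" && echo "ok   secret: owner-only permissions" ||
        { echo "FAIL secret: $3 missing or readable by group/others"; rc=1; }
    return "$rc"
}

# Usage: sh audit.sh /etc/pam.d/sshd /etc/ssh/sshd_config /root/.google_authenticator
if [ "$#" -eq 3 ]; then
    audit "$@"
fi
```

Keep the current SSH session open until a second login succeeds, so a failed check can be corrected without losing access.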