Hardening SSH login on a Linux server with Google Authenticator

Reposted from: http://blog.5skill.com/post/27

Environment

CentOS release 6.2 x86_64

1. Install dependencies

yum -y install gcc make pam-devel libpng-devel
Qrencode homepage: http://fukuchi.org/works/qrencode/manual/index.html
Google Authenticator homepage: http://code.google.com/p/google-authenticator/

2. Install the Qrencode QR code generator

google-authenticator calls Qrencode to generate the QR code.

wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz
tar zxf qrencode-3.3.1.tar.gz
cd qrencode-3.3.1
./configure --prefix=/usr
make && make install
           

3. Install google-authenticator

wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make
make install
           

4. Configure google-authenticator

Run the google-authenticator command in a terminal and answer yes to every prompt (the English prompts are self-explanatory). The configuration only takes effect for the current user.

[email protected]:/# google-authenticator 
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DIZIF2QDS6O4X5CCF
Your new secret key is: IZIF2QDS6O4X5CCF
Your verification code is 900004
Your emergency scratch codes are:
           

Emergency scratch codes: use them when your phone is temporarily unavailable. Each code can be used only once.

56967667
  94239338
  29306791
  19462054
  39322681
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
           

5. Install the phone client and add an account

Search for "authenticator" on Google Play and install the phone client.

BarcodeScanner download: https://code.google.com/p/zxing/downloads/list

Add an account:

Set up by scanning a barcode

Set up by entering the account manually

The account name is up to you; using your server's hostname makes multiple accounts easy to tell apart. Enter the secret key generated by google-authenticator and choose the time-based option.

Your new secret key is: LQOCS5HBDELWJANO

6. Configure SSH to authenticate through Authenticator

Open /etc/pam.d/sshd and add the following line at the top:

auth       required     pam_google_authenticator.so
           

Open /etc/ssh/sshd_config and enable challenge-response authentication by changing

ChallengeResponseAuthentication no
           

to

ChallengeResponseAuthentication yes
           

Restart the SSH service for the configuration to take effect:

/etc/init.d/sshd restart
           

The SSH login then looks like the screenshot below:

[Screenshot: SSH login prompting for the verification code]

If you see this, the setup worked.
