使用Google-Authenticator加强Linux服务器SSH登录安全性

转自:http://blog.5skill.com/post/27

环境

CentOS release 6.2 x86_64

1.安装依赖包

yum -y install gcc make pam-devel libpng-devel
Qrencode官网：http://fukuchi.org/works/qrencode/manual/index.html
Google-authenticator官网：http://code.google.com/p/google-authenticator/
           

2.安装Qrencode二维码生成工具

google authenticator就是通过调用Qrencode生成二维码的

wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz
tar zxf qrencode-3.3.1.tar.gz
cd qrencode-3.3.1
./configure --prefix=/usr
make && make install
           

3.安装google authenticator

wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make
make install
           

4.配置google authenticator

终端下执行google-authenticator命令，一路yes英文自己看，只对当前用户生效

[email protected]:/# google-authenticator 
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DIZIF2QDS6O4X5CCF
           

Your new secret key is: IZIF2QDS6O4X5CCF
Your verification code is 900004
Your emergency scratch codes are:
           

紧急口令，当你手机暂时不能用可以使用紧急口令，每个口令只能使用一次

56967667
  94239338
  29306791
  19462054
  39322681
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
           

5.安装手机客户端添加帐号

google play搜索authenticator在线安装手机客户端

BarcodeScanner条码扫描器下载https://code.google.com/p/zxing/downloads/list

添加账户：

扫描条形码安装

手动添加账户安装

账户名自定义，可以定义你服务器主机名，多个账户便于识别，输入google-authenticator生成的密钥

，选择基于时间添加 

Your new secret key is: LQOCS5HBDELWJANO

6.配置SSH调用Authenticator验证登录

打开/etc/pam.d/sshd文件，在首行加入以下代码：

auth       required     pam_google_authenticator.so
           

打开/etc/ssh/sshd_config文件，开启身份认证

ChallengeResponseAuthentication no
           

改成

ChallengeResponseAuthentication yes
           

重启SSH服务使配置生效

/etc/init.d/sshd restart
           

SSH登录如下图：

显示这样就成功了