下载Google的身份验证模块:
# wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
解压缩并编译安装:
# tar xvf libpam-google-authenticator-1.0-source.tar.bz2
# cd libpam-google-authenticator-1.0
# make
# make install
而后,google的验证模块就会被复制到/lib64/security目录下,而用来生成密钥的可执行程序:google-authenticator,则复制到/usr/local/bin目录下,方便调用。
Tips:编译安装google-authenticator需要pam-devel依赖包,如果没有的话,请首先安装该依赖包。
比如,我们想为账户:liuke 增加一层额外的验证机制,则先通过google-authenticator生成密钥:
[liuke@localhost ~]$ google-authenticator Do you want authentication tokens to be time-based (y/n) y
首先会提示你,是否要基于时间生成令牌,选择Y,然后它会生成密钥,以及紧急状态使用的验证码(有5个,谨当无法获取验证码时使用,注意这些紧急验证码用一次就少一个的哟,所以这几个紧急验证码一定要保存好,关键时刻要派上大用场的),详细信息如下:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/jss@localhost.localdomain%3Fsecret%3D3V7K2ONO55DE56SD
Your new secret key is: 3V7K2ONO55DE56SD
Your verification code is
Your emergency scratch codes are:
然后会提示你是否要更新验证文件,肯定更新啊:
Do you want me to update your "/home/jss/.google_authenticator" file (y/n) y
提示是否禁止多次使用相同的令牌登录:
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
默认情况下,令牌只在30秒内有效,由于客户端和服务器时间不完全一致的因素,可以将时间窗口加大到最长4分钟,是否要这么做:
By default, tokens are good for seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of :30min to about 4min. Do you want to do so (y/n) y
是否限制尝试次数,每30秒只能尝试最多3次:
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
密钥生成好之后,下面修改PAM中关于ssh的配置,编辑/etc/pam.d/sshd文件:
# vim /etc/pam.d/sshd
增加一行:
auth required pam_google_authenticator.so
接下来再修改ssh的配置文件,编辑/etc/ssh/sshd_config文件:
# vim /etc/ssh/sshd_config
将ChallengeResponseAuthentication no修改为ChallengeResponseAuthentication yes
然后重新启动ssh服务:
当再次使用 liuke 用户以SSH方式登录时,就会提示输出验证码:
[root@localhost ~]# ssh liuke@192.168.33.126
Verification code:
那么,验证码从哪里来呢?在手机上安装一款名叫:Google身份验证器的应用。在打开的应用界面中新增帐户,然后会出现两个选择:扫描条形码(二维码),或者选择输出提供的密钥,任选其一即可。
这两项信息从哪里来呢?前面执行google-authenticator命令后首先输出的信息,那个HTTP的网址,打开你就会发现,原来它是个图片二维码,扫描即可。若网址打不开也没关系,选择密钥就OK了。
帐户添加完成后,你应该就能在手机上看到它生成的验证码了,先输入验证码,然后再输入密码,只有验证码和密码都输入正确,才能正常登录。
Password:
Last login: Tue Jan :: from 192.168.33.126
注意!!!输入验证码的时间最长只有30秒钟,超时之后该验证码就失效,需要到手机端获取新的验证码才行~