[svc] SSH + Google two-step authentication

1, Install dependencies

yum install python-pip -y
pip install docutils 
yum install gcc python-devel subversion pam pam-devel  -y

2, Download the git package

cd /home/lanny/tools/
unzip google-authenticator-master.zip 
cd google-authenticator-master
cd libpam/
./bootstrap.sh 
./configure 
make
make install 

3, Configuration files

ll /lib64/security
google-authenticator: then copy it to /usr/local/bin
ll /usr/local/bin/google-authenticator

#pl2pm /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn

4, Generate a Google verification code for the root user

[root@vpnserver ~]# google-authenticator 
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@vpnserver%3Fsecret%3D7ZSEKQI6W7GJXDDBEBJJINHY3Q%26issuer%3Dvpnserver
Your new secret key is: 7ZSEKQI6W7GJXDDBEBJJINHY3Q
Your verification code is 496552
Your emergency scratch codes are:
  70752164
  63976717
  73442435
  67261408
  95454901

Modify pam.d
[root@vpnserver pam.d]# cat /etc/pam.d/sshd 
#%PAM-1.0
auth       required     pam_google_authenticator.so <--- append
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth


=================================================
Modify the SSH configuration:

vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

Test: install Google Authenticator on your phone and log in (as the root user).

====================================================
Generate for jss:
jss, password sss
===============
[jss@vpnserver ~]$ google-authenticator 
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/jss@vpnserver%3Fsecret%3DLNS6P7ONML6LCOFPKXW4OFWYS4%26issuer%3Dvpnserver
Your new secret key is: LNS6P7ONML6LCOFPKXW4OFWYS4
Your verification code is 755883
Your emergency scratch codes are:
  41886633
  49746589
  44517353
  13151010
  41992403
=========================
Notes:
1. If you cannot log in:
cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
2, The Google Authenticator code changes every thirty seconds. This is what makes it a dynamic verification code.
3, There are 5 emergency codes; each one can be used only once.

4, By default a token is only valid for 30 seconds. Because the client and server clocks are never exactly in sync, the time window can be widened to at most 4 minutes.
5, Whether to rate-limit attempts: at most 3 attempts every 30 seconds.
6, google-authenticator is configured per user.
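To show what notes 2 to 5 mean in practice, here is an added example (not code from the page or from the google-authenticator project) of the TOTP check the PAM module performs: a 6-digit code derived from the base32 secret and the 30-second time step, a configurable skew window of N steps on each side (8 steps is the 4-minute maximum mentioned above), rejection of a code whose counter has already been used, and single-use emergency scratch codes. The secret is the RFC 6238 reference key in base32 and the scratch codes are constructed values, not the secrets printed on this page.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 6238 reference key "12345678901234567890"
# in base32, the same encoding google-authenticator prints. Not a page secret.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXAMPLE_SCRATCH = ["11111111", "22222222"]   # constructed, single-use codes
STEP_SECONDS = 30                            # default token lifetime
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` zero-padded decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step), so the
    code changes once per 30-second step (note 2)."""
    return hotp(secret_b32, unix_time // step)


class TotpVerifier:
    """Server-side check modelled on the behaviour the notes describe."""

    def __init__(self, secret_b32, scratch_codes, window_steps=1,
                 step=STEP_SECONDS):
        self.secret = secret_b32
        self.scratch = set(scratch_codes)   # note 3: burned on use
        self.window = window_steps          # note 4: steps accepted each side
        self.step = step
        self.last_counter = -1              # highest counter already consumed

    def verify(self, code: str, now: int) -> bool:
        # Emergency scratch code: accept exactly once.
        if code in self.scratch:
            self.scratch.discard(code)
            return True
        # TOTP: accept any counter within +/- window steps of the server
        # clock, but never one at or below the last counter that succeeded,
        # so a captured code cannot be replayed inside the window.
        centre = now // self.step
        lo = max(0, centre - self.window)
        for counter in range(lo, centre + self.window + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(EXAMPLE_SECRET, EXAMPLE_SCRATCH, window_steps=8)
    t = 1234567890
    print("code at", t, "is", totp(EXAMPLE_SECRET, t))
    print("first use :", v.verify(totp(EXAMPLE_SECRET, t), t))
    print("replay    :", v.verify(totp(EXAMPLE_SECRET, t), t))
    print("scratch   :", v.verify("11111111", t), v.verify("11111111", t))
```

The window is expressed in steps on each side, as pam_google_authenticator's window_size is; widening it makes skewed clients work but also lengthens how long an intercepted code stays valid, which is why the replay check keeps the last used counter. Note 5 (3 attempts per 30 seconds) would sit in front of verify() as a per-user counter and is not part of this block.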

Reference

Roll back to the original SSH state

[root@vpnserver ~]# cat /etc/pam.d/ssh
cat: /etc/pam.d/ssh: No such file or directory
[root@vpnserver ~]# cat /etc/pam.d/sshd 
#%PAM-1.0
#auth       required     pam_google_authenticator.so # just comment it out
posted @ 2018-02-26 12:02 _毛台