centos6.5使用Google auth进行双因子认证
阿里云相关链接
https://www.aliyun.com/product/ecs?source=5176.11533457&userCode=kv73ipbs&type=copy
1、环境
系统:centos6.5 x86_64
[root@uu ~]# uname -a
Linux uu 2.6.32-642.el6.x86_64 #1 SMP Wed Apr 13 00:51:26 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
要求:
时间同步
关闭SELinux
2、安装
升级git
1.7.1版本过低,现在github不支持1.7.1的git 客户端的下载了,只有从网上下载高一点的版本,并安装。
yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel -y yum install gcc perl-ExtUtils-MakeMaker -y yum remove git -y yum update -y nss curl libcurl cd /usr/src wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz --no-check-certificate tar xzf git-2.1.2.tar.gz cd git-2.1.2 make prefix=/usr/local/git all make prefix=/usr/local/git install echo "export PATH=$PATH:/usr/local/git/bin" >> /etc/bashrc source /etc/bashrc #配置git不认证https git config --global http.sslVerify false
3、安装Google auth
yum install -y git automake libtool pam-devel -y git clone https://github.com/google/google-authenticator-libpam.git cd google-authenticator-libpam/ ./bootstrap.sh ./configure make && make install cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
4、安装认证二维码
这一步可不做,没有图形二维码就手动输入程序给出的密钥。
yum install -y git qrencode
5、配置ssh服务
5.1、修改/etc/pam.d/sshd
在/etc/pam.d/sshd里添加下面这条【#放在auth include password-auth之前】
vim /etc/pam.d/sshd
auth required pam_google_authenticator.so no_increment_hotp
5.2、修改/etc/ssh/sshd_config
vim /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
/etc/init.d/sshd restart
6、配置Google auth
google-authenticator
6.1、添加主机
有2种方式:
输入“y”后,会有一个二维码
1、用手机谷歌验证器扫描这个二维码即可添加主机。
2、手动输入二维码下面的密钥添加。
然后剩下的会出现5个问题,根据提示全部选“y”即可。
6.2、客户端
我的是华为手机,贴一下华为应用市场的链接
http://a.vmall.com/uowap/index.html#/detailApp/C63790
APP在应用市场搜索谷歌认证器。
可根据需要添加多个客户端。
7、登录
输入手机动态口令
输入登录用户的密码
8、说明
[root@uu ~]# google-authenticator Do you want authentication tokens to be time-based (y/n) y Warning: pasting the following URL into your browser exposes the OTP secret to Google: https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@uu%3Fsecret%3DJQPBXCQ5UJEARJDKW56QG7PX5M%26issuer%3Duu
Your new secret key is: JQPBXCQ5UJEARJDKW56QG7PX5M
Enter code from app (-1 to skip): 441989
Code confirmed
Your emergency scratch codes are:
15017326
13268423
41466235
66165819
90381302
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
上述共需回答5个y
第1个:问你是否想做一个基于时间的令牌
第2个:是否更新你的google认证文件,由于第一次设置,所以一定选y
第3个:是否禁止口令多用,这里选择y,禁止它,以防止中间人欺骗。
第4个:默认情况,1个口令的有效期是30s,这里是为了防止主机时间和口令客户端时间不一致,设置的误差,可以选择y,也可选n,看要求严谨程度
第5个:是否打开尝试次数限制,默认情况,30s内不得超过3次登陆测试,防止别人暴力破解。
并且上面这些设置将被存储在用户的〜/.google_authenticator文件中,emergency scratch codes 中的5个代码是紧急代码,务必牢记,这是在你的动态口令无法使用的情况下使用的,记住,用一个失效一个。后期可以登陆上去后,重新生成!!