使用 Google 验证器进行二次认证

当 Google 的离线数字认证普及开后，我们其实可以将 VPS 都使用 Google 验证器的验证代码进行认证。

安装流程

1 、安装 Google-Authenticator

先安装 Google 验证，使用 Yum 方式安装即可

yum install google-authenticator

2 、将 Google-Authenticator 和设备绑定

运行 google-authenticator，类似如下界面

Do you want authentication tokens to be time-based (y/n) y

二维码区域
二维码区域
二维码区域
二维码区域

Your new secret key is: FFFFFFFFFFFFFFFFFFFFFFFFFF
Your verification code is 666666
Your emergency scratch codes are:
  11111111
  22222222
  33333333
  44444444
  55555555

Do you want me to update your "/root/.google_authenticator" file? (y/n) n

Do you want to disallow multiple uses of the same authentication
 token? This restricts you to one login about every 30s, but it increases
 your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Do you want to disallow multiple uses of the same authentication
 token? This restricts you to one login about every 30s, but it increases
 your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds. In order to compensate for
 possible time-skew between the client and the server, we allow an extra
 token before and after the current time. If you experience problems with
 poor time synchronization, you can increase the window from its default
 size of +-1min (window size of 3) to about +-4min (window size of
 17 acceptable tokens).
 Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
 login attempts, you can enable rate-limiting for the authentication module.
 By default, this limits attackers to no more than 3 login attempts every 30s.
 Do you want to enable rate-limiting (y/n) y

3 、修改 PAM 配置文件添加以允许 Google 验证器方式认证

sudo vim /etc/pam.d/sshd

#%PAM-1.0
 auth required pam_google_authenticator.so

vim /etc/ssh/sshd_config

#允许返回认证提示消息
 ChallengeResponseAuthentication yes
#认证类型 (采用证书和键盘输入认证)
 AuthenticationMethods publickey,keyboard-interactive

最后重启 SSH 服务

systemctl restart sshd.service

相关修改

GoogleAuthenticator 在 SSH 认证中会自带密码认证，所以有以下问题

1 、证书+密码+Google 验证器

#%PAM-1.0 
auth required pam_google_authenticator.so
auth substack password-auth

AuthenticationMethods publickey,keyboard-interactive

2 、证书+Google 验证器

#%PAM-1.0 
auth required pam_google_authenticator.so
#auth substack password-auth

AuthenticationMethods publickey,keyboard-interactive

3 、密码+Google 验证器

#%PAM-1.0 
auth required pam_google_authenticator.so
auth substack password-auth

AuthenticationMethods keyboard-interactive

以上是不同的认证方式所需要修改的情况。

参考文章

https://linux.cn/article-3725-1.html
https://www.cnblogs.com/hanyifeng/p/5516053.html