当 Google 的离线数字认证普及开后,我们其实可以将 VPS 都使用 Google 验证器的验证代码进行认证。
安装流程
1 、安装 Google-Authenticator
先安装 Google 验证,使用 Yum 方式安装即可
yum install google-authenticator
2 、将 Google-Authenticator 和设备绑定
运行 google-authenticator,类似如下界面
Do you want authentication tokens to be time-based (y/n) y 二维码区域 二维码区域 二维码区域 二维码区域 Your new secret key is: FFFFFFFFFFFFFFFFFFFFFFFFFF Your verification code is 666666 Your emergency scratch codes are: 11111111 22222222 33333333 44444444 55555555 Do you want me to update your "/root/.google_authenticator" file? (y/n) n Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) n If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
3 、修改 PAM 配置文件添加以允许 Google 验证器方式认证
sudo vim /etc/pam.d/sshd
#%PAM-1.0 auth required pam_google_authenticator.so
vim /etc/ssh/sshd_config
#允许返回认证提示消息 ChallengeResponseAuthentication yes #认证类型 (采用证书和键盘输入认证) AuthenticationMethods publickey,keyboard-interactive
最后重启 SSH 服务
systemctl restart sshd.service相关修改
GoogleAuthenticator 在 SSH 认证中会自带密码认证,所以有以下问题
1 、证书+密码+Google 验证器
#%PAM-1.0 auth required pam_google_authenticator.so auth substack password-auth
AuthenticationMethods publickey,keyboard-interactive
2 、证书+Google 验证器
#%PAM-1.0 auth required pam_google_authenticator.so #auth substack password-auth
AuthenticationMethods publickey,keyboard-interactive
3 、密码+Google 验证器
#%PAM-1.0 auth required pam_google_authenticator.so auth substack password-auth
AuthenticationMethods keyboard-interactive
以上是不同的认证方式所需要修改的情况。
参考文章
https://linux.cn/article-3725-1.html
https://www.cnblogs.com/hanyifeng/p/5516053.html
