【Linux】使用Google Authenticator 實現ssh登陸雙因素認證

通常來講，使用ssh遠程登陸服務器，只須要輸入帳號和密碼，顯然這種方式不是很安全。爲了安全着想，可使用GoogleAuthenticator(谷歌身份驗證器)，以便在帳號和密碼之間再增長一個驗證碼，只有輸入正確的驗證碼以後，再輸入密碼才能登陸。這樣就加強了ssh登陸的安全性。帳號、驗證碼、密碼三者缺一個都不能登陸，即便帳號和密碼正確，驗證碼錯誤，一樣登陸失敗。其中，驗證碼是動態驗證碼，而且是經過手機客戶端自動獲取（默認每隔30秒失效一次）

Google Authenticator開源版主頁 https://github.com/google/google-authenticator

1、Ubuntu安裝

一、安裝Google Authenticator

apt-get install libpam-google-authenticator

也能夠經過源碼編譯安裝

git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install

注意：在Debian7中執行./configure時可能存在如下錯誤提示

configure: error: Unable to find the PAM library or the PAM header files

在此須要安裝libpam0g-dev和libtool

apt-get -y install libpam0g-dev libtool

二、設置Google Authenticator

在手機端搜索安裝 Google Authenticator

google-authenticator
Do you want authentication tokens to be time-based (y/n) y

而後出現二維碼，使用手機端Google Authenticator掃碼,接下來服務器端繼續設置

若是沒有出現二維碼，能夠將提示的以 https://www.google.com/chart? 開頭的鏈接複製到瀏覽器中，就能夠看到二維碼了

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

修改配置文件

root@test:~# vim /etc/pam.d/sshd        #在第一行（即account    required     pam_nologin.so的下一行）增長如下代碼  
auth required pam_google_authenticator.so
  
root@test:~#  vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes          #修改no爲yes
  
root@test:~#  service ssh restart

三、手機安裝Google身份驗證器

見Centos安裝步驟

四、登陸

再次登陸的話輸入用戶名後就跟着提示兩部驗證碼，而後才輸入用戶密碼，以下：

root@test1:~$ ssh root@120.17.144.148 -p65322
The authenticity of host '[120.17.144.148]:65322 ([120.17.144.148]:65322)' can't be established.
RSA key fingerprint is 6f:d1:19:41:af:25:8d:ee:b9:54:11:c0:cc:c0:6e:cd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[120.17.144.148]:65322' (RSA) to the list of known hosts.
Verification code: 
Password: 
Last login: Tue Jan  8 16:55:15 2019 from 121.157.126.116

Welcome to aliyun Elastic Compute Service!

[root@test2 ~]#  

2、Centos安裝

一、關閉SELINUX

[root@test ~]# vim /etc/selinux/config      #永久關閉。須要reboot重啓後生效
SELINUX=enforcing 改成 SELINUX=disabled
 
[root@test ~]# setenforce 0   #臨時性關閉。不須要reboot重啓

二、安裝編輯工具包

[root@test ~]# yum install wget gcc make  pam-devel libpng-devel
[root@test ~]# yum -y install google-authenticator  qrencode mercurial

三、配置ssh服務調用google authenticator PAM插件

[root@test ~]# vim /etc/pam.d/sshd       #在第一行（即auth       required pam_sepermit.so的下一行）增長如下代碼  
auth required pam_google_authenticator.so
  
[root@test ~]# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes          #修改no爲yes
  
[root@test ~]# service sshd restart

四、使用google authenticator PAM插件爲ssh登陸帳號生成動態驗證碼

注意：哪一個帳號須要動態驗證碼，請切換到該帳號下操做。（能夠在不一樣用戶下執行這個命令以生成各自的二次驗證碼）

[root@test ~]# google-authenticator

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@iZ23e3f2jdcZ%3Fsecret%3DD76NMSG26PAUJGAR



Your new secret key is: D76NMSG26PAUJGAR
Your verification code is 829676
Your emergency scratch codes are:
51322579
63010483
39007873
32360318
54935046

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

五、手機安裝Google身份驗證器

經過此工具掃描上一步生成的二維碼圖形，獲取動態驗證碼。
在App Store裏直接能夠下載Authenticator

 

而後掃描上面在服務器上生成的二維碼，每一個用戶都會有一個單獨的二維碼

接着在ssh的客戶端裏設置，以下，設置"Keyboard Interactive"方式登陸

而後再次鏈接的時候，就會提示先輸入二次身份驗證碼，再輸入用戶密碼。

 

在Linux客戶機上遠程登陸，效果同樣：

root@test1:~$ ssh root@120.17.144.148 -p65322
The authenticity of host '[120.17.144.148]:65322 ([120.17.144.148]:65322)' can't be established.
RSA key fingerprint is 6f:d1:19:41:af:25:8d:ee:b9:54:11:c0:cc:c0:6e:cd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[120.17.144.148]:65322' (RSA) to the list of known hosts.
Verification code: 
Password: 
Last login: Tue Jan  8 16:55:15 2019 from 121.157.126.116

Welcome to aliyun Elastic Compute Service!

[root@test2 ~]#