
Google雙向認證

目錄

Google雙向認證

GoogleAuthenticator(谷歌身份驗證器)介紹:

一般來說,使用ssh遠端登入伺服器,只需要輸入賬號和密碼,顯然這種方式不是很安全。為了安全著想,可以使用GoogleAuthenticator(谷歌身份驗證器),以便在賬號和密碼之間再增加一個驗證碼,只有輸入正確的驗證碼之後,再輸入密碼才能登入。這樣就增強了ssh登入的安全性。賬號、驗證碼、密碼三者缺一個都不能登入,即使賬號和密碼正確,驗證碼錯誤,同樣登入失敗。其中,驗證碼是動態驗證碼,並且是通過手機客戶端自動獲取(預設每隔30秒失效一次)

GoogleAuthenticator安裝部署:

# 1. Install the build dependencies
[root@m01 ~]# yum -y install pam-devel libpng-devel autoconf automake libtool

# 2. Download the Google PAM module
## Official download address
[root@m01 opt]# wget https://github.com/google/google-authenticator-libpam/archive/1.04.tar.gz
## Personal mirror
## NOTE(review): this mirror is plain HTTP, and what is downloaded here becomes a PAM module
## that gates SSH logins. Prefer the HTTPS source above and compare the archive with the
## checksum/signature published by the project before building it.
[root@m01 ~]# wget http://test.driverzeng.com/other/1.04.tar.gz

# 3. Unpack the module
[root@m01 ~]# tar xf 1.04.tar.gz

# 4. Build the source
## Enter the unpacked directory
[root@m01 ~]# cd google-authenticator-libpam-1.04/
## Run bootstrap to generate the build scripts
[root@m01 google-authenticator-libpam-1.04]# ./bootstrap.sh

# 5. Configure
[root@m01 google-authenticator-libpam-1.04]# ./configure

# 6. Compile && install
[root@m01 google-authenticator-libpam-1.04]# make && make install

# 7. Check that the module was installed (default prefix is /usr/local)
[root@m01 google-authenticator-libpam-1.04]# ll /usr/local/lib/security/
-rwxr-xr-x 1 root root 1021 May 25 09:15 pam_google_authenticator.la
-rwxr-xr-x 1 root root 133552 May 25 09:15 pam_google_authenticator.so

# 8. Copy the installed module into the system PAM module directory
## (presumably so that the bare module name used later in /etc/pam.d/sshd resolves — confirm
## against the PAM module search path on the target system)
[root@m01 ~]# cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/

# 9. Generate the initial Google authentication secret
## Run this as the account that will log in over SSH: the secret is written to that user's
## ~/.google_authenticator (here /root/.google_authenticator, see the last prompt below);
## other accounts presumably need their own run.
[root@m01 ~]# google-authenticator
## Whether the tokens change over time (time-based, TOTP)
Do you want authentication tokens to be time-based (y/n) y
## NOTE(review): everything printed below is secret material. The secret key is the second
## factor itself and the emergency scratch codes are the fallback for logging in without the
## phone; keep them out of shell history, screenshots and shared notes. The values shown here
## are the example output from the original post.
Your new secret key is: 7WHLC4Z6LT3W4BTK6OR2AVCR7E
Your verification code is 020267
Your emergency scratch codes are:
81061642
20695747
19608008
26971435
40551289
## Whether to write the google_authenticator file
Do you want me to update your "/root/.google_authenticator" file? (y/n) 

手機下載GoogleAuthenticator掃碼生成動態認證令牌

將Google 2FA接入SSH

# 1. Add the module to the SSH PAM stack
[root@m01 ~]# vim /etc/pam.d/sshd
## Added line: with `required`, a wrong verification code makes the login fail.
## NOTE(review): where this line sits relative to the existing password modules decides
## whether the code is asked for before or after the password — TODO confirm against the
## existing file.
auth 	required 	pam_google_authenticator.so

# 2. Edit the sshd config so the PAM prompt for the code can be shown (challenge-response auth)
[root@m01 ~]# vim /etc/ssh/sshd_config
## "69" is the editor's line number, not part of the setting
69 ChallengeResponseAuthentication yes

# 3. Restart sshd
## NOTE(review): keep an already-authenticated SSH session open while restarting; if the PAM
## change is wrong (e.g. the module is not found) you can otherwise lock yourself out.
[root@m01 ~]# systemctl restart sshd

使用Python指令碼登入CRT:

# $language = "python"
# $interface = "1.0"
import hmac, base64, struct, hashlib, time,re

# Get the tab object the script is running in (crt is supplied by the SecureCRT scripting host)
objTab = crt.GetScriptTab()
#objTab = crt.GetActiveTab()
# Synchronous screen mode so WaitForStrings/ReadString do not miss output (per SecureCRT's scripting docs — confirm)
objTab.Screen.Synchronous = True
objTab.Screen.IgnoreEscape = True
# Get the tab's caption (terminal name); the target IP is parsed out of it below
tabName=objTab.Caption
reIp=r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
# First IPv4-looking string in the caption; raises IndexError if the caption contains none
hostIp=re.findall(reIp,tabName)[0]
# NOTE(review): the TOTP secret hard-coded here is the second factor itself — anyone who can read
# this script can generate valid codes for that account. Keep it in a protected file or a
# credential store rather than in the script (this value is the one from the original post).
secretKey="NJZ4E6D7JHMIYLK5MFJLSWYDSE"

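def calGoogleCode(secretKey, timestamp=None, period=30, digits=6):
    """Compute a TOTP (RFC 6238) code from a base32 secret, as Google Authenticator does.

    Arguments:
        secretKey: base32-encoded shared secret, with or without trailing '='
                   padding (google-authenticator prints it without padding).
        timestamp: Unix time to compute the code for; defaults to the current time.
        period:    time-step length in seconds (Google Authenticator uses 30).
        digits:    number of code digits (Google Authenticator uses 6).
    Returns:
        The code as a zero-padded decimal string of `digits` characters.
    Raises:
        binascii.Error (TypeError on Python 2) from base64.b32decode if the
        secret is not valid base32.
    """
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // period
    # base64.b32decode needs a length that is a multiple of 8: drop whitespace and
    # any padding the caller supplied, then re-pad to the next multiple of 8. The
    # previous formula added 4 '=' even when the length was already a multiple of
    # 8 (16- or 32-character keys), which made b32decode reject the key.
    stripped = "".join(secretKey.split()).rstrip('=')
    padded = stripped + '=' * ((-len(stripped)) % 8)
    key = base64.b32decode(padded, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226 5.3): the low nibble of the last digest byte is
    # the offset. bytearray() yields ints on both Python 2 and 3; indexing the raw
    # digest gives a 1-char str on 2 but an int on 3, so ord(str(...)) broke on 3.
    offset = bytearray(digest)[-1] & 0x0f
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7fffffff
    return str(truncated % (10 ** digits)).zfill(digits)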

def get_string(objTab, szStart, szPrompt):
    """Block until szStart shows up on the tab's screen, then return the text read up to szPrompt.

    objTab is a SecureCRT tab object; only its Screen.WaitForStrings and
    Screen.ReadString are used.
    """
    screen = objTab.Screen
    screen.WaitForStrings(szStart)
    captured = screen.ReadString(szPrompt)
    return captured
def send_string(objTab, waitString, strings, selfSleepTime=20):
    """Wait for waitString on the screen, type strings one character at a time, then press Enter.

    After typing, waits for the typed text to appear on screen (i.e. to be echoed)
    before sending the carriage return, unless strings already ends with '\\r'.
    selfSleepTime is accepted for compatibility but not used.
    """
    screen = objTab.Screen
    screen.WaitForStrings(waitString)
    time.sleep(0.0001)
    for ch in strings:
        crt.Sleep(5)
        screen.Send(ch)
    # wait for the echo of what was just typed
    screen.WaitForStrings(strings)
    if strings[-1] != '\r':
        screen.Send('\r')

def send_pass(objTab, waitString, strings):
    """Wait for waitString on the screen, type strings one character at a time, then press Enter.

    Unlike send_string this does not wait for the typed text to be echoed back —
    presumably because password and verification-code prompts do not echo input.
    """
    screen = objTab.Screen
    screen.WaitForStrings(waitString)
    for ch in strings:
        crt.Sleep(5)
        screen.Send(ch)
    if strings[-1] != '\r':
        screen.Send('\r')
    time.sleep(0.01)

# Send the 2FA code (TOTP derived from secretKey) when the server prompts for it
send_pass(objTab,'Verification code:',calGoogleCode(secretKey))
## Send the password
## NOTE(review): the SSH password is stored in clear text here next to the TOTP secret, so the
## script holds the complete credential set. Read it from a protected source instead.
send_pass(objTab,'Password: ','1')   # '1' is the server password
# Send the target host IP (parsed from the tab caption) at the 'Opt> ' prompt — presumably a
# jump-host menu; confirm
send_string(objTab,'Opt> ',hostIp)
    
#objTab.Screen.WaitForStrings("[MFA auth]: ","")
#if objTab.Screen.WaitForStrings("Opt> ",1):
#    #傳送登入ip  克隆會話,不需要二次驗證碼
#    send_string(objTab,'Opt> ',hostIp)
#else:     
#    #傳送2fa
#    send_pass(objTab,'[MFA auth]: ',calGoogleCode(secretKey))
#    #傳送登入ip
#    send_string(objTab,'Opt> ',hostIp)