
Installing Google Authenticator on CentOS (has problems, still investigating...)

Installing the required tools

yum install google-authenticator -y

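# Basic configuration: switch to the user that needs to use one-time passwords

PS: 5 emergency codes are generated below (use them when you cannot obtain a one-time code or the code does not work). Each of these 5 codes can be used only once, so every one you use is gone! Store them safely!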


Do you want me to update your "~/.google_authenticator" file (y/n) y
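# Do you want to disallow using the same authentication token more than once? This limits you to one login about every 30 seconds, but it increases your chances of noticing or even preventing a man-in-the-middle attack.
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
# By default a token is valid for 30 seconds. To compensate for possible time skew between the client and the server, an extra token before and after the current time is accepted. If you run into problems with poor time synchronization, you can increase the window from its default size of 1:30 minutes to about 4 minutes. Do you want to do so?
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
# If the computer you are logging into is not hardened against brute-force login attempts, you can enable rate limiting for the authentication module. By default this limits an attacker to no more than 3 login attempts every 30 seconds. Do you want to enable rate limiting?
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y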
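
An added example, not part of the original post and not the PAM module's own code: a minimal RFC 6238 TOTP check in Python showing what the token-reuse and time-window answers above control. The TotpVerifier class, its parameter names and the widened window value are assumptions made for illustration; the secret is the published RFC 4226 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a token is valid, as stated in the prompt above
RFC_TEST_KEY = b"12345678901234567890"  # RFC 4226 test secret, never a real one


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Hypothetical verifier modelling the window and reuse settings."""

    def __init__(self, key: bytes, window: int = 3, disallow_reuse: bool = True):
        self.key = key
        self.window = window  # accepted time steps: 3 = previous, current, next
        self.disallow_reuse = disallow_reuse
        self.used = set()  # time-step counters that already produced a login

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        half = self.window // 2
        # Walk every time step inside the skew window around "now".
        for counter in range(max(0, current - half), current + half + 1):
            if hmac.compare_digest(hotp(self.key, counter), code):
                if self.disallow_reuse and counter in self.used:
                    return False  # same token presented again: reject as replay
                self.used.add(counter)
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC_TEST_KEY)
    token = hotp(RFC_TEST_KEY, 59 // STEP)
    print("first use :", v.verify(token, now=59))
    print("replay    :", v.verify(token, now=65))
    print("90s late  :", TotpVerifier(RFC_TEST_KEY).verify(token, now=125))
```

A wider window tolerates more clock drift but also lengthens the time during which an intercepted token stays usable, which is why keeping the server clock synchronized is preferable to enlarging the window.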

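Modifying the basic configuration files

# Modify the login authentication module loading in /etc/pam.d/sshd

# Modify the SSH service configuration in /etc/ssh/sshd_config

Change ChallengeResponseAuthentication to yes

Restart the service: /etc/init.d/sshd restart

Client side

Download the Google Authenticator app on your phone

iOS: https://apps.apple.com/cn/app/google-authenticator/id388497605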