
[Linux] Two-factor authentication for SSH logins with Google Authenticator

Normally an SSH login to a server only asks for a username and a password, which is clearly not very secure. To improve on this you can use Google Authenticator to add a verification code between the username and the password: only after the correct code has been entered does the password prompt appear, and only then can you log in. This strengthens SSH login security. All three of username, verification code and password are required; even with the correct username and password, a wrong verification code makes the login fail. The verification code is dynamic and is obtained automatically from the phone app (by default it expires every 30 seconds).

Google Authenticator open-source project page: https://github.com/google/google-authenticator

I. Installation on Ubuntu

1. Install Google Authenticator

apt-get install libpam-google-authenticator

It can also be built and installed from source:

git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install

Note: on Debian 7, running ./configure may fail with the following error:

configure: error: Unable to find the PAM library or the PAM header files

In that case install libpam0g-dev and libtool:

apt-get -y install libpam0g-dev libtool

2. Configure Google Authenticator

Search for and install Google Authenticator on your phone, then run the setup tool on the server:

google-authenticator
Do you want authentication tokens to be time-based (y/n) y

A QR code is then displayed; scan it with Google Authenticator on the phone and continue with the setup on the server.

If no QR code appears, copy the link beginning with https://www.google.com/chart from the prompt into a browser to see the QR code.

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Edit the configuration files (the hostname in the prompts below is a placeholder):

root@<host>:~# vim /etc/pam.d/sshd        # add the following line near the top, directly after the line "account    required     pam_nologin.so"
auth required pam_google_authenticator.so

root@<host>:~# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes          # change no to yes

root@<host>:~# service ssh restart

3. Install the Google Authenticator app on the phone

See the CentOS steps below.

4. Log in

On the next login, after entering the username you are first prompted for the two-step verification code, and only then for the user's password, as shown below (the client hostname and the login user are placeholders):

<user>@<client>:~$ ssh <user>@120.17.144.148 -p65322
The authenticity of host '[120.17.144.148]:65322 ([120.17.144.148]:65322)' can't be established.
RSA key fingerprint is 6f:d1:19:41:af:25:8d:ee:b9:54:11:c0:cc:c0:6e:cd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[120.17.144.148]:65322' (RSA) to the list of known hosts.
Verification code: 
Password: 
Last login: Tue Jan  8 16:55:15 2019 from 121.157.126.116

Welcome to aliyun Elastic Compute Service!

[root@<host> ~]#

II. Installation on CentOS

1. Turn off SELinux

[root@<host> ~]# vim /etc/selinux/config      # permanent; takes effect after a reboot
change SELINUX=enforcing to SELINUX=disabled

[root@<host> ~]# setenforce 0   # temporary; no reboot needed

2. Install the build tools and packages

[root@<host> ~]# yum install wget gcc make pam-devel libpng-devel
[root@<host> ~]# yum -y install google-authenticator qrencode mercurial

3. Configure the SSH service to call the google-authenticator PAM module

[root@<host> ~]# vim /etc/pam.d/sshd       # add the following line near the top, directly after the line "auth       required pam_sepermit.so"
auth required pam_google_authenticator.so

[root@<host> ~]# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes          # change no to yes

[root@<host> ~]# service sshd restart

4. Generate a dynamic verification code for the SSH login account with the google-authenticator PAM tool

Note: run this as the account that needs the dynamic verification code, switching to that account first. (Run the command under each user separately to generate a second-factor secret for each of them.)

[root@<host> ~]# google-authenticator

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@<host>%3Fsecret%3DD76NMSG26PAUJGAR

Your new secret key is: D76NMSG26PAUJGAR
Your verification code is 829676
Your emergency scratch codes are:
51322579
63010483
39007873
32360318
54935046

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
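The setup prompts in both sections (the 30-second token, the extra token accepted before and after the current time, and the rejection of a token that has already been used) are choices about how the server checks the code. The Python below is an added example, not code from the original post or from the google-authenticator project: it computes RFC 6238 TOTP codes for a base32 secret and checks them with a configurable skew window and a record of already-spent time steps, so the effect of each answer can be seen directly. The secret used in the test is the RFC 6238 reference key, constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # token lifetime in seconds, as stated in the setup prompts
DIGITS = 6   # google-authenticator displays 6-digit codes


def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at Unix time `at`."""
    secret_b32 = secret_b32.strip().upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Models the two setup choices: skew window and single-use tokens.

    skew_steps=1 accepts the previous, current and next token (the 1:30 min
    window mentioned in the prompt); disallow_reuse rejects a time step whose
    token was already accepted, as the "disallow multiple uses" answer does.
    """

    def __init__(self, secret_b32, skew_steps=1, disallow_reuse=True):
        self.secret = secret_b32
        self.skew = skew_steps
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()      # time steps whose token was already spent

    def verify(self, code, at=None):
        """Return True if `code` is valid at time `at` and is not a replay."""
        at = time.time() if at is None else at
        now_step = int(at) // STEP
        for delta in range(-self.skew, self.skew + 1):
            step = now_step + delta
            if not hmac.compare_digest(totp(self.secret, step * STEP), code):
                continue
            if self.disallow_reuse and step in self.used_steps:
                return False         # correct code, but already used: replay
            self.used_steps.add(step)
            return True
        return False
```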

5. Install the Google Authenticator app on the phone

Use the app to scan the QR code generated in the previous step and obtain the dynamic verification code.
The Authenticator app can be downloaded directly from the App Store.

Then scan the QR code generated on the server above; every user has their own separate QR code.

Next, configure the SSH client to log in with the "Keyboard Interactive" method.

On the next connection you are prompted first for the second-factor verification code and then for the user's password.

Logging in remotely from a Linux client gives the same result (the client hostname and the login user are placeholders):

<user>@<client>:~$ ssh <user>@120.17.144.148 -p65322
The authenticity of host '[120.17.144.148]:65322 ([120.17.144.148]:65322)' can't be established.
RSA key fingerprint is 6f:d1:19:41:af:25:8d:ee:b9:54:11:c0:cc:c0:6e:cd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[120.17.144.148]:65322' (RSA) to the list of known hosts.
Verification code: 
Password: 
Last login: Tue Jan  8 16:55:15 2019 from 121.157.126.116

Welcome to aliyun Elastic Compute Service!

[root@<host> ~]#