
Hardening SSH Login with Google Authenticator Two-Step Verification

Home page of the open-source Google Authenticator: https://github.com/google/google-authenticator

Installing Google Authenticator

Ubuntu (11.10 and later) already ships the libpam-google-authenticator package, so it can be installed directly with apt-get:

    apt-get install libpam-google-authenticator

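On other systems it can be built and installed from source:

    git clone https://github.com/google/google-authenticator.git
    # run the remaining steps from the cloned directory that contains bootstrap.sh
    ./bootstrap.sh
    ./configure
    make
    make install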

Note: on Debian 7, running ./configure may fail with the following error:

configure: error: Unable to find the PAM library or the PAM header files

In that case, install libpam0g-dev and libtool:

    apt-get -y install libpam0g-dev libtool

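Configuring Google Authenticator

Search for and install Google Authenticator on your phone, then run the following on the server:

    google-authenticator
    Do you want authentication tokens to be time-based (y/n) y

A QR code then appears. Scan it with Google Authenticator on the phone, then continue the setup on the server.

If no QR code appears, copy the printed link that begins with https://www.google.com/chart? into a browser to display the QR code. The link encodes the account's secret key, so treat it as sensitive.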

    Do you want me to update your "/root/.google_authenticator" file (y/n) y

    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y

    By default, tokens are good for 30 seconds and in order to compensate for
    possible time-skew between the client and the server, we allow an extra
    token before and after the current time. If you experience problems with poor
    time synchronization, you can increase the window from its default
    size of 1:30min to about 4min. Do you want to do so (y/n) y

    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting (y/n) y

Next, wire Google Authenticator verification into SSH login.

Edit /etc/pam.d/sshd, add the following line, and save:

    auth required pam_google_authenticator.so

Edit /etc/ssh/sshd_config and find this line:

    ChallengeResponseAuthentication no

Change it to:

    ChallengeResponseAuthentication yes

Restart the SSH service:

    service ssh restart
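
The two edits above can be checked statically before the restart. The script below is an added example, not part of the original article; the function names and the sample files it writes are constructed for illustration, and it only reads the global section of sshd_config (it stops at the first Match block).

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# sample files at the bottom are constructed for illustration.

# Print the global value of an sshd_config keyword, lowercased.
# Keywords are matched case-insensitively, the first occurrence wins, and
# both "Keyword value" and "Keyword=value" forms are handled.
sshd_value() {  # $1 = keyword, $2 = config file
    awk -v k="$1" -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }            # drop leading indentation
        /^#/ || NF < 2 { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }   # stop at the first Match block
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$2"
}

# Succeed if an uncommented auth line loads pam_google_authenticator.so.
pam_has_totp() {  # $1 = PAM service file
    grep -Eq '^[[:space:]]*auth[[:space:]][^#]*pam_google_authenticator\.so' "$1"
}

# Return 0 only when both edits are in place; print what is missing.
check_ssh_2fa() {  # $1 = PAM file, $2 = sshd_config
    rc=0
    if ! pam_has_totp "$1"; then
        echo "missing: auth line for pam_google_authenticator.so in $1"
        rc=1
    fi
    if [ "$(sshd_value ChallengeResponseAuthentication "$2")" != "yes" ]; then
        echo "missing: ChallengeResponseAuthentication yes in $2"
        rc=1
    fi
    return $rc
}

# Constructed sample: the PAM edit is done, sshd_config still says "no".
demo=$(mktemp -d)
printf '%s\n' '@include common-auth' \
    'auth required pam_google_authenticator.so' > "$demo/pam_sshd"
printf '%s\n' '#ChallengeResponseAuthentication yes' \
    'challengeresponseauthentication no' > "$demo/sshd_config"
check_ssh_2fa "$demo/pam_sshd" "$demo/sshd_config" || echo "2FA is not fully configured"
rm -rf "$demo"
```

On a live host, `sshd -T` prints the effective configuration, including anything pulled in by Include directives that this static check does not follow.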

On the next login, after you enter the username you are prompted for the two-step verification code first, and only then for the user password, as shown below:

    login as: root
    Using keyboard-interactive authentication.
    Verification code:
    Using keyboard-interactive authentication.
    Password:
    Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 2.6.32-042stab108.8 i686)

    * Documentation: https://help.ubuntu.com/
    Last login: Thu Jan 28 15:04:20 2016 from 61.185.216.146
    root@hkvps:~#

Reference: https://wzyboy.im/post/765.html

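Do not reproduce without permission: 中国宏阔黑客联盟 | White-hat hackers | Network penetration techniques | Website security | Mobile security | Communications security » Hardening SSH Login with Google Authenticator Two-Step Verification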