
Installing Google Authenticator on a Linux VPS for two-step SSH login verification

Note: when people think about VPS security, the usual steps are to change the SSH port and the password, and the safer option beyond that is to disable password login and use a key instead. That method was covered long ago; here is another one. Install Google Authenticator on the VPS and logging in requires not just the correct password but also the correct dynamic verification code, which raises the bar considerably. This covers CentOS, Debian and Ubuntu.

Tip: this guide is meant to be used together with the Google Authenticator app; install it on your phone first if you have not, so you can get the dynamic codes. The PAM module implements standard TOTP (RFC 6238), so any other TOTP app works just as well.

Installation

Either install the packaged module (1) or build it from source (2); you do not need both.

1. Install from packages

#CentOS 6
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
yum install google-authenticator -y

#CentOS 7
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install google-authenticator -y

#Debian/Ubuntu
apt update
apt install libpam-google-authenticator -y

On CentOS the module comes from EPEL, hence the epel-release step. CentOS 6 and its EPEL branch reached end-of-life in 2020 and the EPEL 6 tree has been moved to archives.fedoraproject.org, so treat the CentOS 6 lines as historical.

2. Build from source

Install the build dependencies:

#CentOS
yum install gcc make pam-devel libpng-devel libtool wget git autoconf automake qrencode -y

#Debian/Ubuntu
apt update
apt install -y gcc make autoconf automake libtool libpam0g-dev libqrencode3 git

(On current Debian/Ubuntu releases the runtime library package is libqrencode4; it is only needed for drawing the QR code in the terminal.)

Build and install the module:

git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam
./bootstrap.sh
./configure
make && make install

This builds whatever is at the tip of master and installs it, unsigned, under /usr/local. For an authentication module that is a weaker supply chain than the distribution packages in option 1, so prefer those where they exist; if you do build, check out a tagged release rather than master.

Configuration

1. Set up the authenticator

Run the setup tool as the account that will log in over SSH. The secret is stored per user, in that user's home directory; the transcript below was produced as root, which is why it writes /root/.google_authenticator.

google-authenticator

The output looks like this:

Do you want authentication tokens to be time-based (y/n) y
# QR code: open this URL in a browser and scan it with the app. The secret is embedded in the URL, so this hands it to Google's chart service; with libqrencode installed the tool also draws the QR code in the terminal, which avoids that.
https://www.google.com/chart?chs=200x200xxx
Your new secret key is: WKDPJHOKR2P3DOWL
Your verification code is 189192
# Emergency scratch codes: for when the phone is not at hand. Each works exactly once; keep them somewhere safe, not on the VPS.
Your emergency scratch codes are:
  77678926
  14729443
  83656478
  55669982
  23960253

# Answer the remaining prompts as below, or read each one and decide for yourself
Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Two remarks on those answers. Saying y to the larger window is a convenience that also widens an attacker's guessing window: the default WINDOW_SIZE 3 accepts three codes at any moment, the "about 4min" setting (WINDOW_SIZE 17) accepts seventeen. Fix the clock instead (see the time step below) and keep the default. The answers end up in ~/.google_authenticator, which must be owned by the user and not readable by group or others, or the module refuses to use it.
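The prompts above talk about 30-second time-based tokens, a skew window of one token either side, and single-use codes. What the phone app and the PAM module actually compute is RFC 6238 TOTP: HMAC-SHA1 over a counter of 30-second periods, truncated to six digits. The script below is an added example written for this page, not code from the post or from the google-authenticator project; it reimplements the algorithm in shell with openssl so you can see what the server checks and why the clock, not the time zone, is what matters. The secret WKDPJHOKR2P3DOWL is the sample one from the transcript above (never reuse a secret that has been published); the RFC 6238 test secret and the `totp_verify` function with its WINDOW_SIZE argument are my additions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): RFC 6238 TOTP in shell.
# HMAC-SHA1 over floor(time/30), dynamic truncation, six digits.
# Requires openssl; the rest is POSIX shell arithmetic.

# Decode an RFC 4648 base32 string (the printed "secret key") to hex.
b32_to_hex() {
  local alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 s c rest idx buf=0 bits=0 out=''
  s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}               # pop the first character
    rest=${alphabet%%"$c"*}; idx=${#rest}   # its index in the alphabet
    [ "$idx" -lt 32 ] || { echo "bad base32 character: $c" >&2; return 1; }
    buf=$(( (buf << 5) | idx )); bits=$((bits + 5))
    if [ "$bits" -ge 8 ]; then              # emit a full byte when we have one
      bits=$((bits - 8))
      out=$out$(printf '%02x' $(( (buf >> bits) & 0xff )))
      buf=$(( buf & ((1 << bits) - 1) ))
    fi
  done
  printf '%s' "$out"
}

# HMAC-SHA1(key, 8-byte big-endian counter), returned as hex.
hotp_hmac() {  # $1 = key hex, $2 = counter (integer)
  local chex fmt='' i=0 pair
  chex=$(printf '%016x' "$2")
  while [ "$i" -lt 16 ]; do                 # hex pairs -> \ooo octal escapes
    pair=$(printf '%s' "$chex" | cut -c "$((i + 1))-$((i + 2))")
    fmt="$fmt\\$(printf '%03o' $(( 0x$pair )))"
    i=$((i + 2))
  done
  printf "$fmt" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
}

# Six-digit code for a base32 secret at a Unix time (default: now).
totp() {  # $1 = base32 secret, $2 = Unix time, $3 = step in seconds (default 30)
  local key h last off chunk
  key=$(b32_to_hex "$1") || return 1
  h=$(hotp_hmac "$key" $(( ${2:-$(date +%s)} / ${3:-30} )))
  last=${h#"${h%?}"}                        # low nibble of the last byte ...
  off=$(( 0x$last & 0xf ))                  # ... is the truncation offset
  chunk=$(printf '%s' "$h" | cut -c "$((off * 2 + 1))-$((off * 2 + 8))")
  printf '%06d' $(( (0x$chunk & 0x7fffffff) % 1000000 ))
}

# What the server does: accept the code if it matches any step inside the
# skew window. WINDOW_SIZE 3 (default) = previous, current, next; the
# "about 4min" answer writes WINDOW_SIZE 17 = 8 steps either side.
totp_verify() {  # $1 = secret, $2 = code typed by the user, $3 = Unix time, $4 = WINDOW_SIZE
  local half k
  half=$(( (${4:-3} - 1) / 2 )); k=$(( -half ))
  while [ "$k" -le "$half" ]; do
    [ "$(totp "$1" $(( $3 + k * 30 )))" = "$2" ] && return 0
    k=$((k + 1))
  done
  return 1
}

# Demo with the sample secret from the transcript (assumed value; never reuse it).
if [ "${1:-}" = demo ]; then
  now=$(date +%s)
  echo "code now: $(totp WKDPJHOKR2P3DOWL "$now")"
  echo "accepted with WINDOW_SIZE 3: $(totp WKDPJHOKR2P3DOWL $((now - 30))) $(totp WKDPJHOKR2P3DOWL "$now") $(totp WKDPJHOKR2P3DOWL $((now + 30)))"
fi
```

Run it as `bash totp.sh demo` to print the current code for the sample secret and the three codes a default window accepts; compare with the app to confirm the server clock is right. `totp_verify` makes the window trade-off concrete: with WINDOW_SIZE 3 a code is valid for roughly ninety seconds, with WINDOW_SIZE 17 for over eight minutes, and a random six-digit guess is about six times more likely to land. Nothing in this calculation depends on the time zone; only the epoch time does.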

2. Configure PAM

Edit the PAM configuration for sshd:

nano /etc/pam.d/sshd

Add the line `auth required pam_google_authenticator.so` at the right place for your distribution:

#CentOS 6: on the line after #%PAM-1.0
#CentOS 7: on the line after auth substack password-auth
#Debian and Ubuntu: at the end of the file

Then press Ctrl+X, then Y, to save and exit.

Two things to know about this line. `required` means that from the moment sshd is reloaded, any account without a ~/.google_authenticator file can no longer log in with a password, root included if you skipped step 1 for it. For a staged rollout you can write `auth required pam_google_authenticator.so nullok` instead, which lets accounts with no secret file skip the code (and is therefore weaker, so drop `nullok` once everyone is enrolled). And whatever you do, keep your current SSH session open and test the new login from a second terminal before closing it.

Alternatively, add the line with a command:

#CentOS 6
sed -i '1a\auth required pam_google_authenticator.so' /etc/pam.d/sshd
#CentOS 7
sed -i "/auth[ ]*substack[ ]*pass*/a\auth required pam_google_authenticator.so" /etc/pam.d/sshd
#Debian/Ubuntu
echo 'auth required pam_google_authenticator.so' >>/etc/pam.d/sshd

None of these checks whether the line is already present, so running them a second time leaves two copies.

If you built from source, PAM will not find the module under /usr/local until it is symlinked into the directory PAM actually searches (the paths below are for x86_64; other architectures differ):

#CentOS
ln -fs /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
#Debian/Ubuntu
ln -fs /usr/local/lib/security/pam_google_authenticator.so /lib/x86_64-linux-gnu/security/

3. Edit the sshd configuration

This can be done directly with a command:

sed -i -r 's#(ChallengeResponseAuthentication) no#\1 yes#g' /etc/ssh/sshd_config

Three things this sed does not cover. It only rewrites the text `ChallengeResponseAuthentication no`; if your sshd_config has that line commented out (`#ChallengeResponseAuthentication no`), the result is still commented out and nothing changes. The module runs through PAM, so `UsePAM yes` must also be set (it is the default on CentOS, Debian and Ubuntu, but check). And on OpenSSH 8.7 and later the directive is called `KbdInteractiveAuthentication`; the old name is still accepted as a deprecated alias, but the new one is what `sshd -T` reports. Check the effective values with `sshd -T` and the syntax with `sshd -t` before restarting.

Note also that PAM is only consulted for password and keyboard-interactive logins. If you log in with an SSH key, this setup never asks for a code. To require a key and the code, set `AuthenticationMethods publickey,keyboard-interactive` in sshd_config, which makes sshd run the PAM stack after the key check.

Then check the clock:

#Check the server time
date
#If the time zone is wrong, point it at your local one
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

The time zone is cosmetic here: TOTP codes are derived from Unix epoch time, which is the same in every zone, so what actually matters is that the server clock is within a few seconds of real time (the default window tolerates about 30 s either way). Compare `date -u` with your phone and keep an NTP client (chronyd, ntpd or systemd-timesyncd) running; a drifting clock is the usual reason correct codes get rejected.

On CentOS the post also turns SELinux off, though it is not enabled on every system:

#Check the current mode
getenforce
#Disabled means it is off, Enforcing means it is on. To turn it off (takes effect after a reboot):
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Think before doing that. SELinux in enforcing mode is one of the stronger protections a CentOS box has, and switching it off permanently to make one PAM module work is a poor trade. The actual problem is narrower: sshd runs in a confined domain that is not allowed to read the secret file in the user's home directory, so the login fails and the refusal shows up as an AVC denial in /var/log/audit/audit.log. Better options are to leave enforcing on and keep the secret files outside home directories with the module's `secret=` option (together with `user=` to read them as a dedicated account), or, for diagnosis only, `setenforce 0` for the duration of one test. Note that the sed above changes the boot-time setting only; the running kernel stays enforcing until a reboot.

Finally, restart sshd:

#CentOS
service sshd restart
#Debian/Ubuntu
service ssh restart

On systemd systems `systemctl restart sshd` (CentOS 7) or `systemctl restart ssh` (Debian/Ubuntu) does the same. Existing connections survive a restart, so keep the session you are working in open until a fresh login from a second terminal has succeeded.
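Steps 2 and 3 above are a handful of sed and echo commands that neither check for duplicates nor verify the result, and they leave `UsePAM` to chance. The script below is an added example, not code from the original post: an idempotent version of the same edits in which each function takes the file path as a parameter, so you can try them on copies of /etc/pam.d/sshd and /etc/ssh/sshd_config before running it as root with `apply`. The anchor regex and the function names are my own; the directives and paths are the ones the post uses, plus `KbdInteractiveAuthentication`, the OpenSSH 8.7+ name for `ChallengeResponseAuthentication`.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): idempotent, checkable version
# of the PAM and sshd_config edits. Functions take the file to edit as $1 so
# they can be exercised on copies; "apply" edits the real files, validates
# sshd's config and reloads it. GNU sed is assumed (as in the post).
set -eu

PAM_LINE='auth required pam_google_authenticator.so'
# CentOS 7 placement from the post: right after the password-auth substack.
CENTOS7_ANCHOR='^auth[[:space:]]+substack[[:space:]]+password-auth'

# Make sure a file ends with a newline before anything is appended to it.
ensure_trailing_newline() { [ ! -s "$1" ] || [ -z "$(tail -c1 "$1")" ] || echo >> "$1"; }

# Add the PAM line once: after the first line matching $2 if an anchor is
# given and found (CentOS 7 style), otherwise at the end (Debian/Ubuntu style).
pam_enable() {  # $1 = PAM file, $2 = optional anchor regex
  grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" && return 0
  if [ -n "${2:-}" ] && grep -qE "$2" "$1"; then
    sed -i -E "0,/$2/{/$2/a\\
$PAM_LINE
}" "$1"
  else
    ensure_trailing_newline "$1"
    printf '%s\n' "$PAM_LINE" >> "$1"
  fi
}

# Read a directive's value the way sshd does: case-insensitive, first match wins.
sshd_get() {  # $1 = sshd_config, $2 = directive
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
      'tolower($1) == k && NF >= 2 { print $2; exit }' "$1"
}

# Set a directive, rewriting any existing line for it, commented out or not,
# so a "#ChallengeResponseAuthentication no" cannot survive untouched.
# (Does not special-case Match blocks.)
sshd_set() {  # $1 = sshd_config, $2 = directive, $3 = value
  if grep -qE "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|$)" "$1"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*$2([[:space:]].*)?$/$2 $3/" "$1"
  else
    ensure_trailing_newline "$1"
    printf '%s %s\n' "$2" "$3" >> "$1"
  fi
}

# Real run, as root. Keep your current SSH session open until a new login works.
apply() {
  pam_enable /etc/pam.d/sshd "$CENTOS7_ANCHOR"
  sshd_set /etc/ssh/sshd_config UsePAM yes                            # without PAM the module never runs
  sshd_set /etc/ssh/sshd_config ChallengeResponseAuthentication yes   # name used before OpenSSH 8.7
  sshd_set /etc/ssh/sshd_config KbdInteractiveAuthentication yes      # name from 8.7 on; older sshd accepts it too
  sshd -t                                                             # syntax check; aborts before the reload
  sshd -T | grep -iE '^(usepam|kbdinteractiveauthentication|challengeresponseauthentication) '
  systemctl reload sshd 2>/dev/null || service sshd restart 2>/dev/null || service ssh restart
}

if [ "${1:-}" = apply ]; then apply; fi
```

To rehearse, copy the two files somewhere, source the script, and call `pam_enable` and `sshd_set` on the copies; `sshd_get` shows what sshd will read back. Running the functions twice changes nothing, which is the property the post's one-shot sed and echo lines lack.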

Once configured, on the next SSH login (Xshell is used as the example here) choose Keyboard Interactive as the authentication method and you will be prompted for the dynamic code.

From then on, every login to the VPS asks for both the password and the Google Authenticator code, which puts it well beyond what a leaked or guessed password alone can get through.

Reproduction without permission is prohibited: 798VPS » Installing Google Authenticator on a Linux VPS for two-step SSH login verification