安装google-authenticator实现动态密码
1、依赖包安装:
yum -y install mercurial pam-devel
2、安装Google Authenticator:
git clone https://code.google.com/p/google-authenticator/ cd google-authenticator/google-authenticator/libpam make && make install
[ libpam]# make install cp pam_google_authenticator.so /lib64/security cp google-authenticator /usr/local/bin
3、编辑ssh相关配置文件(认证等)
SSH登录时调用google-authenticator模块,编辑添加如下内容:
vi /etc/pam.d/sshd
auth required pam_google_authenticator.so
修改SSH配置文件:
vim /etc/ssh/sshd_config
添加或修改以下内容:
ChallengeResponseAuthentication yes
UsePAM yes
/etc/init.d/sshd restart
4、然后使用Google-authenticator命令创建随机密码,操作如下(默认都是y):
[root@clone2 libpam]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@clone2%3Fsecret%3DZSQBUSM3WEXZDQRR
Your new secret key is: ZSQBUSM3WEXZDQRR
Your verification code is 198178
Your emergency scratch codes are:
16050151
22929943
74444984
23544107
20880478
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
· 其中,
· https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@clone2%3Fsecret%
· 上述链接可以直接用手机客户端扫描,进行配置。
然后就可以在手机上安装google-authenticator客户端,通过输入私钥即可实时显示密码
以后再远程登录的时候就会弹出验证码,而要输入客户端上实时产生的动态验证码才能进行登录;
§ 注释:终端登录的时候secureCRT或者xshell不要用password方式直接登录,应选择==键盘交互==鉴权方式登录