CentOS7.6 使用Google身份验证器实现两次认证
系统4年前 (2019-03-26)
CentOS7.6 安装Google Authenticator身份验证器,使用手机上生成两步验证码进行登录
安装验证器
yum install -y epel-release yum install -y pam-devel google-authenticator
配置验证器
google-authenticator
第一步
是否希望身份验证令牌基于时间 选y
是否希望升级验证文件 选y
Do you want authentication tokens to be time-based (y/n) y Warning: pasting the following URL into your browser exposes the OTP secret to Google: https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@instance-1%3Fsecret%3DXXHW2ZDPU46LQMUQSZKEQLICU4%26issuer%3Dinstance-1 our new secret key is: XXHW2ZDPU46LQMUQSZKEQLICU4 Your verification code is 901904 Your emergency scratch codes are: 68846222 58756444 45247779 46186145 10007414 Do you want me to update your "/root/.google_authenticator" file? (y/n) y
第二步
是否禁止多次使用同一身份验证令牌 选y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
第三步
是否消除时间误差 选y
By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y
第四步
是否要限制登录间隔时间 选y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y
配置pam
vim /etc/pam.d/sshd 添加 auth required pam_google_authenticator.so
配置ssh
vim /etc/ssh/sshd_config 将ChallengeResponseAuthentication no 改为ChallengeResponseAuthentication yes
重启ssh服务
systemctl restart sshd
将SecureCRT中认证方式的键盘交互置顶为第一验证方式
输入google手机验证器中的验证码
输入root用户密码
登录成功
本站所有文章均可随意转载,转载时请保留原文链接及作者。
,想必也是非常愉悦的事!
