centos6.5使用Google auth进行双因子认证
阿里云相关链接
https://www.aliyun.com/product/ecs?source=5176.11533457&userCode=kv73ipbs&type=copy
1、环境
系统:centos6.5 x86_64
[root@uu ~]# uname -a
Linux uu 2.6.32-642.el6.x86_64 #1 SMP Wed Apr 13 00:51:26 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
要求:
时间同步
关闭SELinux
2、安装
升级git
1.7.1版本过低,现在github不支持1.7.1的git 客户端的下载了,只有从网上下载高一点的版本,并安装。
yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel -y
yum install gcc perl-ExtUtils-MakeMaker -y
yum remove git -y
yum update -y nss curl libcurl cd /usr/src
wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz
wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz --no-check-certificate
tar xzf git-2.1..tar.gz
cd git-2.1.
make prefix=/usr/local/git all
make prefix=/usr/local/git install
echo "export PATH=$PATH:/usr/local/git/bin" >> /etc/bashrc
source /etc/bashrc #配置git不认证https
git config --global http.sslVerify false
3、安装Google auth
yum install -y git automake libtool pam-devel -y
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make && make install cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
4、安装认证二维码
这一步可不做,没有图形二维码就手动输入程序给出的密钥。
yum install -y git qrencode
5、配置ssh服务
5.1、修改/etc/pam.d/sshd
在/etc/pam.d/sshd里添加下面这条【#放在auth include password-auth之前】
vim /etc/pam.d/sshd
auth required pam_google_authenticator.so no_increment_hotp
5.2、修改/etc/ssh/sshd_config
vim /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
/etc/init.d/sshd restart
6、配置Google auth
google-authenticator
6.1、添加主机
有2种方式:
输入“y”后,会有一个二维码
1、用手机谷歌验证器扫描这个二维码即可添加主机。
2、手动输入二维码下面的密钥添加。
然后剩下的会出现5个问题,根据提示全部选“y”即可。
6.2、客户端
我的是华为手机,贴一下华为应用市场的链接
http://a.vmall.com/uowap/index.html#/detailApp/C63790
APP在应用市场搜索谷歌认证器。
可根据需要添加多个客户端。
7、登录
输入手机动态口令
输入登录用户的密码
8、说明
[root@uu ~]# google-authenticator Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@uu%3Fsecret%3DJQPBXCQ5UJEARJDKW56QG7PX5M%26issuer%3Duu
Your new secret key is: JQPBXCQ5UJEARJDKW56QG7PX5M
Enter code from app (-1 to skip): 441989
Code confirmed
Your emergency scratch codes are:
15017326
13268423
41466235
66165819
90381302
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
上述共需回答5个y
第1个:问你是否想做一个基于时间的令牌
第2个:是否更新你的google认证文件,由于第一次设置,所以一定选y
第3个:是否禁止口令多用,这里选择y,禁止它,以防止中间人欺骗。
第4个:默认情况,1个口令的有效期是30s,这里是为了防止主机时间和口令客户端时间不一致,设置的误差,可以选择y,也可选n,看要求严谨程度
第5个:是否打开尝试次数限制,默认情况,30s内不得超过3次登陆测试,防止别人暴力破解。
并且上面这些设置将被存储在用户的〜/.google_authenticator文件中,emergency scratch codes 中的5个代码是紧急代码,务必牢记,这是在你的动态口令无法使用的情况下使用的,记住,用一个失效一个。后期可以登陆上去后,重新生成!!
最新文章
- Azure AD Connect 手动同步
- Nginx配置性能优化
- JavaScript中的枚举
- maven清除不同版本的重复依赖
- 不停止MySQL服务的情况下修改root的密码
- CV界的明星人物们
- Helixoft VSdocman 是一个集成于Visual Studio并提供了命令行版本的帮助文档编译工具
- rhel7网络管理
- 学习manacher(最长公共回文串算法)
- Android中设置文本颜色的三种方法
- JQuery 图片延迟加载并等比缩放插件
- LINUX编程学习笔记(十三) 遍历目录的两种方法
- javascript之事件监听
- springboot情操陶冶-web配置(一)
- SpringCloud笔记一:扫盲
- python 名称前的单下划线
- 计算机基础:计算机网络-socket编程
- 【PAT】B1043 输出PATest(20 分)
- python之join
- 每日英语:A Chinese Soccer Club Has Won Something!