Google Authenticator open-source project home page: https://github.com/google/google-authenticator
Installing Google Authenticator
On Ubuntu, install it with the following command:
apt-get install libpam-google-authenticator
On CentOS, install it with the following command:
yum install google-authenticator
On other systems, build and install it from source:
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make
make install
Note: on Debian 7, running ./configure may fail with the following error:
configure: error: Unable to find the PAM library or the PAM header files
In that case, install libpam0g-dev and libtool:
apt-get -y install libpam0g-dev libtool
Configuring Google Authenticator
On your phone, search for and install the Google Authenticator app, then run the following command on the server:
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
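A QR code then appears. Scan it with the Google Authenticator app on your phone, then continue the setup on the server.
If no QR code appears, copy the displayed link beginning with **https://www.google.com/chart?** into a browser to view the QR code.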
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
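The prompts above describe a 30-second time step, an acceptance window around the current time, and a ban on reusing a code. The sketch below is an added example, not code from the original page or from the google-authenticator project; `Verifier`, `window` and `disallow_reuse` are hypothetical names, the replay tracking is simplified, and the secret is a constructed sample (the RFC 4226 test key).

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code ("tokens are good for 30 seconds")

def totp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226) over a time-step counter, i.e. TOTP (RFC 6238), HMAC-SHA1."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server-side check, simplified; not the PAM module's code."""

    def __init__(self, secret_b32, window=1, disallow_reuse=True):
        self.secret = secret_b32
        self.window = window            # steps accepted on each side of "now"
        self.disallow_reuse = disallow_reuse
        self.used = set()               # time steps whose code was already accepted

    def verify(self, code, now):
        current = int(now) // STEP
        first = max(0, current - self.window)
        for counter in range(first, current + self.window + 1):
            if hmac.compare_digest(totp(self.secret, counter), code):
                if self.disallow_reuse and counter in self.used:
                    return False        # same code replayed within its lifetime
                self.used.add(counter)
                return True
        return False

# Constructed sample secret: the RFC 4226 test key, Base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    v = Verifier(SECRET, window=1)
    code = totp(SECRET, 1)               # code for time step 1 (seconds 30-59)
    print(code, v.verify(code, now=59))  # accepted once
    print(v.verify(code, now=59))        # replay rejected
    print(Verifier(SECRET, window=1).verify(code, now=95))  # 2 steps old: rejected
    print(Verifier(SECRET, window=2).verify(code, now=95))  # wider window: accepted
```

A window of `w` steps on each side means `2*w + 1` codes are valid at any moment, so widening it to tolerate clock skew also widens what a guessed or intercepted code can match.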
Next, enable Google Authenticator verification for SSH logins.
Edit the /etc/pam.d/sshd file, add the following line, and save:
auth required pam_google_authenticator.so
Edit /etc/ssh/sshd_config and find the following line:
ChallengeResponseAuthentication no
Change it to:
ChallengeResponseAuthentication yes
Restart the SSH service:
service ssh restart
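On the next login, after you enter the username you are prompted for the two-step verification code first, and only then for the user password, as shown below: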
login as: root
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 2.6.32-042stab108.8 i686)
* Documentation: https://help.ubuntu.com/
Last login: Thu Jan 28 15:04:20 2016 from 61.185.216.146
root@hkvps:~#