Linux 利用Google Authenticator实现ssh登录双因素认证

[root@localhost ~]# yum install -y chrony
[root@localhost ~]# vim /etc/chrony.conf
server 0.cn.pool.ntp.org
server 1.cn.pool.ntp.org
server 2.cn.pool.ntp.org
server 3.cn.pool.ntp.org

[root@localhost ~]# systemctl restart chronyd
[root@localhost ~]# chronyc sources

[root@localhost ~]# yum install -y git automake libtool pam-devel
[root@localhost ~]# git clone https://github.com/google/google-authenticator-libpam.git
[root@localhost ~]# cd google-authenticator-libpam/
[root@localhost google-authenticator-libpam]# ./bootstrap.sh
[root@localhost google-authenticator-libpam]# ./configure
[root@localhost google-authenticator-libpam]# make && make install
[root@localhost google-authenticator-libpam]# google-authenticator
[root@localhost google-authenticator-libpam]# cd ~
# 修改配置文件
[root@localhost ~]# vim /etc/pam.d/sshd
auth       required     pam_google_authenticator.so no_increment_hotp

[root@localhost ~]# vim /etc/ssh/sshd_config
asswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

# 重启ssh服务
[root@localhost ~]# systemctl restart sshd 
# 生成令牌
[root@localhost ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
#你想做的认证令牌是基于时间的吗？
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DN4HLEJOQHT27VCR6RX66WXB2SY%26issuer%3Dlocalhost.localdomain

[这里会有一个很大的二维码]

Your new secret key is: N4HLEJOQHT27VCR6RX66WXB2SY
#这个key就是加密串，如果你有多个设备，需要把这个保存下，方便以后添加认证设备
Your verification code is 299695
#输入手机上Google Authenticator的code 
Your emergency scratch codes are:
#下面这些key是紧急安全码，假如你的手机丢了，紧急登录用的。

  44477086
  92790948
  29251218
  26350870
  30696065

Do you want me to update your "/root/.google_authenticator" file? (y/n) y
#你希望我更新你的“/root/.google_authenticator”文件吗(y/n)？
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
#你希望禁止多次使用同一个验证令牌吗?这限制你每次登录的时间大约是30秒， 但是这加大了发现或甚至防止中间人攻击的可能性(y/n)?
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
#默认情况下，令牌保持30秒有效;为了补偿客户机与服务器之间可能存在的时滞，
我们允许在当前时间前后有一个额外令牌。如果你在时间同步方面遇到了问题， 可以增加窗口从默认的3个可通过验证码增加到17个可通过验证码，
这将允许客户机与服务器之间的时差增加到4分钟。你希望这么做吗(y/n)?
If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
#如果你登录的那台计算机没有经过固化，以防范运用蛮力的登录企图，可以对验证模块
启用尝试次数限制。默认情况下，这限制攻击者每30秒试图登录的次数只有3次。 你希望启用尝试次数限制吗(y/n)?

[root@localhost ~]# tail -n10 /var/log/secure

...
Dec 31 09:42:46 localhost sshd[2393]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
Dec 31 09:42:46 localhost sshd[2393]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
...

[root@localhost ~]# ln -sv /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
"/usr/lib64/security/pam_google_authenticator.so" -> "/usr/local/lib/security/pam_google_authenticator.so"