Linux 利用Google Authenticator实现ssh登录双因素认证

前些天因为工作需要在阿里云弄了一批VPC机器,刚开始是每个人都给了账号密码让其登录控制,又因为各种问题,收回了权限。 为了控制登录权限,所以启动了跳板机 ( http://www.jumpserver.org/ ) 后来又一个开发开始质疑,VPC其他的机器你可以防火墙禁止外界登录,那你跳板机最该要开一个ssh吧?如果这个机器的账号密码被知道了,那不是GG了 好吧,我就想到了这个坑办法。OTP,一次性密码~ 目的让登录的时不仅需要linux的账号密码,还需要一个动态的口令。

安装这个的原因是因为Google的OTP算法其中有一个因素是时间,因此我们一定要保证时间的正确性

1
2
3
4
5
6
7
8
9
[root@localhost ~]# yum install -y chrony
[root@localhost ~]# vim /etc/chrony.conf
server 0.cn.pool.ntp.org
server 1.cn.pool.ntp.org
server 2.cn.pool.ntp.org
server 3.cn.pool.ntp.org

[root@localhost ~]# systemctl restart chronyd
[root@localhost ~]# chronyc sources
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
[root@localhost ~]# yum install -y git automake libtool pam-devel
[root@localhost ~]# git clone https://github.com/google/google-authenticator-libpam.git
[root@localhost ~]# cd google-authenticator-libpam/
[root@localhost google-authenticator-libpam]# ./bootstrap.sh
[root@localhost google-authenticator-libpam]# ./configure
[root@localhost google-authenticator-libpam]# make && make install
[root@localhost google-authenticator-libpam]# google-authenticator
[root@localhost google-authenticator-libpam]# cd ~
# 修改配置文件
[root@localhost ~]# vim /etc/pam.d/sshd
auth       required     pam_google_authenticator.so no_increment_hotp

[root@localhost ~]# vim /etc/ssh/sshd_config
asswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

# 重启ssh服务
[root@localhost ~]# systemctl restart sshd 
# 生成令牌
[root@localhost ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
#你想做的认证令牌是基于时间的吗?
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DN4HLEJOQHT27VCR6RX66WXB2SY%26issuer%3Dlocalhost.localdomain

[这里会有一个很大的二维码]

Your new secret key is: N4HLEJOQHT27VCR6RX66WXB2SY
#这个key就是加密串,如果你有多个设备,需要把这个保存下,方便以后添加认证设备
Your verification code is 299695
#输入手机上Google Authenticator的code 
Your emergency scratch codes are:
#下面这些key是紧急安全码,假如你的手机丢了,紧急登录用的。

  44477086
  92790948
  29251218
  26350870
  30696065

Do you want me to update your "/root/.google_authenticator" file? (y/n) y
#你希望我更新你的“/root/.google_authenticator”文件吗(y/n)?
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
#你希望禁止多次使用同一个验证令牌吗?这限制你每次登录的时间大约是30秒, 但是这加大了发现或甚至防止中间人攻击的可能性(y/n)?
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
#默认情况下,令牌保持30秒有效;为了补偿客户机与服务器之间可能存在的时滞,
我们允许在当前时间前后有一个额外令牌。如果你在时间同步方面遇到了问题, 可以增加窗口从默认的3个可通过验证码增加到17个可通过验证码,
这将允许客户机与服务器之间的时差增加到4分钟。你希望这么做吗(y/n)?
If the computer that you are logging into is not hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
#如果你登录的那台计算机没有经过固化,以防范运用蛮力的登录企图,可以对验证模块
启用尝试次数限制。默认情况下,这限制攻击者每30秒试图登录的次数只有3次。 你希望启用尝试次数限制吗(y/n)?

注意,第一次登录可能会出现登录失败的情况,查看日志信息显示错误如下:

1
2
3
4
5
6
7
8
9
[root@localhost ~]# tail -n10 /var/log/secure

...
Dec 31 09:42:46 localhost sshd[2393]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
Dec 31 09:42:46 localhost sshd[2393]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
...

[root@localhost ~]# ln -sv /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
"/usr/lib64/security/pam_google_authenticator.so" -> "/usr/local/lib/security/pam_google_authenticator.so"

一定要将这个放在第一个!