Adding Google Authenticator as a second factor for OpenSSH
#Source package
google-authenticator-libpam-1.09.tar.gz
#Install build dependencies
yum -y install wget gcc make pam-devel libpng-devel
#Extract the Google two-step verification module
tar -xvf google-authenticator-libpam-1.08.tar.gz
#Build and install
cd google-authenticator-libpam-1.08/
./bootstrap.sh
./configure
make
sudo make install
#Copy the module into the system PAM module directory
cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
#Run the setup as the account that will log in (root here)
google-authenticator
Do you want authentication tokens to be time-based (y/n) n
Whether to update the user's Google Authenticator configuration file
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Should each generated code be usable by only one person at a time? Choose y here.
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
#A new token is generated every 30s; the largest permitted clock skew is 4 minutes
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
#Add the module to the PAM stack for sshd
vi /etc/pam.d/sshd
auth required pam_google_authenticator.so no_increment_hotp
#Enable it in the SSH service (PAM must be in use, i.e. UsePAM yes, which is the default on CentOS/RHEL)
vi /etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication yes
#Restart the SSH service
systemctl restart sshd
This post is from cnblogs, author: LEAUS. Please cite the original link when reposting: https://www.cnblogs.com/leaus/p/13517910.html