zoukankan      html  css  js  c++  java
  • SSH + Google Authenticator

    部署跳板机SSH + Google Authenticator验证
     
    更新和安装相关程序包
     
    apt-get update
    apt-get install libpam-google-authenticator
    vim /etc/pam.d/sshd
    
    # PAM configuration for the Secure Shell service
    auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so
    
    # Standard Un*x authentication.
    @include common-auth
    
    # Disallow non-root logins when /etc/nologin exists.
    account    required     pam_nologin.so
    
    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    # account  required     pam_access.so
    
    # Standard Un*x authorization.
    @include common-account
    
    # SELinux needs to be the first session rule.  This ensures that any
    # lingering context has been cleared.  Without this it is possible that a
    # module could execute code in the wrong domain.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
    
    # Set the loginuid process attribute.
    session    required     pam_loginuid.so
    
    # Create a new session keyring.
    session    optional     pam_keyinit.so force revoke
    
    # Standard Un*x session setup and teardown.
    @include common-session
    
    # Print the message of the day upon successful login.
    # This includes a dynamically generated part from /run/motd.dynamic
    # and a static (admin-editable) part from /etc/motd.
    session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
    session    optional     pam_motd.so # [1]
    
    # Print the status of the user's mailbox upon successful login.
    session    optional     pam_mail.so standard noenv # [1]
    
    # Set up user limits from /etc/security/limits.conf.
    session    required     pam_limits.so
    
    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    session    required     pam_env.so # [1]
    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
    
    # SELinux needs to intervene at login time to ensure that the process starts
    # in the proper default security context.  Only sessions which are intended
    # to run in the user's context should be run after this.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
    
    # Standard Un*x password updating.
    @include common-password
    vim /etc/ssh/sshd_config
    
    # Package generated configuration file
    # See the sshd_config(5) manpage for details
    
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 1024
    
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin without-password
    StrictModes yes
    
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile     %h/.ssh/authorized_keys
    
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    #ChallengeResponseAuthentication no
    
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    
    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    
    Subsystem sftp /usr/lib/openssh/sftp-server
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    
    UseDNS no
    PasswordAuthentication no
    
    ChallengeResponseAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive
    Match User root    # ignore 2-factors
    AuthenticationMethods publickey
    /etc/init.d/ssh restart
     
     
     
     
     
     
  • 相关阅读:
    js 删除数组的某一项或者几项的方法
    JavaScript 面向对象的程序设计(一)之理解对象属性
    iview 之 穿梭框 transfer
    iview2.0 bug之+8 区的 DatePicker
    js Object.keys 用法
    js map 、filter 、forEach 、every、some 的用法
    iview tree 之如何获取已勾选的节点
    js 中常见的深拷贝的方法
    ES6新特性
    Amazon2014在线笔试 第三题
  • 原文地址:https://www.cnblogs.com/opma/p/11607337.html
Copyright © 2011-2022 走看看