Google Authenticator加强ssh安全

一、安装依赖包

软件包可以在这个地址下载：https://pan.baidu.com/s/1r0CmwbtCfNiBqU9rh_TxtA

yum -y install pam-devel
tar jxf libpam-google-authenticator-1.0-source.tar.bz2 
cd libpam-google-authenticator-1.0
make && make install

[root@chunkserver1 ~]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@chunkserver1%3Fsecret%3D4WPHQZ546UTLMBYP
Your new secret key is: 4WPHQZ546UTLMBYP
Your verification code is 856950
Your emergency scratch codes are:
37193134
39632359
18788141
32566498
89776977
#五个码用于在取不到或错的验证码有错时，用于应急用的。不过每个只能用一次，不能重复使用。
Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
#选择是否开启时间容错。如果客户端设备具有很好的同时间服务器同步功能，建议此处选择n。如果客户端设备（手机、ipad等）不具有很好的同ntp时间同步的功能，可以设为y —— 即开启时间容错。

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

　 

二、编辑文件cat /etc/pam.d/sshd 在第一行添加

auth required pam_google_authenticator.so

编辑/etc/ssh/sshd_config 文件

ChallengeResponseAuthentication no
把上面配置改成
ChallengeResponseAuthentication yes

service sshd restart重启ssh服务生效。

三、客户端安卓手机下载身份验证器工具，打开软件，手动输入账户（账户名称随便写） 密钥输入上面运行google-authenticator 生成 的此密钥4WPHQZ546UTLMBYP

四、测试：打开xshell连接，在弹出的输入密码界面选择使用键盘输入用户身份验证，然后输入手机上身份验证器生成的每60秒换一个的密钥

五、注意：服务器上要关闭selinux，否则会登录不了

1、如果命使用SecureCRT客户端登录时，需要在 连接——属性——连接——ssh2——"鉴权/authenicaion" 中将 "键盘交互/keyboard Interactive" 调到第一位。不然连接会出错。

2、以上安全配置对于ssh密钥认证方式进行的登录无效——即在pam配置中增加上面的配置后，通过密钥认证时不会要求输入验证码 。