Normally we log in to a server with just an account name and password, or with an SSH key. Key-based login is far more secure than password login, but to support a second factor we can also use Google Authenticator: a time-based one-time code is added alongside the password, and a login succeeds only when both the correct code and the password are entered. This strengthens SSH login security. Note that the setup below covers password (keyboard-interactive) logins only: on CentOS, public-key authentication does not go through the PAM auth stack, so key logins are not prompted for a code unless sshd is configured to require both methods (AuthenticationMethods publickey,keyboard-interactive).

Note: the script has only been tested on CentOS 6 and 7.

Install the required packages (epel-release provides the repository the google-authenticator package comes from; the build tools after it are only needed if you compile the PAM module from source):

yum install epel-* mercurial autoconf automake libtool pam-devel -y

Install google-authenticator:

yum install google-authenticator  -y

Once it is installed, configure it:

Configure PAM

Edit the sshd file under /etc/pam.d, add the following line at the top, and save. (The two-line script further down appends it at the end instead; because the module is `required`, both placements work, they only change whether the code is asked for before or after the password.) Without the `nullok` option, every account that has not yet run google-authenticator is locked out of password/keyboard-interactive SSH login, so set up at least one user before you restart sshd.

vi /etc/pam.d/sshd
auth required pam_google_authenticator.so

Configure the SSH daemon

In /etc/ssh/sshd_config change

ChallengeResponseAuthentication no

to

ChallengeResponseAuthentication yes

UsePAM yes must also be set (it is the CentOS default). Plain password authentication cannot answer the extra prompt, so logins have to use keyboard-interactive; setting PasswordAuthentication no alongside stops clients from trying a method that will always fail.

---------------------

Find the above tedious? The following two lines do the same (the first appends the PAM line at the end rather than inserting it at the top, which as noted above also works; the sed only changes a line that currently reads "no"):

echo "auth       required     pam_google_authenticator.so" >>/etc/pam.d/sshd
sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config

Then restart the SSH service (keep your current session open until you have confirmed that a new login works, so a mistake cannot lock you out; on CentOS 7 systemctl restart sshd is equivalent):

service sshd restart
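The two-line script and the restart above do the job once, but the echo appends a second copy of the PAM line every time it is re-run, and the sed silently does nothing when the option is commented out. As an added example (Python 3, not code from the original post), here is a script that makes the same two edits idempotently and also enforces UsePAM yes. It assumes the CentOS file layouts (a #%PAM-1.0 header line, one keyword and value per sshd_config line, no Match blocks) and the default paths, which can be overridden on the command line to try it on copies first.

```python
"""Idempotent edits for /etc/pam.d/sshd and /etc/ssh/sshd_config.

Added example, not code from the original post. It assumes the CentOS
file layouts (a "#%PAM-1.0" header line, one "Keyword value" per
sshd_config line, no Match blocks). The edit functions work on text and
return (new_text, changed), so they can be tried on copies before /etc.
"""
import re
import shutil
import sys

PAM_MODULE = "pam_google_authenticator.so"
PAM_LINE = "auth       required     " + PAM_MODULE


def ensure_pam_module(text, line=PAM_LINE):
    """Put the OTP module at the top of the auth stack, exactly once.

    Unlike `echo ... >> /etc/pam.d/sshd`, re-running this never adds a
    second copy: an existing uncommented line loading the module is
    left alone and reported as unchanged.
    """
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#") and PAM_MODULE in stripped:
            return text, False
    lines = text.splitlines()
    # keep the "#%PAM-1.0" header as the first line if there is one
    idx = 1 if lines and lines[0].startswith("#%PAM") else 0
    lines.insert(idx, line)
    return "\n".join(lines) + "\n", True


def set_sshd_option(text, key, value):
    """Force `key value` in sshd_config text.

    sshd honours the first uncommented occurrence of a keyword, so every
    active occurrence is rewritten (the post's `sed .../g` does the same).
    If only commented-out occurrences exist the sed does nothing, whereas
    here an active line is appended. Keywords are case-insensitive.
    """
    pat = re.compile(r"^(\s*)(#?)(\s*)(" + re.escape(key) + r")(\s+)(\S+)\s*$",
                     re.IGNORECASE)
    lines = text.splitlines()
    seen_active = False
    changed = False
    for i, raw in enumerate(lines):
        m = pat.match(raw)
        if not m or m.group(2) == "#":
            continue                      # no match, or a commented-out line
        seen_active = True
        if m.group(6).lower() != value.lower():
            lines[i] = m.group(1) + m.group(4) + m.group(5) + value
            changed = True
    if not seen_active:
        lines.append(key + " " + value)   # nothing active: add one
        changed = True
    if not changed:
        return text, False
    return "\n".join(lines) + "\n", True


def apply(path, fn, *args):
    """Rewrite `path` in place through fn, keeping a .bak copy; returns changed."""
    with open(path) as f:
        text = f.read()
    new, changed = fn(text, *args)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as f:
            f.write(new)
    return changed


if __name__ == "__main__":
    # Run as root; restart sshd afterwards (run `sshd -t` first to syntax-check).
    pam_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pam.d/sshd"
    cfg_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/ssh/sshd_config"
    print("pam.d/sshd changed:", apply(pam_path, ensure_pam_module))
    print("ChallengeResponseAuthentication changed:",
          apply(cfg_path, set_sshd_option, "ChallengeResponseAuthentication", "yes"))
    print("UsePAM changed:", apply(cfg_path, set_sshd_option, "UsePAM", "yes"))
```

Run it a second time and every line reports False, which is the property the echo/sed pair lacks.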

After the restart, run google-authenticator as the user who will be logging in (it writes that user's own ~/.google_authenticator, so repeat it for each account) to generate a secret; answering yes to every option afterwards is fine.

Generate the google-authenticator configuration:

google-authenticator

The following prompts appear (if you are unsure, answer y and press Enter for each of them):

Do you want authentication tokens to be time-based (y/n) y

After entering y, a QR code is displayed; scan it with the authenticator app to add the account (Google Authenticator client download).

Your new secret key is: 3URVLB6ISMJAQxxxxxxxxxLYLE
Your verification code is 9xx447
Your emergency scratch codes are:
671418x59
18845x382
171956x32
18234x158
99713x403

Note the numbers listed last: these are emergency scratch codes, which can be entered in place of the app's code to log in. Each one works exactly once; keep them somewhere safe and, once you are logged in, re-run google-authenticator to generate a fresh set.

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

You can answer y or n to each of the prompts above as you need; if you are unsure, the author's advice is to answer y to all of them. Bear in mind that y to the time-skew question widens the accepted window from 3 codes to 17 (about 4 minutes), a larger set for a guesser to hit; if the server keeps its clock synced with NTP, n is the stricter choice.

That completes the installation. One thing to watch: when logging in with Xshell you must choose the Keyboard Interactive authentication method (the OpenSSH command-line client negotiates it automatically, but Xshell has to be switched by hand).

When logging in, switch the method to Keyboard Interactive; two prompts then appear, one for the verification code and one for the password. Their order can vary, so read each prompt and enter the corresponding value.

A side note on time: TOTP codes are computed from Unix epoch time, which is the same in every time zone, so what must be correct is the server's clock, not its time zone. The server is often abroad in a very different zone, which makes a clock error hard to spot by eye: check with date -u against a trusted UTC clock, and if the server is off by more than the window allows (30 s by default) sync it with NTP (chrony or ntpdate). Changing the zone as below only alters how local time is displayed; it is convenient for comparing against your own clock but does not by itself fix authentication:

ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
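To make the prompts above concrete (the 30 s step, the 3- versus 17-code window, the one-time scratch codes, and why the server's time zone does not matter but its clock does), here is an added Python 3 example, not code from the original post or from the pam_google_authenticator module, that verifies codes the way those settings describe. The secret is the RFC 6238 test key, the scratch codes and the file text are constructed, and the ~/.google_authenticator layout the parser expects (secret on line 1, options prefixed with `" `, then one scratch code per line) is this example's assumption.

```python
"""Verify one-time codes the way the google-authenticator prompts describe.

Added example (Python 3), not code from the original post or from the
pam_google_authenticator module itself. It implements RFC 6238 TOTP
(HMAC-SHA1, 6 digits, 30 s step) over a base32 secret and models the
window, DISALLOW_REUSE and scratch-code rules. SAMPLE_FILE is constructed:
the secret is the RFC 6238 test key, the scratch codes are made up, and
the layout (secret on line 1, options prefixed with `" `, then one scratch
code per line) is this example's assumption about ~/.google_authenticator.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code, as the prompt says
DIGITS = 6

SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    pad = "=" * (-len(secret_b32) % 8)          # the tool prints no base32 padding
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, value % 10 ** DIGITS)


def totp(secret_b32, now):
    """RFC 6238: counter = Unix time // STEP. Unix time is UTC seconds in
    every time zone, so /etc/localtime never changes the code; only an
    inaccurate clock does."""
    return hotp(secret_b32, int(now) // STEP)


def current_code(secret_b32):
    """What the phone app shows right now."""
    return totp(secret_b32, time.time())


class Verifier:
    """Per-user state: secret, window, scratch codes, and the time steps
    already accepted (what DISALLOW_REUSE tracks)."""

    def __init__(self, secret_b32, scratch, window=3, disallow_reuse=True):
        self.secret = secret_b32
        self.scratch = set(scratch)      # each code is burned after one use
        self.window = window             # 3 = previous, current, next code
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()

    def verify(self, code, now):
        """True if `code` is an unused scratch code, or a TOTP value within
        +/- (window-1)//2 steps of `now` that has not been accepted before."""
        code = code.strip()
        if code in self.scratch:
            self.scratch.discard(code)   # one-time use, as the post says
            return True
        step = int(now) // STEP
        half = (self.window - 1) // 2
        for delta in range(-half, half + 1):
            candidate = step + delta
            if hmac.compare_digest(hotp(self.secret, candidate).encode(), code.encode()):
                if self.disallow_reuse and candidate in self.used_steps:
                    return False         # replay of a code already used
                self.used_steps.add(candidate)
                return True
        return False


def load_config(text):
    """Parse the assumed ~/.google_authenticator layout into a Verifier.
    Only the time-based (TOTP_AUTH) mode chosen at the first prompt is handled."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret, window, reuse, scratch = lines[0], 3, False, []
    for ln in lines[1:]:
        if ln.startswith('"'):
            opt = ln[1:].split()
            if opt[:1] == ["WINDOW_SIZE"]:
                window = int(opt[1])
            elif opt[:1] == ["DISALLOW_REUSE"]:
                reuse = True
        elif ln.isdigit():
            scratch.append(ln)
    return Verifier(secret, scratch, window=window, disallow_reuse=reuse)


if __name__ == "__main__":
    v = load_config(SAMPLE_FILE)
    print("code right now for the sample secret:", current_code(v.secret))
```

With WINDOW_SIZE 3 a code generated three steps (90 s) away is rejected, and with 17 it is accepted; the same code presented twice within its step is rejected once DISALLOW_REUSE is set; a scratch code passes once and never again.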