通常我們直接通過ssh輸入密碼連接服務器,但這樣很容易出現暴力破解情況,所以我們可以結合google的動態認證+ssh密碼,這樣能夠大大的提升登陸的安全。
簡單來說,就是當用戶通過ssh登陸系統時,先輸入google認證的隨機驗證碼,然後在輸入服務器的ssh密碼。
環境準備:
操作系統:Centos7.6
關閉selinux,ebtables firewalld防火牆
配置好bash epel倉庫
配置步驟:
1. 安裝依賴包
[root@Web-Node1 ~]# yum -y install gcc make pam-devel libpng-devel libtool wget git
2. 安裝Google Authenticator PAM插件安裝
[root@Web-Node1 ~]# yum -y install gcc make pam-devel libpng-devel libtool wget git
[root@Web-Node1 ~]# git clone https://github.com/google/google-authenticator-libpam.git
[root@Web-Node1 ~]# cd google-authenticator-libpam
[root@Web-Node1 google-authenticator-libpam]# ./bootstrap.sh
[root@Web-Node1 google-authenticator-libpam]# ./configure
[root@Web-Node1 google-authenticator-libpam]# make && make install
[root@Web-Node1 google-authenticator-libpam]# cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
3. 初始配置 Google Authenticator
[root@Web-Node1 ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@Web-Node2%3Fsecret%3DB7YR4A6Z5LQE37QD
Your new secret key is: B7YR4A6Z5LQE37QD
Your verification code is 851340
Your emergency scratch codes are:
55537278
38559541
61031219
97124002
30778145
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
4.SSH調用及客戶端配置,添加pam認證,在第一行添加
[root@Web-Node1 qrencode-3.4.4]# vim /etc/pam.d/sshd
auth required pam_google_authenticator.so
5.修改sshd配置,關聯google認證
[root@Web-Node1 qrencode-3.4.4]# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
[root@Web-Node1 qrencode-3.4.4]# systemctl restart sshd
[root@Web-Node1 qrencode-3.4.4]# systemctl enable sshd
6.客戶端通過ssh連接服務器測試
[root@Web-Node2 ~]# ssh [email protected]
Verification code:
Password:
Last login: Wed May 22 17:19:17 2019 from 192.168.1.22
需要輸入動態密碼,動態密碼通過手機獲取如下圖所示
7. 查看服務端的安全日誌文件,可以看到是先進程google動態密碼認證
[root@Web-Node1 ~]# tail -fn0 /var/log/secure
May 23 11:50:57 Web-Node1 sshd(pam_google_authenticator)[14080]:
May 23 11:51:00 Web-Node1 sshd[14078]: Accepted keyboard-interactive/pam for root from 192.168.1.23 port 57700 ssh2
May 23 11:51:01 Web-Node1 sshd[14078]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 23 11:58:14 Web-Node1 sshd[14215]: Connection closed by 192.168.1.18 port 54006 [preauth]
8. 注意事項:
1.用password + google authenticator,如果使用公鑰登錄的話,會跳過google authenticator驗證直接登錄服務器的。
2.如果是內網測試使用,建議安裝google authenticator 瀏覽器插件實踐。如果是公網服務器建議安裝手機版的Authenticator
9. 安裝Google authenticator
Andorid版:“身份驗證器”
iOS版:下載 “Authenticator”
chrome瀏覽器:使用“身份驗證器”