Strengthening SSH login with Google Authenticator two-step verification

Google Authenticator open-source project homepage: https://github.com/google/google-authenticator

Installing Google Authenticator

Ubuntu already ships the libpam-google-authenticator package (Ubuntu 11.10 and later), so it can be installed directly with apt-get:

apt-get install libpam-google-authenticator

On other systems, build and install it from source:

git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install

Note: on Debian 7, running ./configure may fail with the following error:

configure: error: Unable to find the PAM library or the PAM header files

In that case, install libpam0g-dev and libtool first:

apt-get -y install libpam0g-dev libtool

Configuring Google Authenticator

On your phone, search for and install the Google Authenticator app. Then run the setup tool on the server:

google-authenticator
Do you want authentication tokens to be time-based (y/n) y

A QR code is then displayed; scan it with Google Authenticator on the phone, then continue the setup on the server.

If no QR code is displayed, copy the link printed by the tool (it begins with https://www.google.com/chart?) into a browser to view the QR code.

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Next, hook Google Authenticator verification into SSH login.

Edit /etc/pam.d/sshd, add the following line, and save:

auth required pam_google_authenticator.so

Edit /etc/ssh/sshd_config and find the line

ChallengeResponseAuthentication no

and change it to

ChallengeResponseAuthentication yes

Restart the SSH service:

service ssh restart

On the next login, after entering the username you are prompted for the two-step verification code first, and only then for the user password, as shown below:

login as: root
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 2.6.32-042stab108.8 i686)

* Documentation:  https://help.ubuntu.com/
Last login: Thu Jan 28 15:04:20 2016 from 61.185.216.146
root@hkvps:~#

Reference: https://wzyboy.im/post/765.html