使用Google Authenticator两步验证加强SSH登录
Google Authenticator开源版主页 https://github.com/google/google-authenticator 安装Google Authenticator Ubuntu通过以下命令安装: apt-get install libpam-google-authenticator CentOS通过以下命令安装: yum install google-authenticator 其他系统可以通过源码编译安装 git clone https://github.com/google/google-authenticator-libpam.git cd google-authenticator-libpam/ ./bootstrap.sh ./configure make make install 注意:在Debian7中执行./configure时可能存在以下错误提示 configure: error: Unable to find the PAM library or the PAM header files 在此需要安装libpam0g-dev和libtool apt-get -y install libpam0g-dev libtool 设置Google Authenticator 在手机端搜索安装Google Authenticator google-authenticator Do you want authentication tokens to be time-based (y/n) y 然后出现二维码,使用手机端Google Authenticator扫码,接下来服务器端继续设置 如果没有出现二维码,可以将提示的以https://www.google.com/chart?开头的连接复制到浏览器中,就可以看到二维码了 Do you want me to update your "/root/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y 接下来将Google Authenticator验证配置到SSH登录中 ...