Normally we connect to a server over SSH by typing the password directly, but that leaves the login open to brute-force attempts, so we can combine a Google one-time verification code with the SSH password, which greatly improves the security of the login.
In short, when a user logs in over SSH, they first enter the random verification code from the Google authenticator, and then enter the server's SSH password.
Environment preparation:
Operating system: CentOS 7.6
SELinux, ebtables and the firewalld firewall disabled
base and epel repositories configured
Configuration steps:
1. Install the dependency packages
[root@Web-Node1 ~]# yum -y install gcc make pam-devel libpng-devel libtool wget git
2. Install the Google Authenticator PAM module
[root@Web-Node1 ~]# git clone https://github.com/google/google-authenticator-libpam.git
[root@Web-Node1 ~]# cd google-authenticator-libpam
[root@Web-Node1 google-authenticator-libpam]# ./bootstrap.sh
[root@Web-Node1 google-authenticator-libpam]# ./configure
[root@Web-Node1 google-authenticator-libpam]# make && make install
[root@Web-Node1 google-authenticator-libpam]# cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
3. Initial configuration of Google Authenticator
[root@Web-Node1 ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@Web-Node2%3Fsecret%3DB7YR4A6Z5LQE37QD
Your new secret key is: B7YR4A6Z5LQE37QD
Your verification code is 851340
Your emergency scratch codes are:
55537278
38559541
61031219
97124002
30778145
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
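To make clear what the verification code, the 30-second token lifetime, the time-skew window and the "disallow multiple uses" option in the dialogue above actually mean, here is an added example written for this page (it is not code from the google-authenticator-libpam project). It implements the same TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) in Python: it decodes a base32 secret in the format google-authenticator prints, derives the 6-digit code for a time step, and verifies a submitted code within plus or minus `window` steps while refusing a code whose step has already been used. The verifier is a simplified model of the PAM module's behaviour, not its source; the RFC 4226/6238 test-vector key and the secret from the sample output above are used only as inputs.

```python
"""TOTP (RFC 6238) derivation and a verifier with skew window and replay protection.
Added example for this page; a model of the PAM module's checks, not its code."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # token lifetime used by google-authenticator by default


def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret as printed by google-authenticator (no '=' padding)."""
    s = b32.strip().upper()
    s += "=" * (-len(s) % 8)          # restore padding so b32decode accepts it
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter = unix_time // 30."""
    return hotp(key, int(unix_time) // STEP_SECONDS, digits)


class TotpVerifier:
    """Accept a code for the current step +/- window; optionally refuse reuse of a step."""

    def __init__(self, key: bytes, window: int = 1, disallow_reuse: bool = True):
        self.key = key
        self.window = window              # 1 = one extra token before and after "now"
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()           # steps whose code was already accepted

    def verify(self, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else int(unix_time)
        current = now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step < 0:
                continue
            if hmac.compare_digest(hotp(self.key, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False          # same token presented twice: rejected
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    # Secret taken from the sample google-authenticator output on this page.
    key = decode_secret("B7YR4A6Z5LQE37QD")
    print("current code:", totp(key, int(time.time())))
```

Running the block prints the code the phone app would currently show for that secret; the verifier class is what the tests below exercise with the RFC test-vector key.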
4. Hook the module into SSH: add the PAM authentication entry as the first line of the file
[root@Web-Node1 qrencode-3.4.4]# vim /etc/pam.d/sshd
auth required pam_google_authenticator.so
5. Modify the sshd configuration to enable the Google authentication
[root@Web-Node1 qrencode-3.4.4]# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
[root@Web-Node1 qrencode-3.4.4]# systemctl restart sshd
[root@Web-Node1 qrencode-3.4.4]# systemctl enable sshd
6. Test the connection from a client over ssh
[root@Web-Node2 ~]# ssh [email protected]
Verification code:
Password:
Last login: Wed May 22 17:19:17 2019 from 192.168.1.22
The one-time code must be entered; it is read from the phone app as shown in the figure below.
7. Check the security log on the server; you can see that the Google one-time code authentication takes place first
[root@Web-Node1 ~]# tail -fn0 /var/log/secure
May 23 11:50:57 Web-Node1 sshd(pam_google_authenticator)[14080]:
May 23 11:51:00 Web-Node1 sshd[14078]: Accepted keyboard-interactive/pam for root from 192.168.1.23 port 57700 ssh2
May 23 11:51:01 Web-Node1 sshd[14078]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 23 11:58:14 Web-Node1 sshd[14215]: Connection closed by 192.168.1.18 port 54006 [preauth]
8. Notes:
1. With password + google authenticator, if you log in with a public key, the google authenticator verification is skipped and you are logged straight into the server.
2. For testing on an internal network, installing the google authenticator browser extension is recommended. For a server on the public Internet, install the phone version of Authenticator.
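Steps 4 and 5 and note 1 above can be turned into a check. The following is an added example, not code from this page or from OpenSSH: it parses an sshd_config and a /etc/pam.d/sshd file (constructed samples are embedded) and reports whether UsePAM and ChallengeResponseAuthentication are on, whether the pam_google_authenticator.so auth line is present, and whether public-key logins would skip the one-time code. That last finding is the situation note 1 describes: sshd runs the PAM auth stack only for keyboard-interactive logins, so a key login never reaches pam_google_authenticator.so unless AuthenticationMethods lists keyboard-interactive in every method list. Only the global section of sshd_config is considered; Match blocks are ignored.

```python
"""Audit sshd_config + pam.d/sshd for the OTP-then-password setup.
Added example for this page; constructed sample files are embedded below."""


def parse_sshd_config(text: str) -> dict:
    """Effective global keywords, lowercased; first occurrence wins, as in sshd."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break                      # simplification: stop at the first Match block
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts


def pam_has_google_auth(pam_text: str) -> bool:
    """True if an 'auth' line references pam_google_authenticator.so."""
    for raw in pam_text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if len(toks) >= 3 and toks[0] == "auth" and any(
            t.endswith("pam_google_authenticator.so") for t in toks[1:]
        ):
            return True
    return False


def otp_enforced_for_all_methods(methods: str) -> bool:
    """Every AuthenticationMethods list must contain keyboard-interactive (optionally ':pam')."""
    if methods.strip().lower() == "any":
        return False
    lists = methods.split()
    return bool(lists) and all(
        any(m.split(":")[0].lower() == "keyboard-interactive" for m in lst.split(","))
        for lst in lists
    )


def audit(sshd_text: str, pam_text: str) -> list:
    """Return finding codes; an empty list means the OTP is enforced for every login path."""
    opts = parse_sshd_config(sshd_text)
    findings = []
    if not pam_has_google_auth(pam_text):
        findings.append("PAM_LINE_MISSING")
    if opts.get("usepam", "no").lower() != "yes":           # compiled-in default is no
        findings.append("USEPAM_OFF")
    if opts.get("challengeresponseauthentication", "no").lower() != "yes":
        findings.append("CHALLENGE_RESPONSE_OFF")          # CentOS 7 ships it set to no
    pubkey_on = opts.get("pubkeyauthentication", "yes").lower() == "yes"
    if pubkey_on and not otp_enforced_for_all_methods(opts.get("authenticationmethods", "any")):
        findings.append("PUBKEY_BYPASSES_OTP")             # note 1 on this page
    return findings


# Constructed sample resembling the configuration built in steps 4 and 5.
PAGE_SSHD = """
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
"""
PAGE_PAM = """
auth required pam_google_authenticator.so
auth       substack     password-auth
"""
# Constructed variant that also requires the OTP after a key login.
STRICT_SSHD = PAGE_SSHD + "AuthenticationMethods publickey,keyboard-interactive\n"

if __name__ == "__main__":
    print("page config  :", audit(PAGE_SSHD, PAGE_PAM))
    print("strict config:", audit(STRICT_SSHD, PAGE_PAM))
```

To run it against a real host, read /etc/ssh/sshd_config and /etc/pam.d/sshd into the two strings; the page's own configuration yields only PUBKEY_BYPASSES_OTP, which is exactly note 1.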
9. Installing the Google Authenticator client
Android: "Authenticator" (身份验证器)
iOS: download "Authenticator"
Chrome browser: use the "Authenticator" (身份验证器) extension