一、介绍:什么是双因素认证
双因素身份认证就是通过你所知道再加上你所能拥有的这二个要素组合到一起才能发挥作用的身份认证系统。双因素认证是一种采用时间同步技术的系统,采用了基于时间、事件和密钥三变量而产生的一次性密码来代替传统的静态密码。每个动态密码卡都有一个唯一的密钥,该密钥同时存放在服务器端,每次认证时动态密码卡与服务器分别根据同样的密钥,同样的随机参数(时间、事件)和同样的算法计算了认证的动态密码,从而确保密码的一致性,从而实现了用户的认证。就像我们去银行办卡送的口令牌.
二、安装Google Authenticator
2.1 基本环境:
OS:Centos 7
IP :192.168.150.125
2.2 所需软件:
chrony
pam-devel
qrencode-3.4.4
libpng、libpng-devel
2.3 部署
2.3.1 安装gcc等编译器,以及需要用到的库
[root@kbsonlong ~]# yum install gcc-c++ git -y
2.3.2 安装pam 开发包
[root@kbsonlong ~]# yum install pam-devel -y
2.3.3 安装chrony 软件,因为动态口令再验证时用到了时间,所以要保持时间上的一致性。简单说下chrony:chrony 是网络时间协议的(NTP)的另一种实现,与网络时间协议后台程序(ntpd)不同,它可以更快地更准确地同步系统始终。如果要使用ntp 需要单独安装。
[root@kbsonlong ~]# yum install chrony -y [root@kbsonlong ~]# vim /etc/chrony.conf … server 2.cn.pool.ntp.org iburst
重启服务并使用命令查看同步(注:202.118.1.130就是我们上一步添加的那个ntp server)
[root@kbsonlong ~]# systemctl restart chronyd [root@kbsonlong ~]# chronyc sources 210 Number of sources = 3 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* 202.118.1.130 2 6 17 54 -58us[ +132us] +/- 85ms ^+ news.neu.edu.cn 2 6 17 54 +542us[ +732us] +/- 89ms ^- dns1.synet.edu.cn 2 6 251 46 +25ms[ +25ms] +/- 60ms
如果时区不对的话,可以拷贝你当前地区所在地的时区到系统运行的时区,如下:
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
2.3.4 下载Google Authenticator源码
git clone https://github.com/google/google-authenticator-libpam.git
2.3.5 编译安装Google Authentication
[root@kbsonlong google-authenticator-libpam]# pwd /data/google-authenticator/google-authenticator-libpam [root@kbsonlong google-authenticator-libpam]# ll total 80 -rwxr-xr-x 1 root root 605 May 7 16:31 bootstrap.sh drwxr-xr-x 2 root root 4096 May 7 16:31 build -rw-r--r-- 1 root root 2081 May 7 16:31 configure.ac drwxr-xr-x 2 root root 4096 May 7 16:31 contrib -rw-r--r-- 1 root root 1452 May 7 16:31 CONTRIBUTING.md drwxr-xr-x 2 root root 4096 May 7 16:31 examples -rw-r--r-- 1 root root 2622 May 7 16:31 FILEFORMAT -rw-r--r-- 1 root root 11358 May 7 16:31 LICENSE -rw-r--r-- 1 root root 2340 May 7 16:31 Makefile.am drwxr-xr-x 2 root root 4096 May 7 16:31 man -rw-r--r-- 1 root root 7155 May 7 16:31 README.md drwxr-xr-x 2 root root 4096 May 7 16:31 src drwxr-xr-x 2 root root 4096 May 7 16:31 tests -rw-r--r-- 1 root root 9423 May 7 16:31 totp.html drwxr-xr-x 2 root root 4096 May 7 16:31 utc-time [root@kbsonlong google-authenticator-libpam]# ./bootstrap.sh libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'. libtoolize: copying file `build/ltmain.sh' libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'. libtoolize: copying file `build/libtool.m4' libtoolize: copying file `build/ltoptions.m4' libtoolize: copying file `build/ltsugar.m4' libtoolize: copying file `build/ltversion.m4' libtoolize: copying file `build/lt~obsolete.m4' configure.ac:16: installing 'build/config.guess' configure.ac:16: installing 'build/config.sub' configure.ac:13: installing 'build/install-sh' configure.ac:13: installing 'build/missing' Makefile.am: installing 'build/depcomp' parallel-tests: installing 'build/test-driver' [root@kbsonlong google-authenticator-libpam]# ./configure checking whether make supports nested variables... yes checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /usr/bin/grep checking for egrep... /usr/bin/grep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking minix/config.h usability... no checking minix/config.h presence... no checking for minix/config.h... no checking whether it is safe to define __EXTENSIONS__... yes checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /usr/bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking whether to enable maintainer-specific portions of Makefiles... yes checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu checking how to print strings... printf checking for a sed that does not truncate output... /usr/bin/sed checking for fgrep... /usr/bin/grep -F checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... yes checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B checking the name lister (/usr/bin/nm -B) interface... BSD nm checking whether ln -s works... yes checking the maximum length of command line arguments... 1572864 checking whether the shell understands some XSI constructs... yes checking whether the shell understands "+="... yes checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop checking for /usr/bin/ld option to reload object files... -r checking for objdump... objdump checking how to recognize dependent libraries... pass_all checking for dlltool... no checking how to associate runtime and link libraries... printf %s\n checking for ar... ar checking for archiver @FILE support... @ checking for strip... strip checking for ranlib... ranlib checking command to parse /usr/bin/nm -B output from gcc object... ok checking for sysroot... no checking for mt... no checking if : is a manifest tool... no checking for dlfcn.h... yes checking for objdir... .libs checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC -DPIC checking if gcc PIC flag -fPIC -DPIC works... yes checking if gcc static flag -static works... no checking if gcc supports -c -o file.o... yes checking if gcc supports -c -o file.o... (cached) yes checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... GNU/Linux ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... yes checking for gcc... (cached) gcc checking whether we are using the GNU C compiler... (cached) yes checking whether gcc accepts -g... (cached) yes checking for gcc option to accept ISO C89... (cached) none needed checking for gcc option to accept ISO C99... -std=gnu99 checking for gcc -std=gnu99 option to accept ISO Standard C... (cached) -std=gnu99 checking sys/fsuid.h usability... yes checking sys/fsuid.h presence... yes checking for sys/fsuid.h... yes checking for explicit_bzero... no checking for setfsuid... yes checking for security/pam_appl.h... yes checking for security/pam_modules.h... yes checking for pam_get_user in -lpam... yes checking whether certain PAM functions require const arguments... yes checking for library containing dlopen... -ldl checking that generated files are newer than configure... done configure: creating ./config.status config.status: creating Makefile config.status: creating contrib/rpm.spec config.status: creating config.h config.status: executing depfiles commands config.status: executing libtool commands google-authenticator version 1.05 Prefix.........: /usr/local Debug Build....: C Compiler.....: gcc -std=gnu99 -g -O2 Linker.........: /usr/bin/ld -m elf_x86_64 -ldl [root@kbsonlong google-authenticator-libpam]# make && make install make all-am make[1]: Entering directory `/data/google-authenticator/google-authenticator-libpam' CC src/pam_google_authenticator_la-pam_google_authenticator.lo CC src/pam_google_authenticator_la-util.lo CC src/pam_google_authenticator_la-base32.lo CC src/pam_google_authenticator_la-hmac.lo CC src/pam_google_authenticator_la-sha1.lo CCLD pam_google_authenticator.la CC src/google-authenticator.o CC src/util.o CC src/base32.o CC src/hmac.o CC src/sha1.o CCLD google-authenticator make[1]: Leaving directory `/data/google-authenticator/google-authenticator-libpam' make[1]: Entering directory `/data/google-authenticator/google-authenticator-libpam' /usr/bin/mkdir -p '/usr/local/bin' /bin/sh ./libtool --mode=install /usr/bin/install -c google-authenticator '/usr/local/bin' libtool: install: /usr/bin/install -c google-authenticator /usr/local/bin/google-authenticator /usr/bin/mkdir -p '/usr/local/share/doc/google-authenticator' /usr/bin/install -c -m 644 FILEFORMAT README.md '/usr/local/share/doc/google-authenticator' /usr/bin/mkdir -p '/usr/local/share/doc/google-authenticator' /usr/bin/install -c -m 644 totp.html '/usr/local/share/doc/google-authenticator' /usr/bin/mkdir -p '/usr/local/share/man/man1' /usr/bin/install -c -m 644 man/google-authenticator.1 '/usr/local/share/man/man1' /usr/bin/mkdir -p '/usr/local/share/man/man8' /usr/bin/install -c -m 644 man/pam_google_authenticator.8 '/usr/local/share/man/man8' /usr/bin/mkdir -p '/usr/local/lib/security' /bin/sh ./libtool --mode=install /usr/bin/install -c pam_google_authenticator.la '/usr/local/lib/security' libtool: install: /usr/bin/install -c .libs/pam_google_authenticator.so /usr/local/lib/security/pam_google_authenticator.so libtool: install: /usr/bin/install -c .libs/pam_google_authenticator.lai /usr/local/lib/security/pam_google_authenticator.la libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/go/bin:/usr/local/go/bin:/root/bin:/sbin" ldconfig -n /usr/local/lib/security ---------------------------------------------------------------------- Libraries have been installed in: /usr/local/lib/security If you ever happen to want to link against installed libraries in a given directory, LIBDIR, you must either use libtool, and specify the full pathname of the library, or use the `-LLIBDIR' flag during linking and do at least one of the following: - add LIBDIR to the `LD_LIBRARY_PATH' environment variable during execution - add LIBDIR to the `LD_RUN_PATH' environment variable during linking - use the `-Wl,-rpath -Wl,LIBDIR' linker flag - have your system administrator add LIBDIR to `/etc/ld.so.conf' See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages. ---------------------------------------------------------------------- make[1]: Leaving directory `/data/google-authenticator/google-authenticator-libpam'
2.3.6 安装二维码生成工具。这步✌也可以省略,如果不装的话,因为下一步生成的二维码就会成一个链接,到时将链接复制到你的浏览器中,也是可以出现二维码的,到时利用智能手机打开google author 进行扫描。
[root@kbsonlong google-authenticator]# wget -c http://fukuchi.org/works/qrencode/qrencode-3.4.4.tar.gz --2018-05-07 16:35:22-- http://fukuchi.org/works/qrencode/qrencode-3.4.4.tar.gz Resolving fukuchi.org (fukuchi.org)... 173.230.148.37 Connecting to fukuchi.org (fukuchi.org)|173.230.148.37|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://fukuchi.org/works/qrencode/qrencode-3.4.4.tar.gz [following] --2018-05-07 16:35:23-- https://fukuchi.org/works/qrencode/qrencode-3.4.4.tar.gz Connecting to fukuchi.org (fukuchi.org)|173.230.148.37|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 468788 (458K) [application/x-gzip] Saving to: ‘qrencode-3.4.4.tar.gz’ 100%[=========================================================================================================================================>] 468,788 --.-K/s in 0.05s 2018-05-07 16:35:23 (8.95 MB/s) - ‘qrencode-3.4.4.tar.gz’ saved [468788/468788] [root@kbsonlong google-authenticator]# tar zxvf qrencode-3.4.4.tar.gz qrencode-3.4.4/ qrencode-3.4.4/tests/ qrencode-3.4.4/tests/Makefile.am qrencode-3.4.4/tests/test_all.sh qrencode-3.4.4/tests/Makefile.in qrencode-3.4.4/tests/common.h qrencode-3.4.4/tests/decoder.c qrencode-3.4.4/tests/decoder.h qrencode-3.4.4/tests/create_frame_pattern.c qrencode-3.4.4/tests/create_mqr_frame_pattern.c qrencode-3.4.4/tests/prof_qrencode.c qrencode-3.4.4/tests/pthread_qrencode.c qrencode-3.4.4/tests/test_bitstream.c qrencode-3.4.4/tests/test_estimatebit.c qrencode-3.4.4/tests/test_mask.c qrencode-3.4.4/tests/test_mmask.c qrencode-3.4.4/tests/test_monkey.c qrencode-3.4.4/tests/test_mqrspec.c qrencode-3.4.4/tests/test_qrencode.c qrencode-3.4.4/tests/test_qrinput.c qrencode-3.4.4/tests/test_qrspec.c qrencode-3.4.4/tests/test_rs.c qrencode-3.4.4/tests/test_split.c qrencode-3.4.4/tests/view_qrcode.c qrencode-3.4.4/tests/frame qrencode-3.4.4/use/ qrencode-3.4.4/use/depcomp qrencode-3.4.4/use/compile qrencode-3.4.4/use/config.guess qrencode-3.4.4/use/config.rpath qrencode-3.4.4/use/config.sub qrencode-3.4.4/use/install-sh qrencode-3.4.4/use/missing qrencode-3.4.4/use/ltmain.sh qrencode-3.4.4/Makefile.in qrencode-3.4.4/Makefile.am qrencode-3.4.4/configure qrencode-3.4.4/acinclude.m4 qrencode-3.4.4/configure.ac qrencode-3.4.4/aclocal.m4 qrencode-3.4.4/config.h.in qrencode-3.4.4/libqrencode.pc.in qrencode-3.4.4/qrencode.spec.in qrencode-3.4.4/qrencode.1.in qrencode-3.4.4/qrencode.h qrencode-3.4.4/COPYING qrencode-3.4.4/ChangeLog qrencode-3.4.4/NEWS qrencode-3.4.4/README qrencode-3.4.4/TODO qrencode-3.4.4/qrencode.c qrencode-3.4.4/qrencode_inner.h qrencode-3.4.4/qrinput.c qrencode-3.4.4/qrinput.h qrencode-3.4.4/bitstream.c qrencode-3.4.4/bitstream.h qrencode-3.4.4/qrspec.c qrencode-3.4.4/qrspec.h qrencode-3.4.4/rscode.c qrencode-3.4.4/rscode.h qrencode-3.4.4/split.c qrencode-3.4.4/split.h qrencode-3.4.4/mask.c qrencode-3.4.4/mask.h qrencode-3.4.4/mqrspec.c qrencode-3.4.4/mqrspec.h qrencode-3.4.4/mmask.c qrencode-3.4.4/mmask.h qrencode-3.4.4/qrenc.c qrencode-3.4.4/autogen.sh qrencode-3.4.4/qrencode.spec qrencode-3.4.4/Doxyfile [root@kbsonlong google-authenticator]# yum install libpng libpng-devel Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.scalabledns.com * elrepo-kernel: repos.lax-noc.com * extras: mirror.linuxfix.com * remi-safe: mirrors.mediatemple.net * updates: mirror.steadfast.net Package 2:libpng-1.5.13-7.el7_2.x86_64 already installed and latest version Package 2:libpng-devel-1.5.13-7.el7_2.x86_64 already installed and latest version Nothing to do [root@kbsonlong google-authenticator]# cd qrencode-3.4.4 [root@kbsonlong qrencode-3.4.4]# ./configure checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu checking target system type... x86_64-unknown-linux-gnu checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /usr/bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make supports nested variables... yes checking for style of include used by make... GNU checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking whether gcc understands -c and -o together... yes checking dependency style of gcc... gcc3 checking for an ANSI C-conforming const... yes checking for inline... inline checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /usr/bin/grep checking for egrep... /usr/bin/grep -E checking for ANSI C header files... yes checking for gcc... (cached) gcc checking whether we are using the GNU C compiler... (cached) yes checking whether gcc accepts -g... (cached) yes checking for gcc option to accept ISO C89... (cached) none needed checking whether gcc understands -c and -o together... (cached) yes checking dependency style of gcc... (cached) gcc3 checking how to print strings... printf checking for a sed that does not truncate output... /usr/bin/sed checking for fgrep... /usr/bin/grep -F checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... yes checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B checking the name lister (/usr/bin/nm -B) interface... BSD nm checking whether ln -s works... yes checking the maximum length of command line arguments... 1572864 checking whether the shell understands some XSI constructs... yes checking whether the shell understands "+="... yes checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop checking for /usr/bin/ld option to reload object files... -r checking for objdump... objdump checking how to recognize dependent libraries... pass_all checking for dlltool... no checking how to associate runtime and link libraries... printf %s\n checking for ar... ar checking for archiver @FILE support... @ checking for strip... strip checking for ranlib... ranlib checking command to parse /usr/bin/nm -B output from gcc object... ok checking for sysroot... no checking for mt... no checking if : is a manifest tool... no checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking for dlfcn.h... yes checking for objdir... .libs checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC -DPIC checking if gcc PIC flag -fPIC -DPIC works... yes checking if gcc static flag -static works... no checking if gcc supports -c -o file.o... yes checking if gcc supports -c -o file.o... (cached) yes checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... GNU/Linux ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... no checking for ranlib... (cached) ranlib checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for strdup... yes checking for pthread_mutex_init in -lpthread... yes checking for png... yes checking that generated files are newer than configure... done configure: creating ./config.status config.status: creating Makefile config.status: creating libqrencode.pc config.status: creating tests/Makefile config.status: creating qrencode.spec config.status: creating qrencode.1 config.status: creating config.h config.status: executing depfiles commands config.status: executing libtool commands Options used to compile and link: CC = gcc CFLAGS = -Wall -g -O2 CPPFLAGS = CXX = CXXFLAGS = LDFLAGS = [root@kbsonlong qrencode-3.4.4]# make && make install make all-recursive make[1]: Entering directory `/data/google-authenticator/qrencode-3.4.4' Making all in . make[2]: Entering directory `/data/google-authenticator/qrencode-3.4.4' /bin/sh ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT qrencode.lo -MD -MP -MF .deps/qrencode.Tpo -c -o qrencode.lo qrencode.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT qrencode.lo -MD -MP -MF .deps/qrencode.Tpo -c qrencode.c -fPIC -DPIC -o .libs/qrencode.o mv -f .deps/qrencode.Tpo .deps/qrencode.Plo /bin/sh ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT qrinput.lo -MD -MP -MF .deps/qrinput.Tpo -c -o qrinput.lo qrinput.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT qrinput.lo -MD -MP -MF .deps/qrinput.Tpo -c qrinput.c -fPIC -DPIC -o .libs/qrinput.o mv -f .deps/qrinput.Tpo .deps/qrinput.Plo /bin/sh ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT bitstream.lo -MD -MP -MF .deps/bitstream.Tpo -c -o bitstream.lo bitstream.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT bitstream.lo -MD -MP -MF .deps/bitstream.Tpo -c bitstream.c -fPIC -DPIC -o .libs/bitstream.o mv -f .deps/bitstream.Tpo .deps/bitstream.Plo /bin/sh ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT qrspec.lo -MD -MP -MF .deps/qrspec.Tpo -c -o qrspec.lo qrspec.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT qrspec.lo -MD -MP -MF .deps/qrspec.Tpo -c qrspec.c -fPIC -DPIC -o .libs/qrspec.o mv -f .deps/qrspec.Tpo .deps/qrspec.Plo /bin/sh ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT rscode.lo -MD -MP -MF .deps/rscode.Tpo -c -o rscode.lo rscode.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT rscode.lo -MD -MP -MF .deps/rscode.Tpo -c rscode.c -fPIC -DPIC -o .libs/rscode.o mv -f .deps/rscode.Tpo .deps/rscode.Plo /bin/sh ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT split.lo -MD -MP -MF .deps/split.Tpo -c -o split.lo split.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT split.lo -MD -MP -MF .deps/split.Tpo -c split.c -fPIC -DPIC -o .libs/split.o mv -f .deps/split.Tpo .deps/split.Plo /bin/sh ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT mask.lo -MD -MP -MF .deps/mask.Tpo -c -o mask.lo mask.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT mask.lo -MD -MP -MF .deps/mask.Tpo -c mask.c -fPIC -DPIC -o .libs/mask.o mv -f .deps/mask.Tpo .deps/mask.Plo /bin/sh ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT mqrspec.lo -MD -MP -MF .deps/mqrspec.Tpo -c -o mqrspec.lo mqrspec.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT mqrspec.lo -MD -MP -MF .deps/mqrspec.Tpo -c mqrspec.c -fPIC -DPIC -o .libs/mqrspec.o mv -f .deps/mqrspec.Tpo .deps/mqrspec.Plo /bin/sh ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT mmask.lo -MD -MP -MF .deps/mmask.Tpo -c -o mmask.lo mmask.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -g -O2 -MT mmask.lo -MD -MP -MF .deps/mmask.Tpo -c mmask.c -fPIC -DPIC -o .libs/mmask.o mv -f .deps/mmask.Tpo .deps/mmask.Plo /bin/sh ./libtool --tag=CC --mode=link gcc -Wall -g -O2 -version-number 3:4:4 -o libqrencode.la -rpath /usr/local/lib qrencode.lo qrinput.lo bitstream.lo qrspec.lo rscode.lo split.lo mask.lo mqrspec.lo mmask.lo libtool: link: gcc -shared -fPIC -DPIC .libs/qrencode.o .libs/qrinput.o .libs/bitstream.o .libs/qrspec.o .libs/rscode.o .libs/split.o .libs/mask.o .libs/mqrspec.o .libs/mmask.o -O2 -Wl,-soname -Wl,libqrencode.so.3 -o .libs/libqrencode.so.3.4.4 libtool: link: (cd ".libs" && rm -f "libqrencode.so.3" && ln -s "libqrencode.so.3.4.4" "libqrencode.so.3") libtool: link: (cd ".libs" && rm -f "libqrencode.so" && ln -s "libqrencode.so.3.4.4" "libqrencode.so") libtool: link: ( cd ".libs" && rm -f "libqrencode.la" && ln -s "../libqrencode.la" "libqrencode.la" ) gcc -DHAVE_CONFIG_H -I. -I/usr/include/libpng15 -Wall -g -O2 -MT qrencode-qrenc.o -MD -MP -MF .deps/qrencode-qrenc.Tpo -c -o qrencode-qrenc.o `test -f 'qrenc.c' || echo './'`qrenc.c mv -f .deps/qrencode-qrenc.Tpo .deps/qrencode-qrenc.Po /bin/sh ./libtool --tag=CC --mode=link gcc -I/usr/include/libpng15 -Wall -g -O2 -o qrencode qrencode-qrenc.o libqrencode.la -lpng15 libtool: link: gcc -I/usr/include/libpng15 -Wall -g -O2 -o .libs/qrencode qrencode-qrenc.o ./.libs/libqrencode.so -lpng15 make[2]: Leaving directory `/data/google-authenticator/qrencode-3.4.4' make[1]: Leaving directory `/data/google-authenticator/qrencode-3.4.4' Making install in . make[1]: Entering directory `/data/google-authenticator/qrencode-3.4.4' make[2]: Entering directory `/data/google-authenticator/qrencode-3.4.4' /usr/bin/mkdir -p '/usr/local/lib' /bin/sh ./libtool --mode=install /usr/bin/install -c libqrencode.la '/usr/local/lib' libtool: install: /usr/bin/install -c .libs/libqrencode.so.3.4.4 /usr/local/lib/libqrencode.so.3.4.4 libtool: install: (cd /usr/local/lib && { ln -s -f libqrencode.so.3.4.4 libqrencode.so.3 || { rm -f libqrencode.so.3 && ln -s libqrencode.so.3.4.4 libqrencode.so.3; }; }) libtool: install: (cd /usr/local/lib && { ln -s -f libqrencode.so.3.4.4 libqrencode.so || { rm -f libqrencode.so && ln -s libqrencode.so.3.4.4 libqrencode.so; }; }) libtool: install: /usr/bin/install -c .libs/libqrencode.lai /usr/local/lib/libqrencode.la libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/go/bin:/usr/local/go/bin:/root/bin:/sbin" ldconfig -n /usr/local/lib ---------------------------------------------------------------------- Libraries have been installed in: /usr/local/lib If you ever happen to want to link against installed libraries in a given directory, LIBDIR, you must either use libtool, and specify the full pathname of the library, or use the `-LLIBDIR' flag during linking and do at least one of the following: - add LIBDIR to the `LD_LIBRARY_PATH' environment variable during execution - add LIBDIR to the `LD_RUN_PATH' environment variable during linking - use the `-Wl,-rpath -Wl,LIBDIR' linker flag - have your system administrator add LIBDIR to `/etc/ld.so.conf' See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages. ---------------------------------------------------------------------- /usr/bin/mkdir -p '/usr/local/bin' /bin/sh ./libtool --mode=install /usr/bin/install -c qrencode '/usr/local/bin' libtool: install: /usr/bin/install -c .libs/qrencode /usr/local/bin/qrencode /usr/bin/mkdir -p '/usr/local/include' /usr/bin/install -c -m 644 qrencode.h '/usr/local/include' /usr/bin/mkdir -p '/usr/local/share/man/man1' /usr/bin/install -c -m 644 qrencode.1 '/usr/local/share/man/man1' /usr/bin/mkdir -p '/usr/local/lib/pkgconfig' /usr/bin/install -c -m 644 libqrencode.pc '/usr/local/lib/pkgconfig' make[2]: Leaving directory `/data/google-authenticator/qrencode-3.4.4' make[1]: Leaving directory `/data/google-authenticator/qrencode-3.4.4' [root@kbsonlong qrencode-3.4.4]# google-authenticator Do you want authentication tokens to be time-based (y/n) y Warning: pasting the following URL into your browser exposes the OTP secret to Google: https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@kbsonlong%3Fsecret%3DOESKRCPFBHVX4QNLJ6J65MWTR4%26issuer%3Dkbsonlong Your new secret key is: OESKRCPFBHVX4QNLJ6J65MWTR4 Your verification code is 170906 Your emergency scratch codes are: 71500218 28529324 55227626 10866708 44540819 Do you want me to update your "/root/.google_authenticator" file? (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y [root@kbsonlong qrencode-3.4.4]# more /root/.google_authenticator OESKRCPFBHVX4QNLJ6J65MWTR4 " RATE_LIMIT 3 30 " WINDOW_SIZE 17 " DISALLOW_REUSE " TOTP_AUTH 71500218 28529324 55227626 10866708 44540819 [root@kbsonlong qrencode-3.4.4]#
三、open***、ssh配置Google Authenticator
3.1 配置ssh
[root@kbsonlong ~]# vim /etc/pam.d/sshd
auth required pam_google_authenticator.so no_increment_hotp
配置sshd服务,/etc/ssh/sshd_config,主要修改以下3个值:
[root@kbsonlong ~]# vim /etc/ssh/sshd_config ... PasswordAuthentication yes ChallengeResponseAuthentication yes UsePAM yes
注意:这里插一条错误记录,测试过程中出现的。
[root@kbsonlong ~]# tail -40f /var/log/secure .... May 7 16:43:01 kbsonlong sshd[33414]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory May 7 16:43:01 kbsonlong sshd[33414]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so May 7 16:43:03 kbsonlong sshd[33416]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
修改方法:创建软链接即可,必须创建,或者直接复制过去也可。
[root@kbsonlong ~]# ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
之后,重启sshd 服务
[root@kbsonlong ~]# systemctl restart sshd
测试登录
[root@kbsonlong ~]# ssh test@192.168.150.125 Verification code: Password: Last failed login: Mon May 7 17:35:55 CST 2018 from hadoop1 on ssh:notty There was 1 failed login attempt since the last successful login. Last login: Mon May 7 17:33:13 2018 [test@kbsonlong ~]$
使用xshell等工具登录需要修改登录方式
登录提示输入验证码
验证码通过后提示输入密码
3.2 配置open***
/etc/pam.d/open***
这个配置文件是真正认证 open*** 登录的配置文件,里面内容主要是以下几句:
auth required pam_google_authenticator.so nullok forward_pass debug
account required pam_unix.so
第一行的 forward_pass 参数使得一次读入 google authenticator 的密码,然后把密码扔给后续的pam处理
debug 参数完全是调试的需要,生产环境可以不用
第二行是必须的,否则 open*** 登录不上
3.3 用户初始化
因为 google authenticator 需要在每个用户的家目录里生成一个叫 .google_authenticator 的文件,里面存有密钥和几个一次性的超级认证码及其他一些配置,所以,我们需要在 open*** 服务器上做一次初始化数据的工作。假设有 10个用户要用这个系统登录 open***、ssh,用户名从 user1 到 user10,那么初始化脚本就是:
for i in {1..10} do useradd user${i} su -c \ "google-authenticator -t -f -d -w 17 -r 3 -R 30 -q" \ user${i} cat /home/user${i}/.google_authenticator | \ mail -s "your .google_authenticator is:" \ user${i}@xxx.com done
这里注意,在用户数据初始化的最后部分,将生成的 .google_authenticator 发给了每个用户自己。
四、优化
4.1 不足之处
上面的环境即使在内网还是需要二次认证;所以这个好解决,将允许本地局域网直接登录系统。
4.2 解决内网主机跳过二次认证
编辑pam.d下的sshd 文件,在第一行增加内容,主要是指定允许的主机信息文件,如下所示:
[root@kbsonlong ~]# more -2 /etc/pam.d/sshd auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-localhost.conf auth required pam_google_authenticator.so no_increment_hotp
然后在/etc/security/目录下创建access-localhost.conf文件,并添加内容如下:
[root@kbsonlong ~]# cat /etc/security/access-localhost.conf # skipped local network for google auth... + : ALL : 192.168.150.0/24 + : ALL : LOCAL - : ALL : ALL
最后,重启sshd 服务
[root@kbsonlong ~]# systemctl restart sshd
4.3 测试,内网主机登陆便直接使用密钥登陆了。
sk:~ kbsonlong$ ssh root@192.168.150.125 Password: Last login: Sun May 07 17:21:46 2018 from 192.168.150.101