Ubuntu: two-factor SSH authentication with the Google Authenticator PAM module

Tencent Cloud server, Ubuntu 20.04


#First check whether a google-authenticator package is available
ubuntu@2004  ~]$ apt search google-authenticator
Sorting... Done
Full Text Search... Done
libpam-google-authenticator/focal,now 20170702-2 amd64 [installed]
  Two-step verification
#
ubuntu@2004  ~]$ apt info libpam-google-authenticator
Package: libpam-google-authenticator
Version: 20170702-2
Priority: optional
Section: universe/admin
Source: google-authenticator
Origin: Ubuntu
Maintainer: Ubuntu Developers 
Original-Maintainer: Janos Lenart 
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 123 kB
Depends: libc6 (>= 2.14), libpam0g (>= 0.99.7.1), libqrencode4
Homepage: https://github.com/google/google-authenticator/
Download-Size: 33.7 kB
APT-Manual-Installed: yes
APT-Sources: http://mirrors.tencentyun.com/ubuntu focal/universe amd64 Packages
Description: Two-step verification
 The Google Authenticator project includes implementations of one-time
 passcode generators for several mobile platforms, as well as a
 pluggable authentication module (PAM). One-time passcodes are generated
 using open standards developed by the Initiative for Open
 Authentication (OATH) (which is unrelated to OAuth).
 .
 These implementations support the HMAC-Based One-time Password (HOTP)
 algorithm specified in RFC 4226 and the Time-based One-time Password
 (TOTP) algorithm currently in draft.

#On CentOS this package comes from the EPEL repository, so on CentOS install EPEL first
#yum -y install epel-release.noarch
#yum makecache
#yum install -y google-authenticator.x86_64

#Install
ubuntu@2004  ~]$ sudo apt -y install libpam-google-authenticator
#In /etc/pam.d/sshd, modify or add the following line and save
#auth required pam_google_authenticator.so
sed -i '1a\auth       required     pam_google_authenticator.so' /etc/pam.d/sshd
#Edit /etc/ssh/sshd_config and find the line
#ChallengeResponseAuthentication no
#change it to
#ChallengeResponseAuthentication yes
sed -i 's/.*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config

  1. Search the phone's app store for "Authenticator" (Android: 身份验证器) or "authenticator" (iPhone) and install the app
  2. Run the script (it needs network access to the EPEL repo); what it really does is modify /etc/pam.d/sshd to add Google's PAM module
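The two sed commands above do the job, but they are not idempotent: the `1a` insertion adds another PAM line every time it runs, and the blanket substitution also rewrites commented-out lines. The script below is an added example (not from the original post) that makes the same two edits only when needed, keeps the PAM line ahead of `@include common-auth` so the verification code is asked before the password (as in the login transcript later in the post), and audits the result, including `UsePAM`, which must be `yes` or sshd never calls the PAM stack at all. File paths are parameters so it can be run against copies; the real files are /etc/pam.d/sshd and /etc/ssh/sshd_config (edit those as root), and the script assumes sshd_config has no Match block overriding the option. `run_demo()` applies the edits twice to constructed copies of the two files to show the second pass is a no-op.

```python
# Added example (not from the original post): idempotent versions of the two config edits
# plus an audit. Paths are parameters so it can be run against copies; the real files are
# /etc/pam.d/sshd and /etc/ssh/sshd_config (run as root there). Assumes no Match block in
# sshd_config overrides the option being set.
import re
import tempfile
from pathlib import Path
from typing import Optional

PAM_LINE = "auth       required     pam_google_authenticator.so"


def pam_module_enabled(pam_sshd: str) -> bool:
    """True if the pam_google_authenticator line is already present (whitespace-insensitive)."""
    return any(l.split() == PAM_LINE.split() for l in Path(pam_sshd).read_text().splitlines())


def enable_pam_module(pam_sshd: str) -> bool:
    """Add the PAM line once, ahead of '@include common-auth' so the OTP prompt comes
    before the password prompt. Returns True only if the file was modified."""
    if pam_module_enabled(pam_sshd):
        return False
    path = Path(pam_sshd)
    lines = path.read_text().splitlines()
    idx = next((i for i, l in enumerate(lines) if l.strip().startswith("@include common-auth")), 0)
    lines.insert(idx, PAM_LINE)
    path.write_text("\n".join(lines) + "\n")
    return True


def _directive(key: str):
    # Matches an active (uncommented) 'Key value' line; sshd keywords are case-insensitive.
    return re.compile(rf"^\s*{re.escape(key)}\s+(\S+)", re.IGNORECASE)


def active_value(sshd_config: str, key: str) -> Optional[str]:
    """First active value for key, mirroring sshd's first-occurrence-wins rule; None if unset."""
    pat = _directive(key)
    for line in Path(sshd_config).read_text().splitlines():
        m = pat.match(line)
        if m:
            return m.group(1)
    return None


def set_sshd_option(sshd_config: str, key: str, value: str) -> bool:
    """Set 'key value' on the first active line, comment out later duplicates, append if absent.
    Commented-out examples such as '#ChallengeResponseAuthentication no' are left untouched."""
    path = Path(sshd_config)
    lines = path.read_text().splitlines()
    pat = _directive(key)
    changed = seen = False
    for i, line in enumerate(lines):
        if not pat.match(line):
            continue
        if not seen:
            seen = True
            if line.strip() != f"{key} {value}":
                lines[i] = f"{key} {value}"
                changed = True
        else:
            lines[i] = "#" + line  # sshd would ignore a later duplicate anyway; make that visible
            changed = True
    if not seen:
        lines.append(f"{key} {value}")
        changed = True
    if changed:
        path.write_text("\n".join(lines) + "\n")
    return changed


def audit(pam_sshd: str, sshd_config: str) -> dict:
    """Check that the second factor actually takes effect: PAM line present, challenge-response
    on, and UsePAM yes (OpenSSH's compiled-in default is no, so an absent line counts as no)."""
    return {
        "pam_module": pam_module_enabled(pam_sshd),
        "challenge_response": (active_value(sshd_config, "ChallengeResponseAuthentication") or "").lower() == "yes",
        "use_pam": (active_value(sshd_config, "UsePAM") or "no").lower() == "yes",
    }


def run_demo() -> dict:
    """Apply the edits twice to constructed copies of the two files; the second pass must be a no-op."""
    with tempfile.TemporaryDirectory() as tmp:
        pam = str(Path(tmp, "sshd"))
        cfg = str(Path(tmp, "sshd_config"))
        # Constructed excerpts resembling the stock Ubuntu 20.04 files.
        Path(pam).write_text("# PAM configuration for the Secure Shell service\n\n"
                             "# Standard Un*x authentication.\n@include common-auth\n")
        Path(cfg).write_text("#ChallengeResponseAuthentication no\n"
                             "ChallengeResponseAuthentication no\nUsePAM yes\n")
        first = (enable_pam_module(pam), set_sshd_option(cfg, "ChallengeResponseAuthentication", "yes"))
        second = (enable_pam_module(pam), set_sshd_option(cfg, "ChallengeResponseAuthentication", "yes"))
        return {"first_changed": first, "second_changed": second, "audit": audit(pam, cfg),
                "pam_lines": Path(pam).read_text().splitlines(),
                "sshd_lines": Path(cfg).read_text().splitlines()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Run `audit("/etc/pam.d/sshd", "/etc/ssh/sshd_config")` after the edits and before restarting sshd; if any value is False the verification-code prompt will not appear, and restarting anyway locks in a configuration that silently skips the second factor.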
#Run google-authenticator to set up the account
ubuntu@2004  ~]$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ubuntu@2004%3Fsecret%3DW5PC3JG4RE5Y7LRKIQ4B2JFZSY%26issuer%3D2004
#Opening the URL above shows the QR code; it is hosted by Google, so reaching it requires a way around the Great Firewall

After running it a QR code appears; open the authenticator app you installed on the phone and scan the code to bind the phone to the server.
The five 8-digit codes printed next are emergency scratch codes and must be saved. They are stored in /root/.google_authenticator, and you can edit that file yourself, for example to add 66666666.


ubuntu@2004  ~]$ cat .google_authenticator
W5PC3JG4RE5Y7LRKIQ4B2JFZSY
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
17485342
35897552
92463368
57258945
20707299
66666666  
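To see what the server actually checks against this file, here is an added Python example (not from the post or the google-authenticator project) that parses the .google_authenticator listing above, computes RFC 6238 TOTP codes from the secret on its first line, and applies the file's options the way this example assumes the PAM module does: WINDOW_SIZE 17 accepts the current 30-second step plus 8 steps on either side, DISALLOW_REUSE rejects a step that has already been accepted, and each 8-digit scratch code is accepted exactly once. The real module writes used steps and consumed scratch codes back to the file; this example keeps that state in memory. SAMPLE_FILE is the post's own listing used as sample input, and RFC_TEST_SECRET is the RFC 4226/6238 test-vector key so the TOTP arithmetic can be checked against a published value.

```python
# Added example (not from the post or the google-authenticator project): parse a
# .google_authenticator file and check codes the way this example assumes the PAM module
# does: RFC 6238 TOTP, SHA-1, 30 s step, 6 digits; WINDOW_SIZE w accepts steps from
# -((w-1)//2) to w//2 around the current one; DISALLOW_REUSE rejects a step that already
# succeeded; each 8-digit scratch code works once. The real module persists used steps and
# removed scratch codes back to the file; here that state lives in memory.
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30
DIGITS = 6

# The post's own listing of ~/.google_authenticator, reproduced as sample input.
SAMPLE_FILE = """W5PC3JG4RE5Y7LRKIQ4B2JFZSY
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
17485342
35897552
92463368
57258945
20707299
66666666
"""

# RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890"), base32-encoded.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # the file stores it unpadded
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / 30)."""
    return hotp(secret_b32, unix_time // TIME_STEP)


class AuthenticatorFile:
    def __init__(self, text: str):
        lines = [l.strip() for l in text.splitlines() if l.strip()]
        self.secret = lines[0]          # first line: base32 TOTP secret
        self.options = {}               # '" NAME args...' lines
        self.scratch_codes = []         # 8-digit emergency codes
        for line in lines[1:]:
            if line.startswith('"'):
                name, *args = line[1:].split()
                self.options[name] = args
            elif len(line) == 8 and line.isdigit():
                self.scratch_codes.append(line)
        self.used_steps = set()         # steps already accepted (DISALLOW_REUSE)

    def window(self) -> range:
        w = int(self.options.get("WINDOW_SIZE", ["3"])[0])
        return range(-((w - 1) // 2), w // 2 + 1)

    def verify(self, code: str, unix_time=None) -> bool:
        """Accept a scratch code (once) or a TOTP code inside the window (once per step)."""
        if code in self.scratch_codes:
            self.scratch_codes.remove(code)   # the module deletes it from the file
            return True
        if "TOTP_AUTH" not in self.options:
            return False
        now = int(time.time()) if unix_time is None else unix_time
        step = now // TIME_STEP
        for delta in self.window():
            candidate = step + delta
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if "DISALLOW_REUSE" in self.options and candidate in self.used_steps:
                    return False
                self.used_steps.add(candidate)
                return True
        return False


if __name__ == "__main__":
    af = AuthenticatorFile(SAMPLE_FILE)
    print("current code for the post's secret:", totp(af.secret, int(time.time())))
    print("RFC 6238 vector at t=59:", totp(RFC_TEST_SECRET, 59))
```

Two things this makes concrete: a window of 17 means a code stays valid for roughly four minutes either side of the server clock, which is why clock drift between phone and server usually does not lock you out, and a scratch code is consumed the moment it succeeds, so keep the list somewhere you can reach without the phone.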

Now open the Google Authenticator app on the phone and scan the QR code to bind it; when binding succeeds the app shows what is in the screenshot below.


[screenshot: authenticator app after a successful bind (image not reproduced)]
#Restart the sshd service
service sshd restart
#Log in from a Mac to verify; here I use a CentOS 8 VM, but the server behaves the same way
bogon:~ wangxw$ ssh [email protected]
Verification code:    #enter the temporary code from the app here as the second factor; one of the emergency codes from /root/.google_authenticator also works, but each is one-time
Password:  #enter the server password
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Dec 29 16:42:39 2020 from 10.0.0.1
root@8  ~]#
