Ansible 安全 之【ssh登錄二次驗(yàn)證】

本次二次認(rèn)證方式使用 Google 身份驗(yàn)證器

資源

谷歌身份驗(yàn)證器pam
https://github.com/google/google-authenticator-libpam

移動(dòng)app源碼
https://github.com/google/google-authenticator

Google 身份驗(yàn)證器商店地址
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

Google 身份驗(yàn)證器app下載地址
https://storage.evozi.com/apk/dl/16/09/05/com.google.android.apps.authenticator2.apk?h=4FgH1NXU1UokEVwXN5sVBw&t=1499507124

服務(wù)器配置

同步時(shí)間

/usr/sbin/ntpdate asia.pool.ntp.org >>/var/log/ntpdate.log

安裝依賴包

yum install pam-devel make gcc-c++ wget -y

下載谷歌身份驗(yàn)證器包

wget https://github.com/google/google-authenticator-libpam/archive/1.03.tar.gz

編譯安裝

tar zxf 1.03.tar.gz 
cd google-authenticator-libpam-1.03/
./bootstrap.sh
./configure 
make 
make install

復(fù)制google 身份驗(yàn)證器pam模塊到系統(tǒng)下

cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/

修改ssh的pam登錄模塊為pam_google_authenticator.so

# cat /etc/pam.d/sshd 
#%PAM-1.0
#auth      required pam_sepermit.so
auth       required pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

修改ChallengeResponseAuthentication 為yes

sed -i 's#^ChallengeResponseAuthentication no#ChallengeResponseAuthentication yes#' /etc/ssh/sshd_config

生成key,手機(jī)app上添加賬戶所需要的。

./google-authenticator 

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@node1%3Fsecret%3D6GY7RPMXCVWN6HHVSSX4XM3WWssuer%3Dnode1          ## 二維碼
Your new secret key is: 6GY7RPMXCVWN6HHVSSX4XM3WWI    ## 密鑰
Your verification code is 467014
Your emergency scratch codes are:    ##后備驗(yàn)證碼保存好,永久可用。
  66339556
  56534014
  64738014
  23546970
  43468735

Do you want me to update your "/root/.google_authenticator" file? (y/n) y  ## 配置文件

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y 

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

重啟ssh服務(wù)

service sshd restart

重啟后,不要關(guān)閉當(dāng)前窗口,以免配置錯(cuò)誤出現(xiàn)登錄不了服務(wù)器。

手機(jī)端配置

本次使用安卓手機(jī),下載app并安裝。蘋果手機(jī)在蘋果商店里搜索google authenticator并安裝。

添加帳號(hào)

image.png
image.png

輸入剛才生成的key

image.png

點(diǎn)擊添加

image.png

這時(shí),點(diǎn)擊完成后,可以看到?jīng)]美30秒一次變換的驗(yàn)證碼

image.png

ssh命令登錄

[root@master ~]# ssh 192.168.77.129
Verification code:                                   # 先輸入app上的驗(yàn)證碼
Password:                                                # 在輸入root密碼
Last login: Sat Jul  8 15:55:59 2017 from 192.168.77.1
[root@node1 ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:7D:D4:7A  
          inet addr:192.168.77.129  Bcast:192.168.77.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe7d:d47a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:275309 errors:0 dropped:0 overruns:0 frame:0
          TX packets:165531 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:298600746 (284.7 MiB)  TX bytes:24281004 (23.1 MiB)

xshell客戶端登錄

設(shè)置登陸方法為Keyboard Interactive

image.png

先輸入谷歌驗(yàn)證碼

!](http://upload-images.jianshu.io/upload_images/3629406-fa7479e63a30209c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

在輸入root密碼

image.png

成功登錄

image.png
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

  • Android 自定義View的各種姿勢(shì)1 Activity的顯示之ViewRootImpl詳解 Activity...
    passiontim閱讀 178,781評(píng)論 25 709
  • Spring Cloud為開發(fā)人員提供了快速構(gòu)建分布式系統(tǒng)中一些常見模式的工具(例如配置管理,服務(wù)發(fā)現(xiàn),斷路器,智...
    卡卡羅2017閱讀 136,506評(píng)論 19 139
  • 在漫漫歷史長(zhǎng)河中,足球給我們帶來了太多的快樂與喜悅,但同樣也給我們帶來了一些痛苦和難忘的回憶。北京時(shí)間11...
    伊菡聊球閱讀 418評(píng)論 0 1
  • 前天,我剛從考場(chǎng)出來就收到了我閨蜜發(fā)來的微信,她說:她的男朋友在未來的計(jì)劃的沒有她,而且他說家人最重要,他的未來也...
    歐陽雨軒閱讀 360評(píng)論 0 2
  • c與php閱讀 143評(píng)論 0 0

友情鏈接更多精彩內(nèi)容