当前位置：首页 > news >正文

[svc]ssh+gg二步认证

news 来源：原创 2024/4/26 0:44:11

1,安装依赖

yum install python-pip -y
pip install docutils 
yum install gcc python-devel subversion pam pam-devel  -y

2,下载git包

cd /home/lanny/tools/
unzip google-authenticator-master.zip 
cd google-authenticator-master
cd libpam/
./bootstrap.sh 
./configure 
make
make install

3,配置文件

ll /lib64/security
google-authenticator，则复制到/usr/local/bin
ll /usr/local/bin/google-authenticator

#pl2pm /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn

4,为root用户生成google验证码

[root@vpnserver ~]# google-authenticator 
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@vpnserver%3Fsecret%3D7ZSEKQI6W7GJXDDBEBJJINHY3Q%26issuer%3Dvpnserver
Your new secret key is: 7ZSEKQI6W7GJXDDBEBJJINHY3Q
Your verification code is 496552
Your emergency scratch codes are:
  70752164
  63976717
  73442435
  67261408
  95454901

修改pam.d
[root@vpnserver pam.d]# cat /etc/pam.d/sshd 
#%PAM-1.0
auth       required     pam_google_authenticator.so <---追加
auth       required pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth


=================================================
修改ssh配置:

vim /etc/ssh/sshd_config
 83 ChallengeResponseAuthentication yes

测试:手机下载google身份验证器,登陆(root用户哦)

====================================================
为jss生成:
jss 密码 sss
===============
[jss@vpnserver ~]$ google-authenticator 
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/jss@vpnserver%3Fsecret%3DLNS6P7ONML6LCOFPKXW4OFWYS4%26issuer%3Dvpnserver
Your new secret key is: LNS6P7ONML6LCOFPKXW4OFWYS4
Your verification code is 755883
Your emergency scratch codes are:
  41886633
  49746589
  44517353
  13151010
  41992403
=========================
注意:
1.如果无法登陆
cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
2,
Google身份验证器每隔三十秒就会变的。这就实现了动态验证码的功能。
3,5个紧急验证码,用一个少一个.

4,
默认情况下，令牌只在30秒内有效，由于客户端和服务器时间不完全一致的因素，可以将时间窗口加大到最长4分钟
5,是否限制尝试次数，每30秒只能尝试最多3次：
6, google-authenticator针对单用户

参考

回滚为初始ssh状态

[root@vpnserver ~]# cat /etc/pam.d/ssh
cat: /etc/pam.d/ssh: No such file or directory
[root@vpnserver ~]# cat /etc/pam.d/sshd 
#%PAM-1.0
#auth       required     pam_google_authenticator.so # 注释掉即可