In the information age, server security has become a top priority. Linux hosts are reached over SSH, and a host with a weak password is easily broken into by brute force. This article shows how to use Google Authenticator, a powerful two-factor authentication tool, so that after entering the username and password for an SSH login you must also enter a dynamic verification code from the phone app before the login succeeds. The configuration is walked through with a real example.

Synchronize the Linux clock first. By default a dynamic verification code is valid for 30 seconds, and the client and server may not agree on the time, so synchronizing the clock prevents a time difference with the phone from blocking the login:
[root@knode1 ~]# ntpdate pool.ntp.org
5 Dec 23:00:32 ntpdate[6583]: step time server 84.16.73.33 offset -9.050575 sec
The test system for this article uses yum (CentOS/RHEL). Run the following commands in a terminal to install the Google Authenticator PAM module on your Linux system:
yum -y install epel-release # CentOS/RHEL
sudo yum install google-authenticator # CentOS/RHEL
Edit the SSH server configuration file:
sudo vi /etc/ssh/sshd_config
Make sure the following lines are set to yes:
ChallengeResponseAuthentication yes
UsePAM yes
Save and exit.
Run the following command to perform the initial Google Authenticator configuration for the specified user (run it as the user that will log in; here it is root, so the secret is written to /root/.google_authenticator):
[root@knode1 ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@knode1%3Fsecret%3D55624OUOSZPCU5XZP64KSX2BKE%26issuer%3Dknode1
Your new secret key is: 55624OUOSZPCU5XZP64KSX2BKE # the key to add in the Google Authenticator app
Your verification code is 340500
Your emergency scratch codes are:
41836466
27541454
93396333
53788584
26617777
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app. # tokens expire after 30s by default
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
Answer the questions as prompted. At the end a QR code and a set of emergency backup codes are generated. Note the key shown above; alternatively, add the account to the Authenticator app by scanning the QR code.
Edit the PAM configuration file to bring in the Google Authenticator module: open /etc/pam.d/sshd with vi and add the following line at the end of the file:
auth required pam_google_authenticator.so
Save and exit.
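The prompts above describe three behaviours of the PAM module: a new 30-second token, a skew window of 3 or 17 accepted codes, and single use of each token. The following added example (not code from the google-authenticator project) implements RFC 6238 TOTP verification in Python with those two knobs, so the effect of the window and replay settings can be seen directly; the secret is the constructed RFC 6238 test seed, not the key from the session above.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per token, as stated by the google-authenticator prompt

# Constructed secret: base32 of the RFC 6238 test seed "12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30s counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def counter_at(ts: float) -> int:
    """Time counter for a Unix timestamp (RFC 6238 with T0 = 0)."""
    return int(ts // STEP)


class TotpVerifier:
    """window=1 accepts 3 codes (default); window=8 accepts 17 codes.
    disallow_reuse mirrors 'disallow multiple uses of the same token'."""

    def __init__(self, secret_b32: str, window: int = 1, disallow_reuse: bool = True):
        self.secret = secret_b32
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.used_counters = set()  # counters whose code was already accepted

    def verify(self, code: str, ts: float) -> bool:
        now = counter_at(ts)
        for c in range(max(0, now - self.window), now + self.window + 1):
            if hmac.compare_digest(totp_code(self.secret, c), code):
                if self.disallow_reuse and c in self.used_counters:
                    return False  # replayed token: rejected even though it matches
                self.used_counters.add(c)
                return True
        return False  # no code inside the skew window matched


if __name__ == "__main__":
    print("current code:", totp_code(DEMO_SECRET, counter_at(time.time())))
```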