Two-factor authentication
Introduction to Google Authenticator
Normally we connect to a server over ssh by typing the password directly, but that is easy to brute-force. Combining Google's one-time verification code with the ssh password greatly improves login security. Put simply, when a user logs in over ssh they first enter the Google one-time code and then enter the server's ssh password.
## gitlab, jumpserver, servers, zabbix ...
Deploying Google Authenticator
# Install dependencies
yum -y install pam-devel libpng-devel autoconf automake libtool
# Download the source
### Domestic (China) mirror
wget http://test.driverzeng.com/other/1.04.tar.gz
### Upstream source
wget https://github.com/google/google-authenticator-libpam/archive/1.04.tar.gz
# Extract the source
[root@web02 ~]# tar xf 1.04.tar.gz
# 进入工作目录
[root@web02 ~]# cd google-authenticator-libpam-1.04/
# Bootstrap the build
./bootstrap.sh
# Generate the Makefile
./configure
# Compile and install
make && make install
# Verify the plugin was installed
ll /usr/local/lib/security/
total 136
-rwxr-xr-x 1 root root 1021 May 21 08:59 pam_google_authenticator.la
-rwxr-xr-x 1 root root 133552 May 21 08:59 pam_google_authenticator.so
# Copy the installed module into the system PAM library directory
cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/
Generating the Google Authenticator secret
## Run the command: google-authenticator
Do you want authentication tokens to be time-based (y/n) y # enter y
Do you want me to update your "/root/.google_authenticator" file? (y/n) y # enter y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y # enter y
Do you want to do so? (y/n) y # enter y
Do you want to enable rate-limiting? (y/n) y # enter y
## Whether to update the user's Google Authenticator config file: choose y so that the choices above take effect for the current root user. In practice this just writes a .google_authenticator file in the user's home directory; to disable Google Authenticator for a user, delete the .google_authenticator file from that user's home directory.
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
# Should each generated code be usable by only one person at a time? Choose y here.
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
# A new token is generated every 30s; the window can be widened to tolerate up to 4 minutes of clock skew.
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
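An added example, not part of the original notes: a pure-Python TOTP verifier (RFC 6238, HMAC-SHA1, 30 s step, 6 digits, which is what google-authenticator uses) that makes the window-size and single-use prompts above concrete. The secret used here is the RFC 6238 test vector, not a real one; `verify()`, its `window_size` argument and the `used_counters` set are my own names that model the module's WINDOW_SIZE and DISALLOW_REUSE behaviour, written from the RFC algorithm rather than copied from the PAM module's source.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Set

STEP_SECONDS = 30   # the mobile app rotates the token every 30 seconds
DIGITS = 6          # google-authenticator codes are 6 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


def decode_base32_secret(text: str) -> bytes:
    """The shared secret is exchanged base32-encoded; re-add the padding the tool omits."""
    text = text.strip().upper().replace(" ", "")
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify(secret: bytes, code: str, unix_time: int,
           window_size: int = 3, used_counters: Optional[Set[int]] = None) -> bool:
    """Accept `code` if it matches any time step inside the skew window.

    window_size counts permitted codes, the way the google-authenticator prompt
    phrases it: 3 = previous, current and next step (+-30 s); 17 = +-8 steps
    (+-4 minutes).  Passing a `used_counters` set models DISALLOW_REUSE: a step
    whose code has already been accepted cannot be used a second time.
    """
    half = window_size // 2
    current = unix_time // STEP_SECONDS
    for counter in range(current - half, current + half + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            if used_counters is not None:
                if counter in used_counters:
                    return False          # replayed within the window: rejected
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (constructed/public test data, never use as a real secret)
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("accepted 30 s later (window 3):", verify(secret, code, 89))
    print("accepted 60 s later (window 3):", verify(secret, code, 119))
    print("accepted 60 s later (window 17):", verify(secret, code, 119, window_size=17))
```

The one-time property the page asks you to enable (DISALLOW_REUSE) is what the `used_counters` set enforces: a stolen code that is replayed inside the same 30-second window is refused, which is why the prompt says it helps you notice a man-in-the-middle.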
Adding Google 2FA to ssh
# Edit the PAM config file
vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_google_authenticator.so
## #%PAM-1.0 is a comment that states the PAM version the file follows.
## auth required pam_google_authenticator.so specifies a PAM auth module, requiring the one-time password (OTP) from Google Authenticator to be verified at SSH login.
Modify the sshd config to hook in Google authentication
# Edit the config file
vim /etc/ssh/sshd_config
:69 ------ line 69
# change no to yes
ChallengeResponseAuthentication no -----> yes
# Restart the ssh service
systemctl restart sshd
## In the SSH config file /etc/ssh/sshd_config, changing ChallengeResponseAuthentication from no to yes enables challenge-response authentication. This is normally part of a two-factor setup such as PAM (Pluggable Authentication Modules) or Google Authenticator.
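An added check, not part of the original notes: it parses a constructed sshd_config excerpt and a constructed /etc/pam.d/sshd and confirms the settings the two-factor login depends on. Besides the two edits above it also checks UsePAM yes, because the PAM module can only run when sshd delegates authentication to PAM (RHEL's shipped sshd_config already sets it, which is why the notes never had to touch it), and it accepts KbdInteractiveAuthentication, the name newer OpenSSH releases use for ChallengeResponseAuthentication. The function names and the sample files are mine.

```python
import re
from typing import List, Optional

# Constructed sample files that mirror the edits described in the notes.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed excerpt)
Port 22
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""

SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth required pam_google_authenticator.so
auth       substack     password-auth
"""


def sshd_option(config_text: str, keyword: str) -> Optional[str]:
    """Return the effective value of an sshd_config keyword.

    sshd matches keywords case-insensitively, ignores '#' comments, and uses
    the FIRST value it sees for a keyword, so a later duplicate does not win.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def pam_enforces_otp(pam_text: str) -> bool:
    """True if an active 'auth' line makes pam_google_authenticator mandatory."""
    for raw in pam_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if (len(fields) >= 3 and fields[0] == "auth"
                and fields[1] in ("required", "requisite")
                and fields[2].endswith("pam_google_authenticator.so")):
            return True
    return False


def audit(sshd_text: str, pam_text: str) -> List[str]:
    """Return a list of findings; an empty list means the setup matches the notes."""
    findings = []
    cra = sshd_option(sshd_text, "ChallengeResponseAuthentication")
    kbd = sshd_option(sshd_text, "KbdInteractiveAuthentication")   # newer spelling
    if not any((v or "").lower() == "yes" for v in (cra, kbd)):
        findings.append("challenge-response/keyboard-interactive auth is not enabled")
    if (sshd_option(sshd_text, "UsePAM") or "").lower() != "yes":
        findings.append("UsePAM is not yes, so the PAM module will never run")
    if not pam_enforces_otp(pam_text):
        findings.append("/etc/pam.d/sshd has no active 'auth required pam_google_authenticator.so'")
    return findings


if __name__ == "__main__":
    print("sample config findings:", audit(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD))
    broken = SAMPLE_SSHD_CONFIG.replace("UsePAM yes", "UsePAM no")
    print("with UsePAM no:", audit(broken, SAMPLE_PAM_SSHD))
```

To run it against a live host, read /etc/ssh/sshd_config and /etc/pam.d/sshd into the two strings; the first-value-wins rule in `sshd_option` matters in practice, because a stray `ChallengeResponseAuthentication no` above your edit at line 69 would silently keep the prompt disabled.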
Verifying Google two-factor authentication
# Connect remotely from another machine
[root@web01 ~]# ssh root@10.0.0.8
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:086q8NqRUTkXtvcfy0QckL5pD2RrVUo9qCu6lum+8gI.
ECDSA key fingerprint is MD5:81:cc:e8:88:ad:35:53:7d:07:22:9c:44:2a:6a:a2:2e.
Verifying from Xshell
# On the first connection you are asked whether to continue connecting: enter yes
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
# Enter the Google verification code
Verification code:
# Enter the root user's password
Password:
Last failed login: Tue May 21 09:59:30 CST 2024 from 10.0.0.1 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Tue May 21 09:52:10 2024 from 10.0.0.1
# Logged in successfully
[root@web02 ~]#