Linux: two-factor user authentication with Google Authenticator

Published: 2019-Mar-22
1. Introduction: what is two-factor authentication

Two-factor authentication is an identity-verification system that only works when something you know is combined with something you have. The variant used here relies on time synchronisation: a one-time password derived from three variables (time, event and key) replaces the traditional static password. Every token has a unique key, and the same key is stored on the server. At each authentication the token and the server independently compute the one-time password from the same key, the same varying parameter (time or event counter) and the same algorithm, so the two values agree and the user is authenticated.

Put plainly, it is like the password tokens banks handed out a few years ago, or the 将军令 (General's Token) used by NetEase games: when you use online banking or log in to the game you are asked for an extra dynamic code.

2. Product types

There are hardware-based and software-based products on the market; search for the details yourself. I prefer open-source software and found Google's open-source two-step verification system, Google Authenticator OpenSource, which uses a smartphone to generate 30-second one-time codes for logging in to Linux. The authenticator produces a six-digit one-time password, and clients are available for both iOS and Android.

3. Goal

When logging in to the Linux server, the dynamic code is entered first; only after it is accepted does the user enter the account password. If the code fails, local password authentication is not attempted.

4. Basics and deployment steps

4.1 Environment:
OS: CentOS 7 (minimal install)
IP: 192.168.1.125

4.2 Software required:
chrony
pam-devel
libpam-google-authenticator-1.0-source.tar.bz2
qrencode-3.4.4
libpng, libpng-devel

4.3 Deployment

4.3.1 Install the development tools; the later steps compile from source, so gcc and the required libraries are needed:
[root@test ~]# yum groupinstall 'Development Tools' -y

4.3.2 Install the PAM development package:
[root@test ~]# yum install pam-devel -y

4.3.3 Install chrony. The dynamic codes depend on the time, so the clocks must be kept consistent. Briefly: chrony is an alternative implementation of the Network Time Protocol (NTP); unlike the NTP daemon (ntpd) it can synchronise the system clock faster and more accurately. If you want to use ntp instead, install it separately. Install chronyd and add a domestic NTP server that works well to its configuration file (around line 6; see the project's official site):
[root@test ~]# yum install chrony -y
[root@test ~]# vim /etc/chrony.conf
…
server 2.cn.pool.ntp.org iburst

Restart the service and check synchronisation (note: 202.118.1.130 is the NTP server added in the previous step):
[root@test ~]# systemctl restart chronyd
[root@test ~]# chronyc sources
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 202.118.1.130                 2   6    17    54    -58us[ +132us] +/-   85ms
^+ news.neu.edu.cn               2   6    17    54   +542us[ +732us] +/-   89ms
^- dns1.synet.edu.cn             2   6   251    46    +25ms[  +25ms] +/-   60ms

4.3.4 Download the software from Google's GitHub:
[root@test ~]# git clone https://github.com/google/google-authenticator.git
正克隆到 'google-authenticator'...
remote: Counting objects: 1415, done.
remote: Total 1415 (delta 0), reused 0 (delta 0), pack-reused 1415
接收对象中: 100% (1415/1415), 2.33 MiB | 86.00 KiB/s, done.
处理 delta 中: 100% (741/741), done.

Enter the directory just cloned and install:
[root@test ~]# cd google-authenticator/libpam/

Compile and install:
[root@test libpam]# ./bootstrap.sh
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
libtoolize: copying file `build/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
configure.ac:11: installing 'build/config.guess'
configure.ac:11: installing 'build/config.sub'
configure.ac:8: installing 'build/install-sh'
configure.ac:8: installing 'build/missing'
Makefile.am: installing 'build/depcomp'
parallel-tests: installing 'build/test-driver'
[root@test libpam]# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking whether make supports nested variables... yes
checking dependency style of gcc... gcc3
checking whether to enable maintainer-specific portions of Makefiles... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands '+='... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking for gcc option to accept ISO C99... -std=gnu99
checking for gcc -std=gnu99 option to accept ISO Standard C... (cached) -std=gnu99
checking sys/fsuid.h usability... yes
checking sys/fsuid.h presence... yes
checking for sys/fsuid.h... yes
checking for setfsuid... yes
checking for security/pam_appl.h... yes
checking for security/pam_modules.h... yes
checking for pam_get_user in -lpam... yes
checking whether certain PAM functions require const arguments... yes
checking for library containing dlopen... -ldl
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating contrib/rpm.spec
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

google-authenticator version 1.01
 Prefix.........: /usr/local
 Debug Build....:
 C Compiler.....: gcc -std=gnu99 -g -O2
 Linker.........: /usr/bin/ld -m elf_x86_64 -ldl

[root@test libpam]# make && make install
make  all-am
make[1]: 进入目录“/root/google-authenticator/libpam”
/bin/sh ./libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-pam_google_authenticator.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-pam_google_authenticator.Tpo -c -o src/pam_google_authenticator_la-pam_google_authenticator.lo `test -f 'src/pam_google_authenticator.c' || echo './'`src/pam_google_authenticator.c
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-pam_google_authenticator.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-pam_google_authenticator.Tpo -c src/pam_google_authenticator.c  -fPIC -DPIC -o src/.libs/pam_google_authenticator_la-pam_google_authenticator.o
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-pam_google_authenticator.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-pam_google_authenticator.Tpo -c src/pam_google_authenticator.c -o src/pam_google_authenticator_la-pam_google_authenticator.o >/dev/null 2>&1
mv -f src/.deps/pam_google_authenticator_la-pam_google_authenticator.Tpo src/.deps/pam_google_authenticator_la-pam_google_authenticator.Plo
/bin/sh ./libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-base32.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-base32.Tpo -c -o src/pam_google_authenticator_la-base32.lo `test -f 'src/base32.c' || echo './'`src/base32.c
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-base32.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-base32.Tpo -c src/base32.c  -fPIC -DPIC -o src/.libs/pam_google_authenticator_la-base32.o
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-base32.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-base32.Tpo -c src/base32.c -o src/pam_google_authenticator_la-base32.o >/dev/null 2>&1
mv -f src/.deps/pam_google_authenticator_la-base32.Tpo src/.deps/pam_google_authenticator_la-base32.Plo
/bin/sh ./libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-hmac.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-hmac.Tpo -c -o src/pam_google_authenticator_la-hmac.lo `test -f 'src/hmac.c' || echo './'`src/hmac.c
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-hmac.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-hmac.Tpo -c src/hmac.c  -fPIC -DPIC -o src/.libs/pam_google_authenticator_la-hmac.o
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-hmac.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-hmac.Tpo -c src/hmac.c -o src/pam_google_authenticator_la-hmac.o >/dev/null 2>&1
mv -f src/.deps/pam_google_authenticator_la-hmac.Tpo src/.deps/pam_google_authenticator_la-hmac.Plo
/bin/sh ./libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-sha1.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-sha1.Tpo -c -o src/pam_google_authenticator_la-sha1.lo `test -f 'src/sha1.c' || echo './'`src/sha1.c
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-sha1.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-sha1.Tpo -c src/sha1.c  -fPIC -DPIC -o src/.libs/pam_google_authenticator_la-sha1.o
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/pam_google_authenticator_la-sha1.lo -MD -MP -MF src/.deps/pam_google_authenticator_la-sha1.Tpo -c src/sha1.c -o src/pam_google_authenticator_la-sha1.o >/dev/null 2>&1
mv -f src/.deps/pam_google_authenticator_la-sha1.Tpo src/.deps/pam_google_authenticator_la-sha1.Plo
/bin/sh ./libtool --tag=CC --mode=link gcc -std=gnu99 -g -O2 -avoid-version -module -shared -export-dynamic -export-symbols-regex 'pam_sm_(setcred|open_session|authenticate)' -o pam_google_authenticator.la -rpath /usr/local/lib/security src/pam_google_authenticator_la-pam_google_authenticator.lo src/pam_google_authenticator_la-base32.lo src/pam_google_authenticator_la-hmac.lo src/pam_google_authenticator_la-sha1.lo -lpam -ldl
libtool: link: /usr/bin/nm -B src/.libs/pam_google_authenticator_la-pam_google_authenticator.o src/.libs/pam_google_authenticator_la-base32.o src/.libs/pam_google_authenticator_la-hmac.o src/.libs/pam_google_authenticator_la-sha1.o | sed -n -e 's/^.*[ ]([ABCDGIRSTW][ABCDGIRSTW]*)[ ][ ]*([_A-Za-z][_A-Za-z0-9]*)$/  /p' | sed '/ __gnu_lto/d' | /usr/bin/sed 's/.* //' | sort | uniq > .libs/pam_google_authenticator.exp
libtool: link: /usr/bin/grep -E -e 'pam_sm_(setcred|open_session|authenticate)' '.libs/pam_google_authenticator.exp' > '.libs/pam_google_authenticator.expT'
libtool: link: mv -f '.libs/pam_google_authenticator.expT' '.libs/pam_google_authenticator.exp'
libtool: link: echo '{ global:' > .libs/pam_google_authenticator.ver
libtool: link: cat .libs/pam_google_authenticator.exp | sed -e 's/(.*)/;/' >> .libs/pam_google_authenticator.ver
libtool: link: echo 'local: *; };' >> .libs/pam_google_authenticator.ver
libtool: link: gcc -shared  -fPIC -DPIC  src/.libs/pam_google_authenticator_la-pam_google_authenticator.o src/.libs/pam_google_authenticator_la-base32.o src/.libs/pam_google_authenticator_la-hmac.o src/.libs/pam_google_authenticator_la-sha1.o  -lpam -ldl  -O2   -Wl,-soname -Wl,pam_google_authenticator.so -Wl,-version-script -Wl,.libs/pam_google_authenticator.ver -o .libs/pam_google_authenticator.so
libtool: link: ( cd '.libs' && rm -f 'pam_google_authenticator.la' && ln -s '../pam_google_authenticator.la' 'pam_google_authenticator.la' )
depbase=`echo src/google-authenticator.o | sed 's|[^/]*$|.deps/&|;s|.o$||'`;\
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/google-authenticator.o -MD -MP -MF $depbase.Tpo -c -o src/google-authenticator.o src/google-authenticator.c &&\
mv -f $depbase.Tpo $depbase.Po
depbase=`echo src/base32.o | sed 's|[^/]*$|.deps/&|;s|.o$||'`;\
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/base32.o -MD -MP -MF $depbase.Tpo -c -o src/base32.o src/base32.c &&\
mv -f $depbase.Tpo $depbase.Po
depbase=`echo src/hmac.o | sed 's|[^/]*$|.deps/&|;s|.o$||'`;\
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/hmac.o -MD -MP -MF $depbase.Tpo -c -o src/hmac.o src/hmac.c &&\
mv -f $depbase.Tpo $depbase.Po
depbase=`echo src/sha1.o | sed 's|[^/]*$|.deps/&|;s|.o$||'`;\
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -g -O2 -MT src/sha1.o -MD -MP -MF $depbase.Tpo -c -o src/sha1.o src/sha1.c &&\
mv -f $depbase.Tpo $depbase.Po
/bin/sh ./libtool --tag=CC --mode=link gcc -std=gnu99 -g -O2 -o google-authenticator src/google-authenticator.o src/base32.o src/hmac.o src/sha1.o -ldl
libtool: link: gcc -std=gnu99 -g -O2 -o google-authenticator src/google-authenticator.o src/base32.o src/hmac.o src/sha1.o -ldl
make[1]: 离开目录“/root/google-authenticator/libpam”
make[1]: 进入目录“/root/google-authenticator/libpam”
 /usr/bin/mkdir -p '/usr/local/bin'
 /bin/sh ./libtool --mode=install /usr/bin/install -c google-authenticator '/usr/local/bin'
libtool: install: /usr/bin/install -c google-authenticator /usr/local/bin/google-authenticator
 /usr/bin/mkdir -p '/usr/local/share/doc/google-authenticator'
 /usr/bin/install -c -m 644 FILEFORMAT README.md '/usr/local/share/doc/google-authenticator'
 /usr/bin/mkdir -p '/usr/local/share/doc/google-authenticator'
 /usr/bin/install -c -m 644 totp.html '/usr/local/share/doc/google-authenticator'
 /usr/bin/mkdir -p '/usr/local/lib/security'
 /bin/sh ./libtool --mode=install /usr/bin/install -c pam_google_authenticator.la '/usr/local/lib/security'
libtool: install: /usr/bin/install -c .libs/pam_google_authenticator.so /usr/local/lib/security/pam_google_authenticator.so
libtool: install: /usr/bin/install -c .libs/pam_google_authenticator.lai /usr/local/lib/security/pam_google_authenticator.la
libtool: finish: PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/sbin' ldconfig -n /usr/local/lib/security
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/lib/security

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[1]: 离开目录“/root/google-authenticator/libpam”

After installation, configure the system's PAM stack so that sshd uses Google's authentication; this requires every user to pass Google verification as part of SSH authentication. Add the following as the first line of the sshd file:
[root@test ~]# vim /etc/pam.d/sshd
auth required pam_google_authenticator.so no_increment_hotp

Configure the sshd service in /etc/ssh/sshd_config, changing mainly these three values:
[root@test ~]# vim /etc/ssh/sshd_config
...
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

Note: here is an error that came up during testing.
[root@test ~]# tail -40f /var/log/secure
....
May 21 13:43:01 test sshd[3344]: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
May 21 13:43:01 test sshd[3344]: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so
May 21 13:43:03 test sshd[3346]: pam_succeed_if(sshd:auth): requirement 'uid >= 1000' not met by user 'root'

Fix: create a symbolic link (this is required), or simply copy the module across:
[root@test ~]# ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

Then restart the sshd service:
[root@test ~]# systemctl restart sshd

4.3.5 Install the QR-code generator. This step can be skipped: without it, the next step prints a link instead of a QR code; paste that link into your browser and the QR code appears, then scan it with Google Authenticator on your phone.
[root@test ~]# wget -c http://fukuchi.org/works/qrencode/qrencode-3.4.4.tar.gz
[root@test ~]# tar zxvf qrencode-3.4.4.tar.gz
[root@test ~]# cd qrencode-3.4.4
[root@test qrencode-3.4.4]# yum install libpng libpng-devel
[root@test qrencode-3.4.4]# ./configure
[root@test qrencode-3.4.4]# make && make install

4.3.6 Set up a user as follows. Run the google-authenticator command; it generates a new secret key in the home directory of the currently logged-in user.
[root@test qrencode-3.4.4]# cd ~
[root@test ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@test%3Fsecret%3DSLZTXLFJ5KT5TWMP%26issuer%3Dtest
Your new secret key is: SLZTXLFJ5KT5TWMP
Your verification code is 237785
Your emergency scratch codes are:
  50173529
  93655635
  54015704
  20609194
  92637519

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n)
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Five "y" answers are needed in total:
1st: whether you want a time-based token.
2nd: whether to update your Google authentication file; since this is the first setup, definitely answer y.
3rd: whether to disallow reuse of the same code; choose y to forbid it and guard against man-in-the-middle replay.
4th: by default a code is valid for 30 s; this widens the tolerance for clock differences between the host and the code client. Answer y or n depending on how strict you need to be.
5th: whether to enable an attempt limit; by default no more than 3 login attempts in 30 s, which guards against brute-force guessing.

These settings are stored in the user's ~/.google_authenticator file. The five emergency scratch codes are for when your dynamic code is unavailable; keep them safe and remember that each one becomes invalid after a single use. They can be regenerated later after logging in.

If you skipped step 4.3.5 (qrencode), copy the link above and paste it into the browser address bar to generate the QR code, then open the Google Authenticator app on your phone and scan it, as shown in the figure below:
[figure: the authenticator app after scanning the QR code; not reproduced here]
From the figure, the authentication image was scanned successfully, and the machine's host name appears beneath the dynamic code.

5. Testing

5.1 Log out of the current user and log in again.

6. Improvements

6.1 Shortcomings
- With the setup above, two-step verification is required even from the internal network.
- It depends on the network: the host must be able to reach Google's servers (generally just having internet access is enough; it was not blocked here), so this is easy to solve.

6.2 Let internal hosts skip two-step verification
Edit the sshd file under pam.d and add a line at the top that points to a file listing the allowed hosts, like so:
[root@test ~]# more -2 /etc/pam.d/sshd
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-localhost.conf
auth required pam_google_authenticator.so no_increment_hotp

Then create access-localhost.conf in /etc/security/ with the following content:
[root@test ~]# cat /etc/security/access-localhost.conf
# skipped local network for google auth...
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL

Finally, restart the sshd service:
[root@test ~]# systemctl restart sshd

6.3 Test: an internal host now logs in directly with its key.
lk:~ yifeng$ ssh [email protected]
Last login: Sun May 22 02:21:46 2016 from 192.168.1.101

6.4 Conclusion
Judging from the deployment above, it is not especially hard, quite simple in fact, and there are many use cases: a company's internal bastion hosts, or the virtual hosts for personal websites and blogs. It adds an extra layer of protection to the system and strengthens the security of a personal server.

This article is original; please credit the source if you repost it. Thank you.

References:
https://github.com/google/google-authenticator
http://www.zhihu.com/question/20462696
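The mechanism described in section 1 and the three choices made in 4.3.6 (window size, "disallow multiple uses", rate limiting) can be shown end to end in a few dozen lines. The Python below is an added example written for this page; it is not the google-authenticator project's code. It implements HOTP/TOTP as the standards define them (HMAC-SHA1 over the 30-second step counter, dynamic truncation to six digits), builds the otpauth:// URI that the QR code in 4.3.6 encodes, and adds a small server-side Verifier that models the module's options. The secret used is the RFC 4226 reference key in base32 form, chosen because its expected codes are published; the Verifier's internals (a set of already-accepted steps, a list of recent attempt timestamps) are this example's own assumptions about how to realise those options, not a description of the module's file format.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 4226 reference key "12345678901234567890", base32-encoded the way
# google-authenticator prints secrets. Constructed test value, not a real secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret_b32, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % 10 ** digits)


def totp(secret_b32, unix_time, step=STEP_SECONDS):
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, unix_time // step)


def otpauth_uri(label, secret_b32, issuer):
    """The otpauth:// URI carried in the QR code of step 4.3.6 (label such as root@test)."""
    return "otpauth://totp/%s?secret=%s&issuer=%s" % (quote(label, safe="@"), secret_b32, quote(issuer))


class Verifier:
    """Server-side check modelled on the google-authenticator prompts:
    window = number of accepted steps centred on now (3 is the default, 17 the wide option),
    accepted steps are remembered so a code cannot be replayed, and attempts are
    rate-limited to max_attempts per interval seconds (the default 3 per 30 s)."""

    def __init__(self, secret_b32, window=3, max_attempts=3, interval=30):
        self.secret = secret_b32
        self.window = window
        self.max_attempts = max_attempts
        self.interval = interval
        self.used_steps = set()   # steps whose code was already accepted (assumed bookkeeping)
        self.attempts = []        # timestamps of recent attempts (assumed bookkeeping)

    def verify(self, code, now):
        # Rate limit first, so guesses cannot exceed max_attempts per interval.
        self.attempts = [t for t in self.attempts if now - t < self.interval]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)

        step = now // STEP_SECONDS
        half = self.window // 2
        for candidate in range(step - half, step + half + 1):
            # Constant-time comparison; each accepted code is tied to exactly one step.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate in self.used_steps:
                    return "replayed"   # "disallow multiple uses of the same token"
                self.used_steps.add(candidate)
                return "ok"
        return "bad-code"


if __name__ == "__main__":
    v = Verifier(RFC_SECRET_B32)
    code = totp(RFC_SECRET_B32, 59)
    print(code, v.verify(code, 59), v.verify(code, 60))
```

With the default window of 3 the code for the previous step is still accepted, which is exactly the skew tolerance the fourth prompt widens to 17 steps; with window=1 that same code is rejected, which is why chrony in 4.3.3 matters. The replay check is what the third prompt buys you: a captured code is useless once it has been accepted.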
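The two-line PAM stack in section 6.2 is easy to misread, so here is an added Python example (not part of the original post and not pam_access itself) that walks that stack for a given user and origin: `[success=1 default=ignore]` means a pam_access success jumps over the next module (the Google Authenticator line), while any other result is ignored and the stack falls through to it. The access.conf parsing and origin matching are a deliberately simplified model, an assumption of this example: only ALL, LOCAL, CIDR networks and exact strings are handled, and LOCAL is treated as an origin without a dot (a console or tty name), which is the classic rule; real pam_access matching is broader. The no-match default is the documented pam_access behaviour: access is granted, which is why the final "- : ALL : ALL" line in the post's file is essential.

```python
import ipaddress

# Constructed copy of the access file from section 6.2, comment line included.
ACCESS_LOCALHOST_CONF = """\
# skipped local network for google auth...
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""


def parse_access_conf(text):
    """Parse access.conf lines of the form  permission : users : origins ."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def origin_matches(pattern, origin):
    """Simplified origin matching (assumption: ALL, LOCAL, CIDR and exact strings only)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # Assumption: LOCAL = origin without a dot or colon, i.e. a console/tty name.
        return "." not in origin and ":" not in origin
    if "/" in pattern:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False   # origin is not an IP address, so a network cannot match it
    return pattern == origin


def access_permits(rules, user, origin):
    """First matching rule wins. With no match pam_access grants access."""
    for allow, users, origins in rules:
        if any(u in ("ALL", user) for u in users) and any(origin_matches(p, origin) for p in origins):
            return allow
    return True


def otp_required(rules, user, origin):
    """Walk the sshd auth stack from 6.2:
         auth [success=1 default=ignore] pam_access.so accessfile=...
         auth required pam_google_authenticator.so no_increment_hotp
    Returns True when the login reaches the Google Authenticator module."""
    stack = ["pam_access", "pam_google_authenticator"]
    pc = 0
    while pc < len(stack):
        if stack[pc] == "pam_access":
            # success=1: skip one module; default=ignore: fall through, result not counted
            pc += 2 if access_permits(rules, user, origin) else 1
        elif stack[pc] == "pam_google_authenticator":
            return True
    return False


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_LOCALHOST_CONF)
    for origin in ("192.168.1.101", "203.0.113.7", "tty1"):
        print(origin, "OTP required" if otp_required(rules, "root", origin) else "OTP skipped")
```

The last assertion in the accompanying check is the one worth keeping in mind when editing the file: drop the trailing deny-all line and pam_access succeeds for every origin, so nobody is ever asked for a code.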

