Adding Google two-step verification to SSH on CentOS
This article was last updated 2702 days ago; the information in it may have since developed or changed.

The Bandwagon Host VPS I bought for getting over the "wall" was compromised. The password I had set was probably too simple; the box was turned into a zombie host, someone set up an SMTP mail system on it and sent huge volumes of spam. I only bought it to get over the wall, was that really necessary? The consequence, naturally, was that Bandwagon Host noticed and shut the VPS down outright, then emailed me saying not to let it happen again...... as if I were the one who did it!

So now I want to make the VPS relatively safe. Well, there is no such thing as absolute security.

For how the Google Authenticator works, see: http://www.zhihu.com/question/20462696/answer/18731073?utm_campaign=rss&utm_medium=rss&utm_source=rss&utm_content=title

Clients currently available:
Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
iOS: https://itunes.apple.com/cn/app/google-authenticator/id388497605

1. Install dependencies

yum -y install mercurial pam-devel

2. Download, compile and install google authenticator

wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2 
cd libpam-google-authenticator-1.0
make && make install

3. Configure

cp pam_google_authenticator.so /etc/pam.d/     ## this must be copied into the /etc/pam.d/ directory

vim /etc/pam.d/sshd                            ## edit the login authentication file
auth required pam_google_authenticator.so      ## add this as the first line

vim /etc/ssh/sshd_config                       ## edit the /etc/ssh/sshd_config configuration file

ChallengeResponseAuthentication yes 
UsePAM yes


Once the configuration is done, run the command: google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DIROR73FZN6VGPRMA
Your new secret key is: IROR78AZN6VGPRMA     ## the secret key; if the QR code URL above does not open, you can use this instead
Your verification code is 066451              ## not sure what this is for
Your emergency scratch codes are:        ## emergency scratch codes; if you don't have your phone with you, these come in handy.
29394833
72337263
97202244
28255132
90836618

Do you want me to update your "/root/.google_authenticator" file (y/n) y   ## whether to update the configuration file

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y         ## disallow multiple uses of the same token

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor    ## how often the code changes: 30 seconds
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.  ## attempt limit: 3 times
Do you want to enable rate-limiting (y/n) y
