
Adding Google two-step verification to SSH on CentOS

  • iansiu
  • 2015-01-25

The Bandwagon Host VPS I bought for getting over the "Wall" was compromised, probably because the password I set was too simple. Someone turned it into a zombie, set up an SMTP mail system on it and sent out a huge amount of spam. I only bought it to get over the wall; was that really necessary? The result, of course, was that Bandwagon Host noticed, shut the VPS down outright and emailed me saying it had better not happen again...... It wasn't even me who did it!

So now I want to make the VPS at least relatively secure. Well, there is no such thing as absolute security.

For how Google Authenticator works, see: http://www.zhihu.com/question/20462696/answer/18731073?utm_campaign=rss&utm_medium=rss&utm_source=rss&utm_content=title

Available clients:
Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
iOS: https://itunes.apple.com/cn/app/google-authenticator/id388497605

1. Install dependencies

yum -y install mercurial pam-devel

2. Download, build and install google-authenticator

wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make && make install

3. Configure

cp pam_google_authenticator.so /etc/pam.d/     ## the author copies the module into /etc/pam.d/; note that PAM loads modules from the system security directory (/lib/security or /lib64/security), which make install already populates

vim /etc/pam.d/sshd                            ## edit the SSH login authentication file
auth required pam_google_authenticator.so      ## add this as the first line

vim /etc/ssh/sshd_config                       ## edit the /etc/ssh/sshd_config configuration file

ChallengeResponseAuthentication yes
UsePAM yes

Restart sshd afterwards so the new settings take effect, and keep an existing SSH session open while testing the new login so that a mistake in the PAM or sshd configuration does not lock you out.


Once the configuration is done, run the command: google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DIROR73FZN6VGPRMA
Your new secret key is: IROR78AZN6VGPRMA     ## the secret key; if the QR-code URL above will not open, enter this instead
Your verification code is 066451              ## no idea what this one is for
Your emergency scratch codes are:        ## emergency codes, useful when you do not have your phone with you.
29394833
72337263
97202244
28255132
90836618

Do you want me to update your "/root/.google_authenticator" file (y/n) y   ## whether to update the config file

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y         ## disallow multiple uses of the same token

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor    ## how often the code changes: every 30 seconds
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.  ## attempt limit: 3
Do you want to enable rate-limiting (y/n) y
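Added example, not from this post or from the pam_google_authenticator project: a simplified Python model of how the answers above end up in ~/.google_authenticator and how the module then checks a code (clock-skew window, single-use scratch codes, no token reuse, rate limiting). The file layout and option names follow the module's format, but the verifier is a teaching model rather than the PAM code; the secret is the RFC 6238 test key, and the two scratch codes are taken from the output above.

```python
import base64, hashlib, hmac, struct

# Constructed sample of ~/.google_authenticator (RFC 6238 test key, not a real secret); option lines mirror the prompts above.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
29394833
72337263
"""

def parse_auth_file(text):
    """Return (base32 secret, {option: args}, [scratch codes]) from the file text."""
    lines = text.splitlines()
    secret, opts, scratch = lines[0].strip(), {}, []
    for ln in lines[1:]:
        if ln.startswith('" '):                 # option lines begin with a double quote
            name, *args = ln[2:].split()
            opts[name] = args
        elif ln.strip().isdigit():              # remaining numeric lines are scratch codes
            scratch.append(ln.strip())
    return secret, opts, scratch

def totp(secret_b32, step):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for one 30-second time step."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1000000)

class Verifier:
    # Simplified model of the checks pam_google_authenticator makes; not the module itself.
    def __init__(self, text):
        self.secret, self.opts, self.scratch = parse_auth_file(text)
        self.used_steps, self.attempts = set(), []

    def verify(self, code, now):
        limit, per = map(int, self.opts.get("RATE_LIMIT", ["0", "30"]))
        self.attempts = [t for t in self.attempts if now - t < per] + [now]
        if limit and len(self.attempts) > limit:
            return False                        # rate limit: too many attempts per period
        if code in self.scratch:
            self.scratch.remove(code)           # emergency scratch codes are single-use
            return True
        half = (int(self.opts.get("WINDOW_SIZE", ["3"])[0]) - 1) // 2   # default: +/-1 step
        step = now // 30
        for k in range(step - half, step + half + 1):   # tolerate client/server clock skew
            if hmac.compare_digest(totp(self.secret, k), code):
                if "DISALLOW_REUSE" in self.opts and k in self.used_steps:
                    return False                # the same token may not log in twice
                self.used_steps.add(k)
                return True
        return False
```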


© 2023 laowang's blog