- Download Google's authentication module
# wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
(Google Code has since been shut down; the module is now maintained at https://github.com/google/google-authenticator-libpam, and the build steps below are the same.)
- Install dependent packages
# yum -y install wget gcc make pam-devel libpng-devel
- Unzip and compile the installation
# tar xvf libpam-google-authenticator-1.0-source.tar.bz2
# cd libpam-google-authenticator-1.0
# make
# make install
- Enable the verification mechanism
For example, to add a second authentication factor to the account lw, first generate that user's key by running google-authenticator as lw (the key and settings are written to that user's home directory):
$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
The first question asks whether the tokens should be time-based; answer y. The tool then prints the secret key, a QR-code URL for it, the code that is valid right now, and five emergency scratch codes. The scratch codes are for logging in when the phone is unavailable; each one works only once, so keep them in a safe place together with the key. The output looks like this:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/<user@host>%3Fsecret%3D3V7K2ONO55DE56SD
Your new secret key is: 3V7K2ONO55DE56SD
Your verification code is 424380
Your emergency scratch codes are:
96307775
87311306
56915688
84694809
27875014
Note that the chart URL carries the secret in its query string, so opening it in a browser sends the secret to Google's chart service (which has since been retired anyway). If libqrencode is installed, the tool also draws the QR code directly in the terminal, which keeps the secret on the machine.
You are then asked whether to update the configuration file for this user; answer y:
Do you want me to update your "/home/jss/.google_authenticator" file (y/n) y
Next, whether to forbid logging in twice with the same token:
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default a token is valid for 30 seconds, and to tolerate clock skew between the client and the server the module also accepts the token immediately before and after the current one (a window of about 1.5 minutes). The window can be widened to about 4 minutes, but every extra step makes a guessed or intercepted code valid for longer, so answer n here unless you have a real time-synchronisation problem that NTP cannot fix:
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
Finally, limit login attempts to at most 3 every 30 seconds:
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
After the key has been generated, add the module to the PAM configuration for SSH by editing /etc/pam.d/sshd:
# vim /etc/pam.d/sshd
Add this as the first line:
auth required pam_google_authenticator.so
Because the line comes first and is marked required, the verification code is requested before the password; with required, a wrong code does not abort the stack, so the password is still asked for and the login simply fails at the end without revealing which factor was wrong.
Then edit the SSH daemon configuration, /etc/ssh/sshd_config:
# vim /etc/ssh/sshd_config
Change ChallengeResponseAuthentication no to ChallengeResponseAuthentication yes. UsePAM yes must also be in effect (it is the default on CentOS/RHEL); without it the keyboard-interactive prompt never reaches PAM and the module is never consulted.
Then restart the SSH service so the change takes effect.
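The PAM and sshd_config edits above as a script, added here as an example and not code from the original post: each edit is a function that takes the file path, so it can be rehearsed on copies before touching the live files. The --apply switch, the SysV-style service sshd restart (the yum-based system of the post) and the assumption that the directives are global, i.e. not inside a Match block, are my choices, not the post's.

```shell
#!/bin/sh
# Added example (not from the original post): the /etc/pam.d/sshd and
# /etc/ssh/sshd_config changes as idempotent functions taking a file path.
# Assumptions: directives are global (not inside a "Match" block), and the
# service is restarted SysV-style with "service sshd restart".

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY anything" line (a commented-out "#KEY anything"
# default counts too) to "KEY VALUE", drops later duplicates (sshd only honours
# the first value anyway) and appends the directive if the file has none.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # ignore indent and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps owner and mode of the original
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_sshd_option FILE KEY: prints the effective value (first live directive)
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# add_pam_google_auth FILE: put the module first in the auth stack, exactly once
add_pam_google_auth() {
    file=$1
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$file" && return 0
    tmp=$(mktemp) || return 1
    { printf 'auth required pam_google_authenticator.so\n'; cat "$file"; } > "$tmp" \
        && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# apply_ssh_2fa SSHD_CONFIG PAM_SSHD: the three changes described in the post
apply_ssh_2fa() {
    set_sshd_option "$1" ChallengeResponseAuthentication yes || return 1
    # keyboard-interactive is only handed to PAM (and so to the module) when UsePAM is on
    set_sshd_option "$1" UsePAM yes || return 1
    add_pam_google_auth "$2"
}

# Usage: "sh this.sh --apply" as root edits the live files, validates them with
# "sshd -t" and restarts sshd; without --apply nothing on the system is touched,
# so the functions can be tried on copies first.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    apply_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd \
        && sshd -t \
        && service sshd restart
fi
```

Keep a second SSH session open while restarting so a mistake in either file does not lock you out; sshd -t refuses to restart on a syntactically broken sshd_config, but it cannot tell you that the PAM line is wrong.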
When the lw user now logs in to the server over SSH, a verification code is requested before the password:
$ ssh -p 52113 10.51.76.191
Verification code:
- Add the verification-code client on the phone
Install the Google Authenticator app on your phone (or another TOTP app, such as the one called Onion). Add an account in the app; it offers two ways to do so: scan a barcode (the QR code) or enter the key by hand. Either works.
Where do these two things come from? Both are in the output google-authenticator printed before its questions: the first line is the URL that opens the QR-code image, which you can scan, and the next line is the secret key. If the URL does not open, choose "enter key" and type the secret instead.
Once the account has been added, the phone shows a six-digit verification code that changes every 30 seconds. At login you enter the verification code first and then the password; only when both are correct does the login succeed.
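To see what the phone app and the PAM module actually compute from that secret, here is an added example, not code from the post or from the module: it derives the six-digit code from the base32 secret with HMAC-SHA1 over the 30-second time step (RFC 4226/6238, the scheme both sides share) and then applies the server-side policy chosen in the prompts earlier: a skew window of one step on either side, refusal of a time step that has already logged someone in, and scratch codes spent on first use. The function and variable names are mine; the secret 3V7K2ONO55DE56SD in the demo is the one from the transcript, and the checks use the published RFC test vectors.

```shell
#!/bin/sh
# Added example (not code from the original post or the PAM module): HOTP/TOTP
# code derivation plus the verification policy a server applies to it.
# Needs sh, awk and openssl (for HMAC-SHA1).

# b32_to_hex BASE32: decode the secret the way the app does (RFC 4648 alphabet)
b32_to_hex() {
    printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ' | awk '
    BEGIN { a = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" }
    {
        bits = 0; nbits = 0; out = ""
        for (i = 1; i <= length($0); i++) {
            v = index(a, substr($0, i, 1)) - 1
            if (v < 0) exit 1                      # not a base32 character
            bits = bits * 32 + v; nbits += 5
            while (nbits >= 8) {                   # emit every completed byte
                nbits -= 8
                byte = int(bits / (2 ^ nbits))
                bits -= byte * (2 ^ nbits)
                out = out sprintf("%02x", byte)
            }
        }
        print out
    }'
}

# counter_bytes N: the 8-byte big-endian counter that is MACed
counter_bytes() {
    c=$1; esc=""; i=0
    while [ "$i" -lt 8 ]; do
        esc=$(printf '\\%03o' $(( c % 256 )))$esc  # one octal escape per byte, low byte last
        c=$(( c / 256 )); i=$(( i + 1 ))
    done
    printf "$esc"
}

# hotp KEY_HEX COUNTER: HMAC-SHA1, dynamic truncation, six decimal digits
hotp() {
    mac=$(counter_bytes "$2" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }')
    offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))   # low nibble of the last byte
    start=$(( offset * 2 + 1 )); end=$(( start + 7 ))  # four bytes from that offset
    word=$(( 0x$(printf '%s' "$mac" | cut -c"$start-$end") & 0x7fffffff ))
    printf '%06d' $(( word % 1000000 ))
}

# Server-side state; the real module keeps the equivalent in ~/.google_authenticator
USED_STEPS=""      # time steps that already produced a successful login
SCRATCH_CODES=""   # unused emergency codes, space separated
WINDOW=1           # accept step-1, step, step+1: the default 1:30 min window

# verify_code KEY_HEX CODE NOW_EPOCH: exit 0 if accepted, updating the state above
verify_code() {
    key=$1; code=$2; step=$(( $3 / 30 ))
    # scratch codes are tried first and removed once used
    rest=""; hit=""
    for s in $SCRATCH_CODES; do
        if [ "$s" = "$code" ] && [ -z "$hit" ]; then hit=1; else rest="$rest $s"; fi
    done
    if [ -n "$hit" ]; then SCRATCH_CODES=${rest# }; return 0; fi
    d=$(( 0 - WINDOW ))
    while [ "$d" -le "$WINDOW" ]; do
        t=$(( step + d ))
        if [ "$t" -ge 0 ] && [ "$(hotp "$key" "$t")" = "$code" ]; then
            case " $USED_STEPS " in
                *" $t "*) return 2 ;;              # replay: this step already logged in
            esac
            USED_STEPS="$USED_STEPS $t"
            return 0
        fi
        d=$(( d + 1 ))
    done
    return 1                                       # nothing matched within the window
}

# Demo with the secret from the transcript: the phone side computes the code for
# "now"; the server side accepts it once and refuses the replay.
KEY_HEX=$(b32_to_hex 3V7K2ONO55DE56SD)
NOW=$(date +%s)
CODE=$(hotp "$KEY_HEX" $(( NOW / 30 )))
verify_code "$KEY_HEX" "$CODE" "$NOW" && echo "code $CODE accepted"
verify_code "$KEY_HEX" "$CODE" "$NOW" || echo "replay of $CODE refused"
```

Widening the time window in the earlier prompt corresponds to raising WINDOW here: every extra step is another 30-second slot in which a guessed or captured code is accepted, which is why the default is worth keeping when the clocks are in sync.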
- Connecting with tools such as SecureCRT
1. If you log in with the SecureCRT client, go to Connection > SSH2 > Authentication and move "Keyboard Interactive" to the first position in the list; otherwise the connection fails, because the verification code is delivered through the keyboard-interactive method.
2. The configuration above does not apply to logins with SSH public-key authentication: even with the PAM line in place, a key-based login is never asked for a verification code, because OpenSSH skips the PAM auth stack for the publickey method. If key-based users should also present a code, set AuthenticationMethods publickey,keyboard-interactive in sshd_config (OpenSSH 6.2 or later), which requires both methods in turn.
Google Authenticator strengthens Linux account security