Google Authenticator on CentOS: configuring a dynamic verification code for SSH login

Source: Internet
Author: User
Tags: bz2 ssh centos mercurial

Note:

1. Normally an account name and a password are all that is needed to log on to a server over SSH.

2. Purpose of this tutorial: add a verification code between the account name and the password. You can log on only after entering both the correct verification code and the correct password, which strengthens SSH logon.
3. Logon fails if any one of the three (account name, verification code, or password) is wrong or missing.
4. Verification code: a time-based one-time code generated by an app on the mobile phone; by default a new code is produced every 30 seconds.
5. End result: to log on to the server remotely over SSH you need the correct account name, the password, and the phone that was enrolled with the account's secret and therefore produces its codes (Android and iOS phones are supported).

Specific operations:

Operating system: CentOS

I. Disable SELinux

vi /etc/selinux/config

#SELINUX=enforcing        # comment out
#SELINUXTYPE=targeted     # comment out
SELINUX=disabled          # add
:wq!                      # save and exit
setenforce 0              # make the change take effect immediately

Caveat: disabling SELinux weakens the whole host, not just SSH. The usual reason tutorials do it here is that an enforcing policy can stop sshd from reading the .google_authenticator file in the user's home directory, so the code prompt never appears. If you would rather keep SELinux enforcing, skip this step, test a login, and look for a denial in /var/log/audit/audit.log before deciding.

II. Install and configure the toolkit

1. Install the build tools from the default CentOS yum repositories

yum install wget gcc make
yum install pam-devel libpng-devel       # pam-devel for the PAM module, libpng-devel for qrencode
2. Add the RepoForge third-party yum repository and install the mercurial package (only needed if you fetch the PAM module source with hg; the tarball route in step 3 does not use it)
Pick the package that matches your CentOS release and architecture.
CentOS 5.x
rpm -ivh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.i386.rpm
rpm -ivh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.x86_64.rpm
CentOS 6.x
rpm -ivh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm
rpm -ivh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
yum install mercurial                    # install
3. Install the Google Authenticator PAM module

cd /usr/local/src
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Note: you can also download libpam-google-authenticator-1.0-source.tar.bz2 elsewhere and upload it to /usr/local/src before installing.
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2   # extract
cd libpam-google-authenticator-1.0       # enter the directory
make                                     # compile
make install                             # install

Caveat: Google Code and RepoForge no longer serve these files. The module is now maintained at https://github.com/google/google-authenticator-libpam and is packaged in EPEL as google-authenticator (yum install google-authenticator), which installs both pam_google_authenticator.so and the google-authenticator enrollment command. The configuration steps below are the same whichever way the module is installed.

4. Install qrencode, a tool that draws a QR code on the Linux command line

cd /usr/local/src
wget http://fukuchi.org/works/qrencode/qrencode-3.4.4.tar.gz   # download
tar zxf qrencode-3.4.4.tar.gz            # extract
cd qrencode-3.4.4                        # enter the directory
./configure --prefix=/usr                # configure
make                                     # compile
make install                             # install

5. Configure the SSH service to call the Google Authenticator PAM module

vi /etc/pam.d/sshd                       # edit; add the following as the first line of the file
auth required pam_google_authenticator.so
:wq!                                     # save and exit
vi /etc/ssh/sshd_config                  # edit
ChallengeResponseAuthentication yes      # change no to yes (UsePAM yes must also be set; it is the CentOS default)
:wq!                                     # save and exit

sshd -t                                  # syntax-check sshd_config before restarting
service sshd restart                     # restart the SSH service for the configuration to take effect

Caveats: keep an already-open SSH session alive while you restart sshd and test a fresh login from a second terminal, so that a mistake in the PAM stack cannot lock you out of the server. Using "required" rather than "requisite" means a wrong verification code does not abort authentication on the spot: the password prompt still appears and the login is refused only at the end, so an attacker cannot tell which factor failed. Finally, this PAM stack is only consulted for keyboard-interactive (password) logins; a client that authenticates with an SSH public key is not asked for a code. On OpenSSH 6.2 and later, AuthenticationMethods publickey,keyboard-interactive can require both.
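Step 5 is two hand edits of files where a mistake locks you out, so here is an added example (not from the original page) that makes the same two changes as pure text transformations you can inspect and test before anything is written to disk. It encodes the two rules worth knowing: the module line must be the first active line of the PAM stack, and sshd honours only the first active occurrence of a keyword in the global section of sshd_config, so a ChallengeResponseAuthentication no that precedes your yes silently wins, while a setting inside a Match block applies only to the matched connections. The file paths in the main guard are the ones from this tutorial; the rewrite_file helper and the sample configuration text used in testing are this example's own.

```python
"""Idempotent edits for /etc/pam.d/sshd and /etc/ssh/sshd_config, done on
file contents as strings so they can be reviewed (and unit-tested) first.
Added example; not the tutorial's or the PAM module's own code."""
import re

PAM_MODULE = "pam_google_authenticator.so"
PAM_LINE = "auth required " + PAM_MODULE


def enable_pam_google_auth(pam_sshd: str) -> str:
    """Put 'auth required pam_google_authenticator.so' at the top of the sshd
    PAM stack unless an active (uncommented) line already loads the module."""
    for line in pam_sshd.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and PAM_MODULE in fields:
            return pam_sshd  # already configured; do not add a second prompt
    return PAM_LINE + "\n" + pam_sshd


def _is_match_block(line: str) -> bool:
    # 'Match ...' opens a conditional block that runs to the end of the file
    return re.match(r"\s*match\b", line, re.IGNORECASE) is not None


def _keyword_re(keyword: str):
    # sshd keywords are case-insensitive; 'Key value' and 'Key=value' both count
    return re.compile(r"^\s*(#\s*)?" + re.escape(keyword) + r"(\s+|\s*=\s*)(\S.*)?$",
                      re.IGNORECASE)


def effective_sshd_option(sshd_config: str, keyword: str):
    """Value sshd will actually use: the FIRST active occurrence in the global
    section. Later duplicates are ignored; Match blocks are conditional."""
    pat = _keyword_re(keyword)
    for line in sshd_config.splitlines():
        if _is_match_block(line):
            break
        m = pat.match(line)
        if m and not m.group(1):
            return (m.group(3) or "").strip()
    return None


def set_sshd_option(sshd_config: str, keyword: str, value: str) -> str:
    """Make 'keyword value' the first active occurrence in the global section.
    A commented default is replaced in place, later active duplicates are
    commented out (sshd ignores them, but they mislead the next reader), and
    Match blocks are left untouched."""
    pat = _keyword_re(keyword)
    new_line = f"{keyword} {value}"
    out, done, in_match = [], False, False
    for line in sshd_config.splitlines():
        if _is_match_block(line):
            in_match = True
            if not done:
                out.append(new_line)  # must precede the first Match block
                done = True
        m = None if in_match else pat.match(line)
        if m:
            if not done:
                out.append(new_line)  # first occurrence, active or commented
                done = True
                continue
            if not m.group(1):
                line = "#" + line     # neutralise a later active duplicate
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"


def rewrite_file(path: str, transform) -> bool:
    """Apply transform to a file, keeping a .bak copy. Returns True if changed.
    (Hypothetical helper; run as root, then 'sshd -t' before restarting sshd.)"""
    with open(path) as f:
        old = f.read()
    new = transform(old)
    if new != old:
        with open(path + ".bak", "w") as f:
            f.write(old)
        with open(path, "w") as f:
            f.write(new)
    return new != old


if __name__ == "__main__":
    rewrite_file("/etc/pam.d/sshd", enable_pam_google_auth)
    rewrite_file("/etc/ssh/sshd_config",
                 lambda t: set_sshd_option(t, "ChallengeResponseAuthentication", "yes"))
```

Run it once as root, then sshd -t and service sshd restart, with an existing session kept open until a fresh login has been verified to ask for the code.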

6. Use the google-authenticator tool to create the dynamic verification code secret for the SSH logon account

Note: the secret is per account. Switch to the account that must use a verification code before running the command; the file is written into that account's home directory.
google-authenticator                     # run this command
Do you want authentication tokens to be time-based (y/n) y    # asked whether the tokens should be time-based; answer y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/osyunwei@osyunwei%3Fsecret%3DAXNRWARYQPHI5EAJ
Your new secret key is: AXNRWARYQPHI5WYU
Your verification code is 199255
Your emergency scratch codes are:
21767982
60638828
24009000
44681673
28015662
# The URL above is the address of a QR code image of the secret (it needs access to google.com, which from mainland China means going through a proxy). Below it are the secret key and five emergency scratch codes. The scratch codes are for when no dynamic code can be obtained (phone lost or unavailable); each one works exactly once and is then removed from the file, so save them somewhere safe. Opening the chart URL hands the secret to Google. The qrencode tool from step 4 can draw the same QR code in the terminal instead: take the otpauth://totp/... value of the chl parameter, decode %3F to ? and %3D to =, and run qrencode -t ANSI '<that otpauth URL>'. The phone app can also be given the 16-character secret key by hand.
Do you want me to update your "/home/jss/.google_authenticator" file (y/n) y    # asked whether to write the secret file; answer y (it holds the secret in clear text and must stay readable only by its owner)
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y    # answer y: a code that has already been used is refused, so a captured code cannot be replayed
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
# A code is valid for its own 30-second slot, and to tolerate clock differences between phone and server the codes of the slot before and after it are also accepted (about 1.5 minutes in total). The window can be widened to about 4 minutes, but every extra slot is one more code an online guesser could hit; answer n to keep the default and fix clock skew with NTP instead.
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

# Whether to limit the number of attempts: at most three every 30 seconds. Answer y to enable it; a six-digit code is short enough that unlimited online guessing would eventually succeed.
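The prompts above set four behaviours of the module: a fresh 6-digit code every 30 seconds, acceptance of the previous and next code to absorb clock skew, refusal of a code that has already been used, and a cap of three attempts per 30 seconds, plus one-shot 8-digit scratch codes. The Python below is an added example, not the module's own code, that implements those checks the way the values in .google_authenticator drive them, so you can see exactly what is and is not accepted at the Verification code: prompt. It uses the published RFC 4226/6238 test secret so the expected codes are the standard vectors; the Verifier class, its option names and its pairing with one of the scratch codes printed above are this example's own, and the rate-limit bookkeeping is a simplification of the module's.

```python
"""Emulation of what pam_google_authenticator.so checks at the
'Verification code:' prompt: TOTP with a +/-1 slot window, DISALLOW_REUSE,
RATE_LIMIT and single-use scratch codes. Added example; not the module's code."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30

# RFC 4226/6238 test secret "12345678901234567890" in base32 (a published
# test key, used here so the expected codes are the RFC test vectors).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of 30-second slots since the epoch."""
    return hotp(secret_b32, int(now) // step)


class Verifier:
    """State the module keeps in ~/.google_authenticator between logins.
    window_size=3 is the default '1:30min' (current slot plus one either
    side); 17 would be the 'about 4min' option. rate_limit is (attempts, seconds)."""

    def __init__(self, secret_b32, scratch_codes, window_size=3,
                 disallow_reuse=True, rate_limit=(3, 30)):
        self.secret = secret_b32
        self.scratch_codes = list(scratch_codes)   # 8-digit, each usable once
        self.window_size = window_size
        self.disallow_reuse = disallow_reuse
        self.rate_limit = rate_limit
        self.used_slots = set()                    # slots whose code was accepted
        self.attempts = []                         # timestamps of recent attempts

    def verify(self, code: str, now) -> bool:
        now = int(now)
        limit, seconds = self.rate_limit
        # RATE_LIMIT: every attempt counts, and once over the limit even a
        # correct code is refused until the window has passed
        self.attempts = [t for t in self.attempts if now - t < seconds] + [now]
        if len(self.attempts) > limit:
            return False
        if not (code.isascii() and code.isdigit()):
            return False
        if code in self.scratch_codes:
            self.scratch_codes.remove(code)        # emergency code burns on use
            return True
        slot = now // STEP_SECONDS
        half = self.window_size // 2
        for candidate in range(slot - half, slot + half + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if self.disallow_reuse and candidate in self.used_slots:
                    return False                   # replay of an already-used code
                self.used_slots.add(candidate)
                return True
        return False


if __name__ == "__main__":
    import time
    print("current code for the RFC test secret:", totp(RFC_SECRET_B32, time.time()))
```

Two things the code makes visible: DISALLOW_REUSE only protects against replay of a code the legitimate user has already spent, and the skew window is the reason the phone and server clocks must agree to within a slot, which is why NTP on the server is part of the deployment rather than an afterthought.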

7. Install Google Authenticator on the mobile phone and scan the QR code generated in the previous step to start receiving dynamic verification codes.

Android download:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
iOS download:
https://itunes.apple.com/us/app/google-authenticator/id388497605
Note: Google Play is not reachable from mainland China without a proxy; otherwise obtain and install Google Authenticator through another channel.
The app also needs a barcode scanner installed in order to read the QR code. If scanning is not possible, the app accepts the 16-character secret key printed in step 6 typed in by hand.
Taking an Android phone as an example:

Install Google Authenticator and open it (screenshot from the original page not reproduced).

Choose to add an account by scanning a barcode, and scan the QR code generated in step 6.

After scanning, the account appears in the app with a code that changes every 30 seconds (screenshot not reproduced).

8. Log on to the remote server over SSH

After the account name is entered, a prompt asks for the verification code (it comes before the password because the module is the first line of the PAM stack).

login as: root
Using keyboard-interactive authentication.
Verification code:
Open Google Authenticator on the phone, type the code it currently shows, and press Enter.
Note: the code is not echoed, so nothing appears on screen as you type; just make sure what you typed is correct.
Using keyboard-interactive authentication.
Password:
Enter the password to log on to the system.
Note: the code is checked the moment you submit it, and it is accepted only during its own 30-second slot and the slot before and after it (step 6). If it has expired the login is refused and you must connect again with the new code shown on the phone; the password prompt that follows is not subject to this time limit.