LDAP + Kerberos + Google authentication for two-step verification

Source: Internet
Author: User

Step one: Integrate LDAP + Kerberos; refer to the previous articles.

Step two: Install and configure Google Authenticator; refer to the previous article.

Step three: Integrate LDAP + Kerberos + Google Authenticator

1. By default, once public-key or Kerberos authentication succeeds, sshd considers the login complete and never performs the Google Authenticator dynamic password check. We therefore need the AuthenticationMethods option supported by newer versions of sshd. This option specifies all of the authentication methods that sshd must complete; the methods can include keyboard-interactive, gssapi-with-mic, publickey and password, separated by commas.

2. Older versions do not support the AuthenticationMethods option, so the first step is to upgrade OpenSSH.

2.1 To avoid being locked out if something unexpected happens during the upgrade and SSH logins fail, first install telnet-server and make sure you can log in to the server over Telnet.

2.2 Upgrade OpenSSH

2.2.1 Download the latest OpenSSH source code, then compile and install it with the following parameters:

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-kerberos5 --with-md5-passwords && make && make install

2.2.2 Copy the sshd startup script and register it to start at boot:

cp contrib/redhat/sshd.init /etc/init.d/sshd && chkconfig --add sshd

2.2.3 Start sshd and test logging in. Once the login test is complete, turn off Telnet.

3. Configure sshd: edit /etc/ssh/sshd_config

PasswordAuthentication no

AuthenticationMethods keyboard-interactive,gssapi-with-mic

4. Configure PAM to turn off password verification: edit /etc/pam.d/sshd

Comment out: auth include password-auth

5. Restart sshd, obtain a Kerberos credential, and test the login:

5.1 Check whether the google-authenticator dynamic password is requested.

5.2 Check that, after the dynamic password is entered, no password is requested and the login completes directly through Kerberos.
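
An offline check of the two files edited in steps 3 and 4, as an added example that is not part of the original article. The function names, temporary paths and sample file contents are constructed for illustration. The check also rejects a space-separated AuthenticationMethods value, which sshd treats as alternative lists rather than as methods that must all complete.

```shell
#!/bin/sh
# Added example (not from the original article): offline check of the files from steps 3 and 4.

# Print the arguments of the first active (uncommented) line for keyword $2 in file $1.
# sshd_config keywords are case-insensitive and the first value found is the one used.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_2fa <sshd_config> <pam sshd file>: returns 0 only if every check passes.
check_2fa() {
    conf=$1; pam=$2; rc=0
    [ "$(sshd_opt "$conf" PasswordAuthentication | tr 'A-Z' 'a-z')" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }

    # Commas mean "all of these"; spaces separate alternative lists ("any of these").
    # So every space-separated list must contain both methods, or one factor is enough.
    methods=$(sshd_opt "$conf" AuthenticationMethods)
    [ -n "$methods" ] || { echo "FAIL: AuthenticationMethods is not set"; rc=1; }
    for list in $methods; do
        norm=",$(printf '%s' "$list" | sed 's/:[^,]*//g'),"   # drop ":pam"-style submethods
        for need in keyboard-interactive gssapi-with-mic; do
            case $norm in
                *",$need,"*) ;;
                *) echo "FAIL: list '$list' does not require $need"; rc=1 ;;
            esac
        done
    done

    # Step 4: the password stack must not be an active auth line in the PAM file.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+password-auth' "$pam"; then
        echo "FAIL: 'auth include password-auth' is still active in $pam"; rc=1
    fi
    return $rc
}

# Constructed sample files: the article's settings, and a space-separated variant.
demo_dir=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication no' \
    'AuthenticationMethods keyboard-interactive,gssapi-with-mic' > "$demo_dir/good.conf"
printf '%s\n' 'PasswordAuthentication no' \
    'AuthenticationMethods keyboard-interactive gssapi-with-mic' > "$demo_dir/weak.conf"
printf '%s\n' '#auth       include      password-auth' \
    'account    include      password-auth' > "$demo_dir/pam_sshd"
check_2fa "$demo_dir/good.conf" "$demo_dir/pam_sshd" && echo "good.conf: OK"
check_2fa "$demo_dir/weak.conf" "$demo_dir/pam_sshd" || echo "weak.conf: rejected"
```

On a live host, `sshd -T` prints the effective configuration, which can be compared against the same expectations.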
