Step one: Integrate LDAP + Kerberos; refer to the previous articles.
Step two: Install and configure Google Authenticator; refer to the previous article.
Step three: Integrate LDAP + Kerberos + Google Authenticator
1. By default, once a user authenticates to sshd with a public key or Kerberos, the login succeeds and the Google Authenticator dynamic password is never checked, so we need the AuthenticationMethods option supported by newer versions of sshd. This option specifies all the authentication methods that sshd must complete; the methods can include keyboard-interactive, gssapi-with-mic, publickey and password, separated by commas.
2. Older versions do not support the AuthenticationMethods option, so the first step is to upgrade OpenSSH.
2.1 To avoid an unexpected failure during the upgrade that leaves SSH unable to log in, first install telnet-server and make sure you can log on to the server over Telnet.
2.2 Upgrade OpenSSH
2.2.1 Download the latest OpenSSH source code, then compile and install it with the following parameters:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-kerberos5 --with-md5-passwords && make && make install
2.2.2 Copy the sshd startup script and enable it at boot:
cp contrib/redhat/sshd.init /etc/init.d/sshd && chkconfig --add sshd
2.2.3 Start sshd and test the login; once the login test is complete, turn off Telnet.
3. Configure sshd: edit /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods keyboard-interactive,gssapi-with-mic
4. Configure PAM to turn off password verification: edit /etc/pam.d/sshd
Comment out auth include password-auth
5. Restart sshd, obtain Kerberos credentials, and test the login:
5.1 Whether a google-authenticator dynamic password is required.
5.2 Whether, after the dynamic password is entered, no password is requested and the login completes directly through Kerberos.
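As an added example (not part of the original article), the shell functions below check the settings from steps 3 and 4: every AuthenticationMethods list must contain both methods, because lists separated by spaces instead of commas are alternatives, and /etc/pam.d/sshd must no longer include password-auth. The function names, the sample files and the presence of pam_google_authenticator.so in /etc/pam.d/sshd are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit the edits from steps 3 and 4.

# check_sshd FILE: FILE is sshd_config (global section) or saved `sshd -T` output.
check_sshd() {
    awk '
    { sub(/#.*/, "") }                          # strip comments
    tolower($1) == "match" { exit }             # only the global section is audited
    tolower($1) == "passwordauthentication" && pa == "" { pa = tolower($2) }
    tolower($1) == "authenticationmethods" && !seen {   # first occurrence wins
        seen = 1
        for (i = 2; i <= NF; i++) {             # space-separated lists are alternatives
            n = split(tolower($i), m, ","); otp = 0; krb = 0
            for (j = 1; j <= n; j++) {
                if (m[j] == "keyboard-interactive" || m[j] ~ /^keyboard-interactive:/) otp = 1
                if (m[j] == "gssapi-with-mic") krb = 1
            }
            if (!otp || !krb) { print "FAIL: \"" $i "\" completes without both factors"; bad = 1 }
        }
    }
    END {
        if (!seen) { print "FAIL: AuthenticationMethods is not set"; bad = 1 }
        if (pa != "no") { print "FAIL: PasswordAuthentication is not \"no\""; bad = 1 }
        exit bad + 0
    }' "$1"
}

# check_pam FILE: FILE is /etc/pam.d/sshd or a copy of it.
check_pam() {
    if grep -Eq '^[[:space:]]*auth[[:space:]]+(include|substack)[[:space:]]+password-auth' "$1"; then
        echo "FAIL: password-auth is still active in the auth stack"; return 1
    fi
    # Assumption: the OTP module was added to this file in the earlier article.
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" ||
        { echo "FAIL: pam_google_authenticator.so missing from the auth stack"; return 1; }
}

# Constructed samples: the article's setting, and a variant with a space instead of a comma.
demo_dir=$(mktemp -d)
printf 'PasswordAuthentication no\nAuthenticationMethods keyboard-interactive,gssapi-with-mic\n' > "$demo_dir/good"
printf 'PasswordAuthentication no\nAuthenticationMethods keyboard-interactive gssapi-with-mic\n' > "$demo_dir/weak"
printf '#auth include password-auth\nauth required pam_google_authenticator.so\n' > "$demo_dir/pam"
check_sshd "$demo_dir/good" && echo "good: OK"
check_sshd "$demo_dir/weak" || echo "weak: rejected"
check_pam  "$demo_dir/pam"  && echo "pam: OK"
rm -rf "$demo_dir"
```

On a live host, run check_sshd against the saved output of sshd -T so that the effective configuration is what gets audited.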
LDAP + Kerberos + Google authentication for two-step verification