I had heard people say that with the XX home cloud you install a mobile app, and every login first asks for the dynamic password and then for the account password. Security is greatly improved, and that is the legendary two-factor login; at the time it felt very foreign and fancy.
My angle had been different before: I mostly watched login statistics and alerts, since in practice you rarely have people logging straight into the bastion host or the jump box (that is me being too detached). I had heard of two-factor login but never acted on it, so on a whim I searched Baidu and Google for the details. Most approaches add a third-party module for the second verification step, and the better-known ones are Google Authenticator, FreeOTP and the Onion Token. Comparing the names, Google's gave me a sense of security; the Onion Token, as I understand it, can keep things in the cloud so you need not worry about the aftermath of losing the phone. Below is my installation. There are actually plenty of documents on this and the steps are quite simple, so this is only a short note.
First the environment: my perennial self-hosted virtual machines, two CentOS 6.7 minimal installations.
1. Installation, CentOS 6 environment
1) EPEL already carries google-authenticator, so it can be installed directly with yum; it is that simple and crude:
rpm -ivh https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install google-authenticator
2) Or pull the latest source directly from GitHub. CentOS 7 will complain about a missing m4 directory, so install the build dependencies first:
yum install git wget make gcc pam-devel
yum install automake autoconf libtool libpng-devel qrencode -y
git clone https://code.google.com/p/google-authenticator/
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install
2. Generate the key and the one-time codes. If qrencode was installed as above, the program prints a large QR code when it runs; scan it with the phone, or enter the verification code manually. Another way is to open the generated URL, which shows the same QR code, but you need to get over the wall to see it.
1) Running google-authenticator generates a .google_authenticator file in your home directory.
At the same time it asks about some mechanisms and options; if you do not understand them, answering y all the way is fine.
Do you want authentication tokens to be time-based (y/n)
# Whether to generate passwords based on time. This kind of authentication comes in two flavours, HOTP and TOTP: one computes the code from a counter, the other from the time. Most domestic services are based on TOTP. A certain cloud already offers this second verification step, but it was said to be useless, so I was not tempted...
2) Do you want me to update your "/root/.google_authenticator" file (y/n)
# Whether to write the update into the /root/.google_authenticator file. When you reach this step, this is displayed:
https://www.google.com/chart?chs=200x200&chld=m|0&cht=qr&chl=otpauth://totp/[email protected]%3fsecret%3dj2udl6o3dt7qvza3%26issuer%3dbase
Your new secret key is: J2UDL6O3DT7QVZA3
Your verification code is 312253
Your emergency scratch codes are:
37117552
96751003
22043179
27575526
80187267
If the package is not missing, it also prints a large QR code; opening the provided URL works too, but you know.
As far as I can tell, the verification code 312253 is what you type into the phone app by hand, the equivalent of binding a bank USB key to your phone. I did not test that or the secret key: scanning the QR code is enough, and if you enter it manually you also have to type the user and host information. The numbers below are emergency verification codes; each can be used only once, for example when the phone ...
3) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)
# Whether to restrict each token to a single login, that is, one login every 30 seconds; it is more secure.
4) By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n)
# If your time synchronization is unreliable, you can widen the window from 1.5 minutes to 4 minutes... The meaning should be more tolerance: the effective lifetime of a code is extended in disguise and is no longer the default 30 seconds. Friendly reminder: set up time synchronization first; some applications rely on TOTP, and a clock error becomes a loophole.
5) If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)
# Only 3 login attempts are allowed within 30 seconds.
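To make the prompts above concrete, here is an added example (my own code, not the pam_google_authenticator module's) that shows how the 6-digit code is derived from the base32 secret printed by the program, and how a server-side check applies the two options just discussed: the time window (3 codes = the 1:30 default; a wider window tolerates more clock skew) and the "disallow reuse" rule (one login per 30-second step). The secret J2UDL6O3DT7QVZA3 is the one from the page; the reference secret 12345678901234567890 is the RFC 4226/6238 test key, and the TotpVerifier class and its window_codes semantics are my own simplification:

```python
import base64
import hashlib
import hmac
import struct
import time

# Secret printed by google-authenticator on this page (base32, exactly as the app scans it)
PAGE_SECRET_B32 = "J2UDL6O3DT7QVZA3"

# RFC 4226 / RFC 6238 reference key, used for the self-check below
RFC_SECRET = b"12345678901234567890"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret from the otpauth:// URL into raw key bytes."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Simplified server-side check (hypothetical; mirrors two of the module's options).

    window_codes: how many 30 s codes around "now" are accepted; 3 means
                  the current code plus one before and one after (the 1:30 default).
    disallow_reuse: once a code for step N is accepted, codes for steps <= N
                  are rejected, so each token logs in at most once.
    """

    def __init__(self, key: bytes, window_codes: int = 3, disallow_reuse: bool = True, step: int = 30):
        self.key = key
        self.half = window_codes // 2
        self.disallow_reuse = disallow_reuse
        self.step = step
        self.last_counter = -1  # highest step whose code has been used

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for offset in range(-self.half, self.half + 1):
            counter = now + offset
            if counter < 0:
                continue
            if self.disallow_reuse and counter <= self.last_counter:
                continue  # same or older token already spent
            expected = hotp(self.key, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    key = decode_secret(PAGE_SECRET_B32)
    print("code for the page's secret right now:", totp(key, int(time.time())))
```

Running the script prints the code the phone app would show for the page's secret at this moment, which is a handy way to confirm the server clock and the phone agree before you lock yourself out; the verifier shows why a widened window also widens how long a captured code stays valid.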
3. Now that the server side of the Google Authenticator configuration is done, it is the phone's turn to connect to the app. Mine is still a sturdy 5s. Apple users log into the App Store and get Google Authenticator; the interface is simple and crude: tap Authenticator, then choose the QR code scan.
I did not test the Android client; the Google Store certainly has it, and the other app stores you can search yourself; it is just as simple and crude. After scanning, a 6-digit password that refreshes every 30 seconds is added. Isn't that exactly like the various USB keys and xx Bao dynamic passwords? If I find time I will try the Onion Token, not because it is powerful but because it supports all sorts of poses like face recognition...
4. With the phone and the server paired, the last step is to make the server apply the Google Authenticator module.
1)
vim /etc/pam.d/sshd
Add auth required pam_google_authenticator.so on the first line.
Testing shows it must come before password-auth, that is, the dynamic password is verified first and the user password afterwards; the order cannot be reversed. This line calls Google's library file to enable the authentication.
2)
vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# Change no to yes to turn on challenge-response authentication. If you only enable the Google authentication PAM module, login still asks for the user password alone and returns Permission denied, please try again. Both files must be modified together; otherwise you can only log in once PAM authentication is turned off again.
5. Last, fire it up:
service sshd reload
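Because the two edits above only work together and the PAM line has to sit before password-auth, here is an added audit script (my own, not part of the project) that checks both conditions on the text of the two files; the two sample file contents are constructed to resemble the CentOS 6 stock files and are not copies of the author's machine. It also checks UsePAM, which sshd needs set to yes (the CentOS default) before it consults PAM at all:

```python
import re

# Constructed sample of /etc/pam.d/sshd after the edit described above
PAM_SSHD_OK = """\
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
session    include      password-auth
"""

# Constructed sample with the line appended at the wrong place
PAM_SSHD_WRONG_ORDER = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
auth       required     pam_google_authenticator.so
account    required     pam_nologin.so
"""

# Constructed sshd_config samples
SSHD_CONFIG_OK = "Port 22\nChallengeResponseAuthentication yes\nUsePAM yes\n"
SSHD_CONFIG_DEFAULT = "Port 22\nChallengeResponseAuthentication no\nUsePAM yes\n"

# type, control (either a word or a [..] block), then module path or include target
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def pam_auth_targets(text):
    """Return the module/include target of each 'auth' line, in file order."""
    targets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line)
        if m and m.group(1).lstrip("-") == "auth":
            targets.append(m.group(3))
    return targets


def check_pam_sshd(text):
    """Findings for /etc/pam.d/sshd: module present and placed before password-auth."""
    findings = []
    targets = pam_auth_targets(text)
    ga = [i for i, t in enumerate(targets) if t.endswith("pam_google_authenticator.so")]
    pa = [i for i, t in enumerate(targets) if t == "password-auth"]
    if not ga:
        findings.append("pam_google_authenticator.so is missing from the auth stack")
    elif pa and ga[0] > pa[0]:
        findings.append("pam_google_authenticator.so comes after the password-auth include; move it before")
    return findings


def sshd_option(text, keyword):
    """Value of an sshd_config keyword; first occurrence wins, keyword is case-insensitive."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def check_sshd_config(text):
    """Findings for sshd_config: the PAM prompt is only shown with both options on."""
    findings = []
    if (sshd_option(text, "ChallengeResponseAuthentication") or "").lower() != "yes":
        findings.append("ChallengeResponseAuthentication is not yes; the verification-code prompt will never appear")
    if (sshd_option(text, "UsePAM") or "").lower() != "yes":
        findings.append("UsePAM is not yes; sshd will not run the PAM stack")
    return findings


if __name__ == "__main__":
    for name, content in [("pam ok", PAM_SSHD_OK), ("pam wrong", PAM_SSHD_WRONG_ORDER)]:
        print(name, check_pam_sshd(content) or "OK")
    for name, content in [("sshd ok", SSHD_CONFIG_OK), ("sshd default", SSHD_CONFIG_DEFAULT)]:
        print(name, check_sshd_config(content) or "OK")
```

Point the two check functions at the real file contents (open("/etc/pam.d/sshd").read(), and so on) and run it from a second terminal before reloading sshd, keeping the first session open; an empty findings list for both files is what you want before you let the reload through.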
Finally, the GitHub address: https://github.com/google/google-authenticator
In a fresh test environment be sure to turn off SELinux; don't ask me how I know. If you are interested in the detailed algorithm, Google it.
This article is from the blog "Tiger's Operation and Maintenance Blog"; please be sure to keep this source: http://oldtiger5.blog.51cto.com/9313186/1751696
Linux SSH dual factor login with Google Authenticator