Use Google Authenticator in CentOS to enhance SSH login security

Source: Internet
Author: User

Environment:
CentOS 6.3 x86_64

Basic component installation:

yum -y install wget gcc make pam-devel libpng-devel

1. Install qrencode
On Linux the command-line tool qrencode generates QR codes. google-authenticator loads libqrencode at run time to draw the QR code directly in the terminal, so build it first (this is why libpng-devel is in the package list above).

wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz
tar zxf qrencode-3.3.1.tar.gz
cd qrencode-3.3.1
./configure --prefix=/usr && make && make install

2. Install the google authenticator PAM plug-in
The PAM module was hosted on Google Code when this was written; Google Code has since shut down and the project now lives at https://github.com/google/google-authenticator-libpam. The original download and build steps were:

wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make && make install

3. Configure google authenticator

Google Authenticator is an open-source implementation of the standard TOTP/HOTP algorithms (RFC 6238 / RFC 4226), so it is not tied to Google's own sites. The difference is only who generates the secret: on Google's site a QR code is handed to you for scanning, while on your own server you generate the secret and the QR code yourself.
First switch to the user whose SSH login is to be protected. The secret is stored in that user's home directory, so on a VPS with a single user you can skip this, but on a multi-user VPS you must run the setup as each user. Then run the google-authenticator command. The program first asks "Do you want authentication tokens to be time-based (y/n)", i.e. whether to generate time-based codes (TOTP) rather than counter-based ones (HOTP); answer y. The tool then prints a QR code, the new secret key, a current verification code and a few emergency scratch codes, similar to the following:

Scan this QR code with the Google Authenticator app. You can also open the link printed above the code, which renders the same QR code through the Google Chart API, or type the text secret key printed below the QR code into the app by hand. Once the app has added the account, the client side is configured. The emergency scratch codes printed under the secret key are single-use codes for logging in if the phone is lost; keep them somewhere safe.
At this point the app is working but nothing has been saved on the server yet, so the program asks "Do you want me to update your "/root/.google_authenticator" file (y/n)" (whether to write the configuration to the file in the home directory). Answer y. It then asks

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)

This asks whether a single code may be used more than once. A code that has already been accepted is then rejected until the next 30-second step, which blunts replay of a captured code; answer y. The next question is

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)

This asks whether to widen the tolerance for clock skew between the client and the server. By default three codes are accepted (the current one plus one step before and after); answering y widens that window considerably, which also gives an attacker more valid codes at any instant. Decide based on your devices: a phone or tablet whose clock is synchronised over the network keeps accurate time, so n is fine; for a device that is not network-connected and may drift, answer y to avoid spurious authentication failures. The last question is

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

This asks whether to cap the number of attempts, which is the brute-force protection for a six-digit code; answer y.
After the last answer the home directory contains a new .google_authenticator file (mode 400 by default, so only the owner can read the secret). Both the client and the server are now ready. Do not run google-authenticator again for this user unless you intend to rotate the secret: each run generates a new secret and scratch codes and invalidates the ones enrolled in the app.
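To make the four dialog answers concrete, here is an added example (not from the original post and not the google-authenticator project's own code) of a small TOTP verifier in Python that honours the same options. It assumes the .google_authenticator layout written by version 1.0: the base32 secret on the first line, option lines prefixed with a double quote, and emergency scratch codes one per line; the sample file contents, the RFC 6238 test secret and the window value 17 for the wider skew setting are assumptions for the example.

```python
"""Reference TOTP verifier mirroring the google-authenticator dialog options (added example)."""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per token, as the dialog states
DIGITS = 6       # Google Authenticator codes are six decimal digits

# Constructed ~/.google_authenticator contents for this example. The secret is
# the RFC 4226/6238 test key "12345678901234567890" in base32; it is NOT a real
# user's secret. Lines starting with a double quote carry the options chosen in
# the dialog; the trailing numeric lines are emergency scratch codes.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30 s)."""
    return hotp(secret, unix_time // TIME_STEP)


class Authenticator:
    """Verifies codes according to the options in the file (simplified model of the PAM module)."""

    def __init__(self, file_text):
        lines = file_text.splitlines()
        self.secret = base64.b32decode(lines[0].strip())
        self.options = {}
        self.scratch_codes = set()
        for line in lines[1:]:
            if line.startswith('"'):
                fields = line[1:].split()
                if fields:
                    self.options[fields[0]] = fields[1:]
            elif line.strip():
                self.scratch_codes.add(line.strip())
        # WINDOW_SIZE is the number of tokens accepted: 3 = current token plus
        # one either side (the 1:30 default). The dialog writes a larger value
        # when the wider skew window is chosen (assumed here to be 17).
        self.window = int(self.options.get("WINDOW_SIZE", ["3"])[0])
        self.disallow_reuse = "DISALLOW_REUSE" in self.options
        self.rate_limit = None
        if "RATE_LIMIT" in self.options:
            attempts, period = self.options["RATE_LIMIT"][:2]
            self.rate_limit = (int(attempts), int(period))
        self.used_counters = set()   # counters already accepted (DISALLOW_REUSE)
        self.attempt_times = []      # timestamps of recent attempts (RATE_LIMIT)

    def _rate_limited(self, now):
        """True if more than the allowed attempts fell inside the sliding period."""
        if self.rate_limit is None:
            return False
        max_attempts, period = self.rate_limit
        self.attempt_times = [t for t in self.attempt_times if now - t < period]
        if len(self.attempt_times) >= max_attempts:
            return True
        self.attempt_times.append(now)
        return False

    def verify(self, code, now):
        """Return True if `code` is acceptable at unix time `now`, applying all options."""
        if self._rate_limited(now):
            return False
        if code in self.scratch_codes:            # emergency codes are single-use
            self.scratch_codes.remove(code)
            return True
        centre = now // TIME_STEP
        half = self.window // 2
        for counter in range(centre - half, centre + half + 1):
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                if self.disallow_reuse and counter in self.used_counters:
                    return False                  # replay of a token already spent
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    auth = Authenticator(SAMPLE_FILE)
    print(totp(auth.secret, 59))                    # 287082 (RFC 6238 test vector)
    print(auth.verify(totp(auth.secret, 59), 59))   # True
    print(auth.verify(totp(auth.secret, 59), 60))   # False: same token reused
```

The rate limiter, reuse check and skew window are deliberately in that order: a rate-limited attempt is refused before any HMAC is computed, and a replayed code is refused even though it still falls inside the window.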

4. Configure SSH Authentication
Google Authenticator is configured, but nothing calls it yet, so sshd must be told to verify logins through the PAM module.
Open the /etc/pam.d/sshd file and add the line
auth required pam_google_authenticator.so

(PAM keywords are lowercase.) With "required", every account must have a .google_authenticator file or its login fails; append the module option "nullok" to the line if users who have not enrolled yet should still be able to log in with their password alone while you roll this out.

Save the file. Then open /etc/ssh/sshd_config and find
ChallengeResponseAuthentication no

Change it to
ChallengeResponseAuthentication yes

and also make sure UsePAM is set to yes (the CentOS default), since the module is only reached through PAM. Save, check the configuration with sshd -t, and restart the SSH service so it picks up the new configuration (on CentOS the service is named sshd, not ssh):
service sshd restart

Keep your current SSH session open until a second login with the verification code has succeeded, so a mistake in the PAM stack does not lock you out.
Note that this only affects password (keyboard-interactive) logins. The OpenSSH 5.3 shipped with CentOS 6 does not consult the PAM auth stack for public-key logins and has no AuthenticationMethods directive (introduced in OpenSSH 6.2), so a user who authenticates with a key is not asked for a code.
An SSH login now prompts for "Verification code:" and then the password, for example:

If the login completes after both prompts, the setup is working.

This article is from the "industry world" blog; please keep this source attribution: http://luojianlong.blog.51cto.com/4412415/1381725
