Environment:
CentOS 6.3 x86_64
Basic component installation:
yum -y install wget gcc make pam-devel libpng-devel
1. Install qrencode
On Linux, the command line tool qrencode can easily generate a QR code. The google-authenticator command line tool calls it to draw the QR code in the terminal, so install it first.
wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz
tar zxf qrencode-3.3.1.tar.gz
cd qrencode-3.3.1
./configure --prefix=/usr && make && make install
2. Install the google authenticator PAM plug-in
wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make && make install
3. Configure google authenticator
Google Authenticator is actually an open-source solution, so it can be used not only on Google's website but also elsewhere. The difference is that Google's website hands you a ready-made QR code to scan, whereas with a self-hosted Google Authenticator you generate the secret and the QR code yourself.
First, switch to the corresponding user. If there is only one user on the VPS you can skip this step, but on a VPS with multiple users you must switch to the corresponding user first and then run the google-authenticator command. The program asks Do you want authentication tokens to be time-based (y/n) (whether to generate time-based verification codes, i.e. TOTP); select y here. The result is similar to the following:
This QR code is scanned with the Google Authenticator application. You can also visit the link above and scan the QR code generated by the Google Chart API, or enter the text key printed below the QR code manually. Once Google Authenticator recognizes this account, the authenticator is configured. Several emergency scratch codes are printed under the text key; keep them safe so you can still log in if the phone is lost.
At this point Google Authenticator has run, but the settings have not been saved yet. The program asks Do you want me to update your "/root/.google_authenticator" file (y/n) (whether to write the configuration to the file in the home directory); of course, answer y. It then asks:
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)
This asks whether to prohibit multiple uses of a single token (a code that has already been used for a login is rejected if presented again). Naturally the answer is y. The next question is
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
This asks whether to widen the time tolerance to prevent authentication failures caused by clock differences between the client and the server. Decide based on the actual situation. My iPad keeps very accurate time (synchronized with the network), so I answer n. If a tablet is not connected to the network, answer y to prevent authentication failure due to clock errors. The next question is
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)
This asks whether to limit the number of login attempts (to prevent brute-force guessing of the six-digit code). The natural answer is y.
After answering the questions, the home directory contains a new .google_authenticator file (default permission 400). The client and the server are now ready for use. Do not run the google-authenticator command again in future; otherwise a new secret is generated and the codes on the phone stop working.
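The three prompts above (time-based tokens, rejecting a reused token, and the time-skew window) describe the checks the PAM module performs at every login. The following is an added Python model of that verification logic, not code from this page or from the google-authenticator project; it uses the RFC 6238 test key as a constructed secret, and the window_size and used_steps representation is an assumption of this example, not the module's real file format.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # tokens are good for 30 seconds, as the prompt says


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm behind each 6-digit token."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at`."""
    return hotp(secret_b32, int(at) // STEP_SECONDS)


class TotpVerifier:
    """Server-side check modelling the three prompts: time-based tokens,
    optional reuse rejection, and a configurable skew window.
    window_size is the number of 30 s steps accepted, centred on the current
    one (3 = +/-1 step, the 1:30 min default). Assumption of this example."""

    def __init__(self, secret_b32: str, window_size: int = 3, disallow_reuse: bool = True):
        self.secret = secret_b32
        self.half_window = window_size // 2
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()  # the real module persists these in ~/.google_authenticator

    def verify(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        current = int(now) // STEP_SECONDS
        for step in range(current - self.half_window, current + self.half_window + 1):
            # constant-time comparison so a mismatch leaks nothing about the token
            if hmac.compare_digest(hotp(self.secret, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False  # token already consumed: reject the replay
                self.used_steps.add(step)
                return True
        return False
```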
4. Configure SSH Authentication
Although Google Authenticator has been configured, no program calls it yet. Therefore, you need to configure SSH to use it for verification at login. Keep your current session open until a new login has been confirmed to work, so that a mistake in the PAM configuration cannot lock you out.
Open the /etc/pam.d/sshd file and add the line
auth required pam_google_authenticator.so
and save. Open the /etc/ssh/sshd_config file and find
ChallengeResponseAuthentication no
Change it to
ChallengeResponseAuthentication yes
and save. Finally, run
service sshd restart
to restart the SSH service (named sshd on CentOS) and apply the new configuration.
At this point an SSH login looks like this:
If the verification code is requested and accepted, the setup is working.
This article is from the "industry world" blog; please keep this source link: http://luojianlong.blog.51cto.com/4412415/1381725