The basic principles are as follows:
The client can enter the server password and verify the account before entering the code.
The implementation method is as follows:
1. Install required components
# yum -y install mercurial pam-devel
2. Install qrencode. On Linux, the command-line tool qrencode makes it easy to generate a QR code; the google-authenticator command calls it when it generates the QR code.
# wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz
# tar zxf qrencode-3.3.1.tar.gz
# cd qrencode-3.3.1
# ./configure --prefix=/usr && make install
3. Install google-authenticator
# wget --no-check-certificate https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
# cd libpam-google-authenticator-1.0
# make && make install
4. Call the google-authenticator module during SSH logon.
# vim /etc/pam.d/sshd
Add the following in the first line:
auth required pam_google_authenticator.so
# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes # enable this line
UsePAM yes # add this line
# service sshd restart
5. Generate the google-authenticator configuration
# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DABEXG5K6CVB56BXY
# This URL is the generated QR code, which is scanned by the client.
Your new secret key is: node3.mengtao.com
Your verification code is 582849
Your emergency scratch codes are:
30776626
14200155
80795568
23936997
21919909
# The above lines of numbers are emergency codes
Do you want me to update your "/root/.google_authenticator" file (y/n) y
# Update the configuration file
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
# Prohibit multiple uses of one token
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
# Allowed time skew between client and server
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
# Rate limiting
You can enter the serial number and scan the QR code on the device.
6. Logon verification
This article is from the sword slave blog, please be sure to keep this source http://diudiu.blog.51cto.com/6371183/1571550
Use Google authenticator for Secondary authentication over SSH