centos6.5使用Google auth进行双因子认证

阿里云相关链接

https://www.aliyun.com/product/ecs?source=5176.11533457&userCode=kv73ipbs&type=copy

1、环境

系统：centos6.5 x86_64

[root@uu ~]# uname -a

Linux uu 2.6.32-642.el6.x86_64 #1 SMP Wed Apr 13 00:51:26 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

要求：

时间同步

关闭SELinux

2、安装

升级git

1.7.1版本过低，现在github不支持1.7.1的git 客户端的下载了，只有从网上下载高一点的版本，并安装。

yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel -y
yum install gcc perl-ExtUtils-MakeMaker -y
yum remove git -y
yum update -y nss curl libcurl

cd /usr/src
wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz
wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz --no-check-certificate
tar xzf git-2.1..tar.gz
cd git-2.1.
make prefix=/usr/local/git all
make prefix=/usr/local/git install
echo "export PATH=$PATH:/usr/local/git/bin" >> /etc/bashrc
source /etc/bashrc

#配置git不认证https
git config --global http.sslVerify false

3、安装Google auth

yum install -y git automake libtool pam-devel -y
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make && make install

cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/

4、安装认证二维码

这一步可不做，没有图形二维码就手动输入程序给出的密钥。

yum install -y git qrencode

5、配置ssh服务

5.1、修改/etc/pam.d/sshd

在/etc/pam.d/sshd里添加下面这条【#放在auth       include      password-auth之前】

vim /etc/pam.d/sshd
auth       required     pam_google_authenticator.so no_increment_hotp

5.2、修改/etc/ssh/sshd_config

vim /etc/ssh/sshd_config
    PasswordAuthentication  yes
    ChallengeResponseAuthentication yes
    UsePAM yes
/etc/init.d/sshd restart

6、配置Google auth

google-authenticator

6.1、添加主机

有2种方式：

输入“y”后，会有一个二维码

1、用手机谷歌验证器扫描这个二维码即可添加主机。

2、手动输入二维码下面的密钥添加。

然后剩下的会出现5个问题，根据提示全部选“y”即可。

6.2、客户端

我的是华为手机，贴一下华为应用市场的链接

http://a.vmall.com/uowap/index.html#/detailApp/C63790

APP在应用市场搜索谷歌认证器。

可根据需要添加多个客户端。

7、登录

输入手机动态口令

输入登录用户的密码

8、说明

[root@uu ~]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@uu%3Fsecret%3DJQPBXCQ5UJEARJDKW56QG7PX5M%26issuer%3Duu

Your new secret key is: JQPBXCQ5UJEARJDKW56QG7PX5M

Enter code from app (-1 to skip): 441989

Code confirmed

Your emergency scratch codes are:

15017326

13268423

41466235

66165819

90381302

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication

token? This restricts you to one login about every 30s, but it increases

your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.

In order to compensate for possible time-skew between the client and the server,

we allow an extra token before and after the current time. This allows for a

time skew of up to 30 seconds between authentication server and client. If you

experience problems with poor time synchronization, you can increase the window

from its default size of 3 permitted codes (one previous code, the current

code, the next code) to 17 permitted codes (the 8 previous codes, the current

code, and the 8 next codes). This will permit for a time skew of up to 4 minutes

between client and server.

Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force

login attempts, you can enable rate-limiting for the authentication module.

By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting? (y/n) y

上述共需回答5个y

　　第1个：问你是否想做一个基于时间的令牌

　　第2个：是否更新你的google认证文件，由于第一次设置，所以一定选y　

　　第3个：是否禁止口令多用，这里选择y，禁止它，以防止中间人欺骗。

　　第4个：默认情况，1个口令的有效期是30s，这里是为了防止主机时间和口令客户端时间不一致，设置的误差，可以选择y，也可选n，看要求严谨程度

　　第5个：是否打开尝试次数限制，默认情况，30s内不得超过3次登陆测试，防止别人暴力破解。

并且上面这些设置将被存储在用户的〜/.google_authenticator文件中，emergency scratch codes 中的5个代码是紧急代码，务必牢记，这是在你的动态口令无法使用的情况下使用的，记住，用一个失效一个。后期可以登陆上去后，重新生成！！