SSH启用MFA二次认证

2020-03-03

字数统计: 533字 | 阅读时长≈ 2分

为SSH启用MFA二次登录认证

1. 安装Google身份验证器

1	yum install -y autoconf automake libtool pam-devel git qrencode

git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make
make install

软链模块文件

1	ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

2. 配置SSH

vim /etc/pam.d/sshd

1 2	auth required pam_google_authenticator.so nullok #加在最上面一行 #auth substack password-auth

vim /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no


#还要SSH 知道其应请求可让我们登录的 SSH 密钥和验证码
AuthenticationMethods publickey,password publickey,keyboard-interactive

systemctl restart sshd

3. 配置Google身份验证器

1	google-authenticator

#询问使用的身份验证令牌是否应基于时间
Do you want authentication tokens to be time-based (y/n) y
#此时将生成安全密钥与临时验证码，只能使用1次，需妥善保存

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

4. 连接测试

注意：不要关闭刚才的连接session，新打开一个窗口连接测试。

一旦连接失败，建议操作是恢复SSH配置，重载服务

附加：有个坑

如果你是以普通用户zhangsan登录系统，通过sudo切换到了root进行操作的，需要将生成的/root/.google_authenticator文件拷贝到普通用户的家目录，并且需要修改属主属组为zhangsan, 否则不能正常连接。

本文作者： GaryWu
本文链接： https://garywu520.github.io/2020/03/03/SSH启用MFA二次认证/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！

jsonContent: meta: false pages: false posts: title: true date: true path: true text: false raw: false content: false slug: false updated: false comments: false link: false permalink: false excerpt: false categories: false tags: true