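Generally, logging in to a server remotely over ssh requires only an account name and a password, which is clearly not very secure. For better security, you can use Google Authenticator to add a verification code between the account name and the password: only after entering the correct verification code can you then enter the password and log in. This strengthens the security of ssh logins. The account name, verification code and password are all required; even if the account name and password are correct, a wrong verification code still causes the login to fail. The verification code is a dynamic code obtained automatically from the phone app (by default it expires every 30 seconds).

Google Authenticator open-source project page: https://github.com/google/google-authenticator

I. Ubuntu installation

1. Install Google Authenticator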

apt-get install libpam-google-authenticator

It can also be built and installed from source:

git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install

Note: on Debian 7, running ./configure may fail with the following error:

configure: error: Unable to find the PAM library or the PAM header files

In that case, install libpam0g-dev and libtool:

apt-get -y install libpam0g-dev libtool

2. Configure Google Authenticator

Search for and install Google Authenticator on your phone, then run the following on the server:

google-authenticator
Do you want authentication tokens to be time-based (y/n) y

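A QR code is then displayed. Scan it with Google Authenticator on the phone, then continue the setup on the server.

If no QR code appears, copy the displayed link that begins with https://www.google.com/chart into a browser to see the QR code.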

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

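Edit the configuration files

root@test:~# vim /etc/pam.d/sshd        # add the following on the first line (i.e. the line after "account    required     pam_nologin.so")
auth required pam_google_authenticator.so
root@test:~# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes     # change no to yes
root@test:~# service ssh restart

3. Install Google Authenticator on the phone

See the CentOS installation steps.

4. Log in

On the next login, after entering the username you are prompted for the two-step verification code first, and only then for the user password, as shown below: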

root@test1:~$ ssh root@120.17.144.148 -p65322
The authenticity of host '[120.17.144.148]:65322 ([120.17.144.148]:65322)' can't be established.
RSA key fingerprint is 6f:d1:19:41:af:25:8d:ee:b9:54:11:c0:cc:c0:6e:cd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[120.17.144.148]:65322' (RSA) to the list of known hosts.
Verification code:
Password:
Last login: Tue Jan 8 16:55:15 2019 from 121.157.126.116
Welcome to aliyun Elastic Compute Service!
[root@test2 ~]#

II. CentOS installation

1. Disable SELinux

[root@test ~]# vim /etc/selinux/config      # permanent; takes effect only after a reboot
change SELINUX=enforcing to SELINUX=disabled
[root@test ~]# setenforce 0                 # temporary; no reboot required

2. Install the build tool packages

[root@test ~]# yum install wget gcc make  pam-devel libpng-devel
[root@test ~]# yum -y install google-authenticator qrencode mercurial

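3. Configure the ssh service to call the google authenticator PAM module

[root@test ~]# vim /etc/pam.d/sshd       # add the following on the first line (i.e. the line after "auth       required pam_sepermit.so")
auth required pam_google_authenticator.so
[root@test ~]# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes      # change no to yes
[root@test ~]# service sshd restart

4. Use the google authenticator PAM module to generate dynamic verification codes for the ssh login account

Note: switch to whichever account needs dynamic verification codes before running the command. (The command can be run under different users to generate each user's own second-factor codes.)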

[root@test ~]# google-authenticator

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@iZ23e3f2jdcZ%3Fsecret%3DD76NMSG26PAUJGAR

Your new secret key is: D76NMSG26PAUJGAR
Your verification code is 829676
Your emergency scratch codes are:
51322579
63010483
39007873
32360318
54935046

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
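
What the prompts above configure, as an added example (not part of the original post and not the PAM module's own code): a minimal RFC 6238 TOTP check in Python that models the 30-second step, the acceptance window and the reuse restriction. The `Verifier` class and its parameter names are hypothetical, and the secret is the published RFC 6238 test key rather than a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, matching "tokens are good for 30 seconds"

def totp(secret_b32, counter, digits=6):
    """RFC 6238 / RFC 4226 code for one time-step counter (HMAC-SHA1)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical, simplified model of the server-side check."""

    def __init__(self, secret_b32, window=3, disallow_reuse=True):
        self.secret = secret_b32
        self.window = window          # accepted time steps, centred on "now"
        self.disallow_reuse = disallow_reuse
        self.used = set()             # time steps whose code was already consumed

    def verify(self, code, now):
        current = int(now) // STEP
        half = self.window // 2
        for step in range(current - half, current + half + 1):
            if hmac.compare_digest(totp(self.secret, step), code):
                if self.disallow_reuse and step in self.used:
                    return False      # same token presented twice: rejected
                self.used.add(step)
                return True
        return False

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key (constructed input)
    now = 1111111109                              # RFC 6238 test timestamp
    code = totp(secret, now // STEP)
    v = Verifier(secret)
    print(code, v.verify(code, now), v.verify(code, now))      # second use is refused
    print(Verifier(secret).verify(code, now + 60))             # 2 steps late, window 3
    print(Verifier(secret, window=5).verify(code, now + 60))   # wider window accepts it
```

A window of 3 steps corresponds to the 1:30min default named in the prompt; widening it tolerates more clock skew at the cost of keeping each code valid for longer.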

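5. Install Google Authenticator on the phone

Use this app to scan the QR code generated in the previous step to obtain the dynamic verification codes.
Authenticator can be downloaded directly from the App Store.

Then scan the QR code generated on the server above; each user has a separate QR code.

Next, in the ssh client settings, set the login method to "Keyboard Interactive".

On the next connection, you are prompted for the second-factor verification code first, and then for the user password.

Logging in remotely from a Linux client behaves the same way: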

root@test1:~$ ssh root@120.17.144.148 -p65322
The authenticity of host '[120.17.144.148]:65322 ([120.17.144.148]:65322)' can't be established.
RSA key fingerprint is 6f:d1:19:41:af:25:8d:ee:b9:54:11:c0:cc:c0:6e:cd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[120.17.144.148]:65322' (RSA) to the list of known hosts.
Verification code:
Password:
Last login: Tue Jan 8 16:55:15 2019 from 121.157.126.116
Welcome to aliyun Elastic Compute Service!
[root@test2 ~]#

  
