为Linux服务器的SSH登录启用Google两步验证

对于Linux服务器而言使用密钥登录要比使用密码登录安全的多，毕竟当前网上存在多个脚本到处进行爆破。

这类脚本都是通过扫描IP端的开放端口并使用常见的密码进行登录尝试，因此修改端口号也是非常有必要的。

如果你仍然想继续提高服务器的安全性的话那么还可以考虑使用Google的两步验证，每次登录需输入口令。

Google Authenticator是开源的两步验证工具，任何人都可以在自己的服务上部署两步验证来提高安全性。

注：Google Authenticator支持iOS和Android平台，其他平台似乎没有Google Authenticator。

以下是为CentOS服务器登录时启用两步验证的步骤：

1、Google Authenticator依赖时间与客户端进行校验，因此首先得把服务器时间更新至最新：

root@landian:# service ntpd stop     ===>停止NTP服务
Shutting down ntpd:                  ===>已停止NTP服务
root@landian:# ntpdate pool.ntp.org  ===>进行对时
20 Jan 15:09:24 ntpdate[17021]: adjust time server * offset -0.006584 sec ===> 对时成功，相差0.006584秒

2、执行以下命令安装几个rpm文件并更新repolist：

root@landian:# cd /tmp                                                          ===> 进入TMP文件夹
root@landian:# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm ===>下载
root@landian:# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm               ===>下载
root@landian:# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm                               ===>安装
Preparing... ########################################### [100%]
1:epel-release ########################################### [ 50%]
2:remi-release ########################################### [100%]                   ===>完成安装
root@landian:# yum repolist                                                         ===>更新repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/metalink | 5.3 kB 00:00
* base: mirrors.cn99.com
* epel: ftp.riken.jp
* extras: centos.ustc.edu.cn
* remi-safe: mirrors.mediatemple.net
* updates: mirrors.cn99.com
epel | 4.3 kB 00:00
epel/primary_db | 5.9 MB 00:01
repo id repo name status
base CentOS-6 - Base 6,696
epel Extra Packages for Enterprise Linux 6 - x86_64 12,215
extras CentOS-6 - Extras 62
remi-safe Safe Remi's RPM repository for Enterprise Linux 6 - x86_64 1,987
updates CentOS-6 - Updates 780
repolist: 21,740                                                                      ===>更新完成

3、为系统安装Google Authenticator，如果不进行第二步的操作在第三步中可能会提示你No Package

root@landian:# yum install google-authenticator                         ===>安装Google Authenticator
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.cn99.com
* epel: ftp.riken.jp
* extras: centos.ustc.edu.cn
* remi-safe: mirror.bebout.net
* updates: mirrors.cn99.com
Resolving Dependencies
--> Running transaction check
---> Package google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved                                                        ===>下载完成准备安装

===================================================================================================
Package Arch Version Repository Size
===================================================================================================
Installing:
google-authenticator x86_64 0-0.3.20110830.hgd525a9bab875.el6 epel 26 k

Transaction Summary
===================================================================================================
Install 1 Package(s)

Total download size: 26 k
Installed size: 51 k
Is this ok [y/N]: y                                                         ===>输入Y进行确认
Downloading Packages:
google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm | 26 kB 00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
Userid : EPEL (6) <epel@fedoraproject.org>
Package: epel-release-6-8.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y                                                    ===>输入Y进行确认
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64 1/1
Verifying : google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64 1/1

Installed:
google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6

Complete!                                                                       ===>安装完成

4、为当前用户开启两步验证：

root@landian:# google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@landian%3Fsecret%3D4RRUJWKG2ZIU7SC2
===>上面的地址是个图片，复制地址到浏览器打开，然后使用GA手机端扫描添加
Your new secret key is: 4RRUJWKG2ZIU7SC2 ===>这是序列号，你不扫描二维码的话也可以手动输入序列号进行添加
Your verification code is 615947 ===>这是验证码
Your emergency scratch codes are: ===>下面几个是紧急验证码，如果你要登录但手机不再身边那么可以用以下验证码
87522227
35333335
84222252
27222238
62272223

Do you want me to update your "~/.google_authenticator" file (y/n) y ===>更新文件输入Y确认

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y  ===>下面都输入Y确认

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

5、修改SSH配置文件以便于启用两步验证：直接编辑或下载对应文件到本地再编辑也可

进入/etc/pam.d/目录下载sshd文件并添加以下内容保存后上传覆盖到服务器：
auth      required      pam_google_authenticator.so
进入/etc/ssh/目录下载sshd_config文件并找到以下内容将no改成yes，然后保存上传覆盖到服务器:
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes

6、修改完毕这俩文件并上传到服务器后重启SSH服务以便于生效：

root@landian:# service sshd restart

7、断开再次登录大概就是下面这种样子了

root@landian:# ssh root@192.168.1.1
Password: ===>这里输入密码
Verification code: ===>这里输入GA手机端生成的验证码
root@landian:#