Configuring SSH two-step verification with Google Authenticator
Install Google Authenticator
$ apt-get update
$ apt-get install libpam-google-authenticator
$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y # confirm: time-based tokens. The QR code URL, the QR code itself, the plaintext secret and the emergency scratch codes are printed here
Do you want me to update your "~/.google_authenticator" file (y/n) y # confirm: update the config file
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
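The three prompts above (time-based tokens, no reuse of the same token, rate limiting) map to concrete verifier behaviour. The following is an added example, not code from the page or from the google-authenticator project: a small RFC 6238 TOTP verifier in Python with the same ±1 step skew window, a used-counter set that rejects replayed tokens, and a 3-attempts-per-30-seconds limiter. The secret is the RFC 6238 test-vector key, so the codes are reproducible; the class and function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # token lifetime in seconds (the "good for 30 seconds" above)
DIGITS = 6     # Google Authenticator shows 6-digit codes

# RFC 6238 test-vector key ("12345678901234567890"), base32 encoded (constructed sample)
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


class TotpVerifier:
    """Server-side check mirroring the three google-authenticator prompts."""

    def __init__(self, base32_secret: str, window: int = 1,
                 rate_limit: int = 3, rate_window: int = 30):
        self.secret = base64.b32decode(base32_secret, casefold=True)
        self.window = window            # extra steps accepted before/after "now"
        self.rate_limit = rate_limit    # attempts allowed per rate_window seconds
        self.rate_window = rate_window
        self.used_counters = set()      # counters already accepted (no token reuse)
        self.attempts = []              # timestamps of recent attempts

    def verify(self, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        # Rate limiting: drop attempts older than the window, refuse if full.
        self.attempts = [t for t in self.attempts if now - t < self.rate_window]
        if len(self.attempts) >= self.rate_limit:
            return False
        self.attempts.append(now)
        current = int(now) // STEP
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter in self.used_counters:
                continue                # replay: this token was already accepted
            # Constant-time comparison; a wrong-length code simply fails.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    secret = base64.b32decode(SAMPLE_SECRET_B32)
    print("code at t=59:", totp(secret, 59))
    v = TotpVerifier(SAMPLE_SECRET_B32)
    print("first use:", v.verify(totp(secret, 59), now=59))
    print("replayed:", v.verify(totp(secret, 59), now=59))
```

Widening the skew window (the 4-minute option the tool offers) is the same as raising `window`; it trades tolerance of clock drift for a larger set of codes that are valid at any instant, which is why the prompt defaults to no.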
Configure OpenSSH
vim /etc/pam.d/sshd
Add the following line to the bottom of the file.
/etc/pam.d/sshd
. . .
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so
Save and close.
vim /etc/ssh/sshd_config
Look for ChallengeResponseAuthentication and set its value to yes.
/etc/ssh/sshd_config
. . .
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
. . .
Save and close.
/etc/init.d/ssh restart
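The two edits above are easy to get wrong when applied by hand or by a script: sshd honours the first `ChallengeResponseAuthentication` it sees, a commented default may sit next to an active `no`, and a directive appended below a `Match` block applies only inside that block. The following is an added example, not part of the page or of OpenSSH: Python helpers that apply both edits idempotently to config text and report the effective setting. The sample file contents are constructed; function names are my own.

```python
import re

PAM_LINE = "auth required pam_google_authenticator.so"

# Matches the directive whether active or commented out, any case.
CRA_PATTERN = re.compile(r"^\s*#?\s*ChallengeResponseAuthentication\b.*$",
                         re.MULTILINE | re.IGNORECASE)

# Constructed samples resembling Ubuntu defaults (not real system files).
SAMPLE_SSHD_CONFIG = (
    "# This is the sshd server system-wide configuration file.\n"
    "#ChallengeResponseAuthentication yes\n"
    "ChallengeResponseAuthentication no\n"
    "UsePAM yes\n"
)
SAMPLE_PAM_SSHD = (
    "# PAM configuration for the Secure Shell service\n"
    "@include common-auth\n"
    "@include common-password\n"
)


def effective_challenge_response(sshd_config: str):
    """Value sshd would use globally: first active directive above any Match block.
    Returns None when the directive is not set."""
    for line in sshd_config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == "match":
            break  # anything below applies only to that Match block
        if parts[0].lower() == "challengeresponseauthentication" and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def enable_challenge_response(sshd_config: str) -> str:
    """Remove every existing (active or commented) directive and put one active
    'yes' at the top, so first-match-wins semantics cannot be defeated."""
    cleaned = CRA_PATTERN.sub("", sshd_config)
    cleaned = re.sub(r"\n{3,}", "\n\n", cleaned)  # tidy blank lines left behind
    return "ChallengeResponseAuthentication yes\n" + cleaned.lstrip("\n")


def pam_google_authenticator_active(pam_sshd: str) -> bool:
    """True if the auth line is present and not commented out."""
    for line in pam_sshd.splitlines():
        if line.split("#", 1)[0].split() == PAM_LINE.split():
            return True
    return False


def add_pam_google_authenticator(pam_sshd: str) -> str:
    """Append the auth line once; a second run leaves the file unchanged."""
    if pam_google_authenticator_active(pam_sshd):
        return pam_sshd
    return pam_sshd.rstrip("\n") + "\n" + PAM_LINE + "\n"


def mfa_configured(sshd_config: str, pam_sshd: str) -> bool:
    """Both halves of the page's procedure are in effect."""
    return (effective_challenge_response(sshd_config) == "yes"
            and pam_google_authenticator_active(pam_sshd))


if __name__ == "__main__":
    print("before:", mfa_configured(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD))
    new_sshd = enable_challenge_response(SAMPLE_SSHD_CONFIG)
    new_pam = add_pam_google_authenticator(SAMPLE_PAM_SSHD)
    print("after:", mfa_configured(new_sshd, new_pam))
    print(new_sshd)
```

Run the check against the real files before restarting sshd, and keep an existing session open while you test the new login so a mistake does not lock you out.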
Try logging in
ssh localhost -p port
password: [enter your password]
verification code: [enter the code from the app]
Reference
How To Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04