一般大家都是使用賬號和密碼遠程SSH登錄管理服務器。但SSH賬號和密碼很容易泄露，或者經常遭遇暴力破解。咨詢過前同事賽賽，他們目前使用了谷歌身份驗證器。查看了谷歌身份驗證器的github和其它網上文檔，重新整理歸納。

谷歌身份驗證器生成的是動態驗證碼，默認30秒更新。修改配置，SSH登錄必須在輸入密碼之前輸入動態驗證碼。即使賬號和密碼泄露，驗證碼輸入錯誤，仍然無法登錄。蘋果或者安卓手機端可以安裝身份驗證器App讀取驗證碼。

1.禁用并關閉selinux

sed?-i?'s/SELINUX=enforcing/SELINUX=disabled/'?/etc/selinux/configsetenforce?0

2.安裝依賴軟件包

yum?-y?install?gcc?make?pam-devel?libpng-devel?libtool?wget?git

3.添加阿里云epel源

• RHEL 6/CentOS 6系列

wget?-O?/etc/yum.repos.d/epel.repo?http://mirrors.aliyun.com/repo/epel-6.repo

• RHEL 7/CentOS 7系列

wget?-O?/etc/yum.repos.d/epel.repo?http://mirrors.aliyun.com/repo/epel-7.repo

4.安裝Qrencode，谷歌身份驗證器需要調用該程序以便終端生成并顯示二維碼

yum?-y?install?qrencode

5.安裝谷歌身份驗證器

mkdir?-p?/App/srccd?/App/srcgit?clone?https://github.com/google/google-authenticator.gitcd?google-authenticator/libpam/./bootstrap.sh./configuremakemake?installcp?/usr/local/lib/security/pam_google_authenticator.so?/lib64/security/

6./etc/pam.d/sshd第一行后添加谷歌身份驗證器PAM模塊配置

auth???????required?????pam_google_authenticator.so

7.修改SSH服務配置/etc/ssh/sshd_config

sed?-i?'s#^ChallengeResponseAuthentication?no#ChallengeResponseAuthentication?yes#'?/etc/ssh/sshd_config

8.重啟SSH服務

• RHEL 6/CentOS 6系列

service?sshd?restart

• RHEL 7/CentOS 7系列

systemctl?restart?sshd.service

9.終端切換至需要二次驗證的系統用戶后運行驗證器程序google-authenticator，遇到(y/n)可以都輸入y，為需要遠程SSH登錄的每個用戶生成動態口令

Do?you?want?authentication?tokens?to?be?time-based?(y/n)?y https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/songsong@localhost.localdomain%3Fsecret%3DX3PYDDGPI4BF3DMIVTZ33IRQI4%26issuer%3Dlocalhost.localdomain 二維碼 Your?new?secret?key?is:?X3PYDDGPI4BF3DMIVTZ33IRQI4 Your?verification?code?is?318806 Your?emergency?scratch?codes?are:3418184733327793543071633690175621117069Do?you?want?me?to?update?your?"/home/songsong/.google_authenticator"?file?(y/n)?yDo?you?want?to?disallow?multiple?uses?of?the?same?authentication token??This?restricts?you?to?one?login?about?every?30s,?but?it?increases your?chances?to?notice?or?even?prevent?man-in-the-middle?attacks?(y/n)?Do?you?want?to?disallow?multiple?uses?of?the?same?authentication token??This?restricts?you?to?one?login?about?every?30s,?but?it?increases your?chances?to?notice?or?even?prevent?man-in-the-middle?attacks?(y/n)?yBy?default,?tokens?are?good?for?30?seconds.?In?order?to?compensate?for possible?time-skew?between?the?client?and?the?server,?we?allow?an?extra token?before?and?after?the?current?time.?If?you?experience?problems?with poor?time?synchronization,?you?can?increase?the?window?from?its?default size?of?+-1min?(window?size?of?3)?to?about?+-4min?(window?size?of 17?acceptable?tokens). Do?you?want?to?do?so??(y/n)?yIf?the?computer?that?you?are?logging?into?isn't?hardened?against?brute-force login?attempts,?you?can?enable?rate-limiting?for?the?authentication?module. By?default,?this?limits?attackers?to?no?more?than?3?login?attempts?every?30s. Do?you?want?to?enable?rate-limiting?(y/n)?y

10.蘋果手機打開App Store搜索Google Authenticator，安卓手機打開應用商店搜索身份驗證器，安裝對應App

• 蘋果手機

• 安卓

11.手機打開安裝的App后點擊開始設置，而后點擊掃描條形碼，掃描終端顯示的二維碼

12.修改SecureCRT的連接屬性，右鍵選擇已有主機連接的Properties，在新彈窗點選SSH2，將Authentication選項中的Keyboard Interactive順序調整至首行?

---

---

終端運行驗證器程序google-authenticator內容說明：

Do?you?want?authentication?tokens?to?be?time-based?(y/n)

輸入y基于時間方式生成驗證口令，輸入n使用計數器方式生成驗證口令。

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/songsong@localhost.localdomain%3Fsecret%3DX3PYDDGPI4BF3DMIVTZ33IRQI4%26issuer%3Dlocalhost.localdomain

顯示二維碼的網頁地址，需要設法能夠訪問到谷歌，方法你懂得。

二維碼

若未安裝Qrencode，則不會顯示二維碼。

Your?new?secret?key?is:?X3PYDDGPI4BF3DMIVTZ33IRQI4

若未顯示二維碼，谷歌二維碼頁面地址亦無法訪問，java教程則手機端身份驗證器App可以使用輸入提供的秘鑰，符號:之后的內容即為生成的秘鑰。

Your?verification?code?is?318806

臨時生成的6位數字驗證碼，默認30秒到期。

Your?emergency?scratch?codes?are:3418184733327793543071633690175621117069

生成的5組應急備用驗證碼，每個驗證碼只能使用一次，使用后立即失效。當多次使用手機App端顯示的驗證碼無效時使用，保存備用。

---

注意事項：

若使用默認基于時間方式生成動態口令，確保安裝谷歌身份驗證器的服務器和手機系統時間一致，否則無法登錄系統。所以服務器和手機系統定期同步公網公開的時間服務器，這樣可以確保兩者時間一致。

轉載于:https://www.cnblogs.com/plan123/p/5579513.html

總結

以上是生活随笔為你收集整理的使用谷歌身份验证器增强SSH安全的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。