[toc]

Google two-factor authentication (2FA)

Google Authenticator

Logging in to a virtual machine with only an account name and password is an easy target for brute-force attacks. Google Authenticator adds a second factor: a one-time verification code generated on the phone that changes every 30 seconds. With it in place, the SSH login first asks for the Google verification code and then for the host password.

Deploying Google two-step verification

```bash
# Install build dependencies
yum -y install pam-devel libpng-devel autoconf automake libtool

# Download the Google PAM module into /opt
cd /opt
## Upstream download address
wget https://github.com/google/google-authenticator-libpam/archive/1.04.tar.gz
## Mirror on the author's own site
wget http://test.driverzeng.com/other/1.04.tar.gz

# Unpack the module and enter the source directory
tar xf 1.04.tar.gz
cd google-authenticator-libpam-1.04

# Run the bootstrap build step
./bootstrap.sh

libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
libtoolize: copying file `build/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
configure.ac:11: installing 'build/config.guess'
configure.ac:11: installing 'build/config.sub'
configure.ac:8: installing 'build/install-sh'
configure.ac:8: installing 'build/missing'
Makefile.am: installing 'build/depcomp'
parallel-tests: installing 'build/test-driver'

# Generate the Makefile
./configure

# Compile and install
make && make install

# Check that the module was installed
ll /usr/local/lib/security/

## -rwxr-xr-x 1 root root 1021 Dec 6 09:45 pam_google_authenticator.la
## -rwxr-xr-x 1 root root 133552 Dec 6 09:45 pam_google_authenticator.so

# Copy the installed module into the system PAM module directory
cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/

# Generate the Google Authenticator secret. Run this as the user who will log in:
# the secret is written to that user's ~/.google_authenticator (here root's)
google-authenticator

# Should the tokens change with time (TOTP)? Yes
Do you want authentication tokens to be time-based (y/n) y
# (at this point the tool prints the secret key, a QR-code URL and the emergency
#  scratch codes; they are not reproduced here. Keep the scratch codes somewhere
#  safe: they are the fallback if the phone is lost.)

Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.

# Answering y here makes the module accept 17 codes instead of 3. That is the
# weaker setting; prefer n and keep the server and phone clocks in sync with NTP
# unless clock skew is a real problem.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting? (y/n) y
```
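The dialogue above chooses time-based codes, widens the window to 17 codes, forbids reuse of a code and turns on rate limiting. As an added example (not code from the tutorial or from the google-authenticator-libpam project), the following Python models what the PAM module then checks on every login attempt: RFC 6238 TOTP codes (HMAC-SHA1 over a 30-second counter, truncated to 6 digits, which is what the module and the mobile app compute), the accepted window around the current code, rejection of a code that has already been used, and the 3-attempts-per-30-seconds limit. The secret is the RFC 6238 reference test value, constructed for the example; `Verifier` is this example's own simplification of the per-user state the module keeps in ~/.google_authenticator, not the module's code.

```python
# Added example, not code from the tutorial or from google-authenticator-libpam:
# a minimal model of the checks the PAM module performs on a login attempt.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per code ("a new token is generated every 30 seconds")
DIGITS = 6    # length of the code shown by the app

# RFC 6238 reference test secret (ASCII "12345678901234567890"), base32-encoded
# the way ~/.google_authenticator stores it. A constructed test value only.
TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int) -> str:
    """6-digit TOTP for the 30-second step containing unix_time (RFC 6238 / RFC 4226)."""
    secret = secret_b32.strip().upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = unix_time // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    code = binary % 10 ** DIGITS
    return f"{code:0{DIGITS}d}"


class Verifier:
    """Simplified server-side state the module keeps per user (the real
    ~/.google_authenticator also holds scratch codes and timestamps)."""

    def __init__(self, secret_b32, window_size=3, disallow_reuse=True,
                 rate_limit=(3, 30)):
        self.secret = secret_b32
        # window_size 3 = previous/current/next code (skew up to 30 s);
        # 17 = 8 before and 8 after (skew up to 4 minutes), as in the dialogue.
        self.window_size = window_size
        self.disallow_reuse = disallow_reuse
        self.used_counters = set()
        self.max_attempts, self.rate_window = rate_limit   # 3 attempts per 30 s
        self.attempts = []                                  # recent attempt times

    def verify(self, code: str, now: int) -> bool:
        # Rate limiting: refuse outright once max_attempts fall inside rate_window,
        # no matter whether the code would have been right.
        self.attempts = [t for t in self.attempts if now - t < self.rate_window]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)

        half = self.window_size // 2
        current = now // STEP
        for counter in range(current - half, current + half + 1):
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                # One-time use: a code that already logged someone in (for
                # example one captured by a man-in-the-middle) is rejected.
                if self.disallow_reuse and counter in self.used_counters:
                    return False
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for the current 30 s step:", totp(TEST_SECRET, now))
    print("accepted:", Verifier(TEST_SECRET).verify(totp(TEST_SECRET, now), now))
```

Running it prints the code for the current 30-second step; an app paired with the same secret shows the same digits when both clocks are in sync. The window check makes the 17-code answer concrete: every extra accepted code is one more value a guess can hit, so keep the default of 3 and fix clock skew with NTP where you can.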

Pairing with the Google Authenticator mobile app

  1. Download and open Google Authenticator

  2. Scan the QR code printed by google-authenticator to pair

  3. The home screen lists the paired accounts and shows their current one-time codes

  4. Tap the icon in the top-right corner to edit or delete an entry

  5. Pick the entry you want to edit

  6. Change the entry's label

  7. The icon in the top-right corner can also be used to delete the entry

Adding Google 2FA to SSH

```bash
# Edit the PAM configuration for sshd and add the module
vim /etc/pam.d/sshd

## Add this line at the top of the auth stack, so that the verification code
## is asked for before the password (the order used in the login below):
## auth required pam_google_authenticator.so
```

```bash
# Edit the sshd configuration and restart the service to hook in the Google module
vim /etc/ssh/sshd_config
## On the author's system the directive is on line 69; set it to:
ChallengeResponseAuthentication yes
## UsePAM yes must also be set (the CentOS default); without it sshd never
## calls the PAM auth stack and the module is silently skipped

# Restart sshd. Keep your current session open and test the new login from a
# second terminal, so a mistake in either file does not lock you out.
systemctl restart sshd
```
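The two edits above can be scripted so they are repeatable and checked before sshd is restarted. The following is an added example in Python, not code from the tutorial: it inserts the PAM line at the top of the auth stack so the verification code is requested before the password, sets ChallengeResponseAuthentication yes and also UsePAM yes (without which sshd never consults the PAM auth stack), and runs `sshd -t` to validate the result. The file paths are the CentOS defaults; the `.bak` suffix and the `--apply` flag are this script's own conventions.

```python
# Added example, not code from the tutorial: apply the PAM and sshd_config
# changes idempotently and validate them before sshd is restarted.
import re
import shutil
import subprocess
import sys

PAM_SSHD = "/etc/pam.d/sshd"            # CentOS default paths (assumed)
SSHD_CONFIG = "/etc/ssh/sshd_config"
SSHD_BIN = "/usr/sbin/sshd"
PAM_LINE = "auth required pam_google_authenticator.so"
# sshd uses the first occurrence of a keyword, so rewriting the first line
# (active or commented out) is enough. Keywords are case-insensitive.
WANTED = {
    "ChallengeResponseAuthentication": "yes",  # the setting the tutorial changes
    "UsePAM": "yes",                           # otherwise the PAM auth stack is never run
}


def with_pam_line(pam_text: str) -> str:
    """Insert the module as the first 'auth' rule so the 'Verification code:'
    prompt comes before 'Password:'. No-op if the line is already there."""
    lines = pam_text.splitlines()
    if any(re.match(r"\s*auth\s+\S+\s+pam_google_authenticator\.so", l) for l in lines):
        return pam_text
    for i, line in enumerate(lines):
        if line.lstrip().startswith("auth"):
            lines.insert(i, PAM_LINE)
            break
    else:
        lines.append(PAM_LINE)
    return "\n".join(lines) + "\n"


def with_sshd_settings(sshd_text: str, wanted=WANTED) -> str:
    """Set each keyword on its first occurrence (even a commented-out one) and
    append missing keywords before any 'Match' block; directives inside a
    Match block are deliberately left alone."""
    canon = {k.lower(): k for k in wanted}
    lines = sshd_text.splitlines()
    done = set()
    in_match = False
    for i, line in enumerate(lines):
        m = re.match(r"\s*(#\s*)?(\w+)\b", line)
        if not m:
            continue
        key = m.group(2).lower()
        if key == "match" and not m.group(1):
            in_match = True
        if key in canon and key not in done and not in_match:
            lines[i] = f"{canon[key]} {wanted[canon[key]]}"
            done.add(key)
    for key, value in wanted.items():
        if key.lower() not in done:
            idx = next((i for i, l in enumerate(lines)
                        if re.match(r"\s*match\b", l, re.I)), len(lines))
            lines.insert(idx, f"{key} {value}")
    return "\n".join(lines) + "\n"


def apply() -> int:
    """Rewrite the real files (keeping .bak copies) and validate with sshd -t.
    Returns sshd's exit status; restart sshd only if it is 0."""
    for path, transform in ((PAM_SSHD, with_pam_line), (SSHD_CONFIG, with_sshd_settings)):
        with open(path) as f:
            old = f.read()
        new = transform(old)
        if new != old:
            shutil.copy2(path, path + ".bak")
            with open(path, "w") as f:
                f.write(new)
            print(f"updated {path} (backup in {path}.bak)")
    result = subprocess.run([SSHD_BIN, "-t"], capture_output=True, text=True)
    if result.returncode != 0:
        print("sshd rejected the configuration, do not restart:",
              result.stderr, file=sys.stderr)
    return result.returncode


if __name__ == "__main__":
    if "--apply" in sys.argv:
        sys.exit(apply())
    print("dry run; pass --apply as root to edit", PAM_SSHD, "and", SSHD_CONFIG)
```

Run it once as root with `--apply` from a session you keep open, then test the new login from a second terminal before closing the first. One thing the script deliberately does not change: public-key logins bypass the PAM auth stack entirely, so a user with an authorized key is never asked for a code. To require both the key and the code, add `AuthenticationMethods publickey,keyboard-interactive` to sshd_config.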

Logging in with two-step verification

Via a remote ssh connection

```bash
# ssh root@10.0.0.61
Verification code: (Google one-time code)
Password: (host password)
```

Via Xshell

  1. Change the login method to: Keyboard Interactive

  2. Enter the Google one-time code when logging in

  3. Enter the account password