系统之城 - 最好的系统光盘下载网站!

当前位置:主页 > 系统教程 > Linux教程 > 详细页面

为Linux服务器的SSH登录启用Google两步验证

时间:2018-03-21 来源:系统之城 编辑:Lncity

对于Linux服务器而言使用密钥登录要比使用密码登录安全的多,毕竟当前网上存在多个脚本到处进行爆破。

这类脚本都是通过扫描IP端的开放端口并使用常见的密码进行登录尝试,因此修改端口号也是非常有必要的

如果你仍然想继续提高服务器的安全性的话那么还可以考虑使用Google的两步验证,每次登录需输入口令。

Google Authenticator是开源的两步验证工具,任何人都可以在自己的服务上部署两步验证来提高安全性。

注:Google Authenticator支持iOS和Android平台,其他平台似乎没有Google Authenticator。

以下是为CentOS服务器登录时启用两步验证的步骤:

1、Google Authenticator依赖时间与客户端进行校验,因此首先得把服务器时间更新至最新:

root@landian:# service ntpd stop     ===>停止NTP服务
Shutting down ntpd:                  ===>已停止NTP服务
root@landian:# ntpdate pool.ntp.org  ===>进行对时
20 Jan 15:09:24 ntpdate[17021]: adjust time server * offset -0.006584 sec ===> 对时成功,相差0.006584

2、执行以下命令安装几个rpm文件并更新repolist:

root@landian:# cd /tmp                                                          ===> 进入TMP文件夹
root@landian:# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm ===>下载
root@landian:# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm               ===>下载
root@landian:# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm                               ===>安装
Preparing... ########################################### [100%]
1:epel-release ########################################### [ 50%]
2:remi-release ########################################### [100%]                   ===>完成安装
root@landian:# yum repolist                                                         ===>更新repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/metalink | 5.3 kB 00:00 
* base: mirrors.cn99.com
* epel: ftp.riken.jp
* extras: centos.ustc.edu.cn
* remi-safe: mirrors.mediatemple.net
* updates: mirrors.cn99.com
epel | 4.3 kB 00:00 
epel/primary_db | 5.9 MB 00:01 
repo id repo name status
base CentOS-6 - Base 6,696
epel Extra Packages for Enterprise Linux 6 - x86_64 12,215
extras CentOS-6 - Extras 62
remi-safe Safe Remi's RPM repository for Enterprise Linux 6 - x86_64 1,987
updates CentOS-6 - Updates 780
repolist: 21,740                                                                      ===>更新完成

3、为系统安装Google Authenticator,如果不进行第二步的操作在第三步中可能会提示你No Package

root@landian:# yum install google-authenticator                         ===>安装Google Authenticator
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.cn99.com
* epel: ftp.riken.jp
* extras: centos.ustc.edu.cn
* remi-safe: mirror.bebout.net
* updates: mirrors.cn99.com
Resolving Dependencies
--> Running transaction check
---> Package google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved                                                        ===>下载完成准备安装

===================================================================================================
Package Arch Version Repository Size
===================================================================================================
Installing:
google-authenticator x86_64 0-0.3.20110830.hgd525a9bab875.el6 epel 26 k

Transaction Summary
===================================================================================================
Install 1 Package(s)

Total download size: 26 k
Installed size: 51 k
Is this ok [y/N]: y                                                         ===>输入Y进行确认
Downloading Packages:
google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm | 26 kB 00:00 
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
Userid : EPEL (6) <epel@fedoraproject.org>
Package: epel-release-6-8.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y                                                    ===>输入Y进行确认
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64 1/1 
Verifying : google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64 1/1

Installed:
google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6

Complete!                                                                       ===>安装完成

4、为当前用户开启两步验证:

root@landian:# google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@landian%3Fsecret%3D4RRUJWKG2ZIU7SC2
===>上面的地址是个图片,复制地址到浏览器打开,然后使用GA手机端扫描添加
Your new secret key is: 4RRUJWKG2ZIU7SC2 ===>这是序列号,你不扫描二维码的话也可以手动输入序列号进行添加
Your verification code is 615947 ===>这是验证码
Your emergency scratch codes are: ===>下面几个是紧急验证码,如果你要登录但手机不再身边那么可以用以下验证码
87522227
35333335
84222252
27222238
62272223

Do you want me to update your "~/.google_authenticator" file (y/n) y ===>更新文件输入Y确认

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y  ===>下面都输入Y确认

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

5、修改SSH配置文件以便于启用两步验证:直接编辑或下载对应文件到本地再编辑也可

进入/etc/pam.d/目录下载sshd文件并添加以下内容保存后上传覆盖到服务器:
auth      required      pam_google_authenticator.so
进入/etc/ssh/目录下载sshd_config文件并找到以下内容将no改成yes,然后保存上传覆盖到服务器:
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes

6、修改完毕这俩文件并上传到服务器后重启SSH服务以便于生效:

root@landian:# service sshd restart

7、断开再次登录大概就是下面这种样子了

root@landian:# ssh root@192.168.1.1
Password: ===>这里输入密码
Verification code: ===>这里输入GA手机端生成的验证码
root@landian:#
写在最后

学习是一种态度,分享是一种乐趣!

如果觉得我们的作品不错,请为我们点赞!

如果觉得本资讯有用或能帮助到更多的人学习,请分享到朋友圈!

你的支持,是我们不断进步的动力!

分享到:

相关信息

  • 联想ThinkPad E470自带win10系统如何

    联想 ThinkPad E470 这款笔记本具有超高人气与精致造型的商务办公笔记本再次推出搭载了独立显卡的强力版,在图形性能极为出众。但预装的是 win10 系统,网友还是不是很喜欢 win10 游戏的体验感,那么联想 ThinkPad E470 笔记本如何把 win10 改成 win7 系统呢

  • Linux使用Lsof命令解决端口占用问题的

    在Linux Server上通常比较容易出现端口占用问题导致部分程序无法启动的。 例如鸭子哥晚上在Cent OS上配置另一个域名的HTTPS时就出现操作错误导致Nginx无法启动的。 复原一下出现错误的操作步骤: 1、修复网站的配置文件conf添加监听443端口以及证书名称; 2

系统教程栏目

栏目热门教程

人气教程排行

站长推荐

热门系统下载

公众号