转自:http://blog.5skill.com/post/27
环境
CentOS release 6.2 x86_64
1.安装依赖包
yum -y install gcc make pam-devel libpng-devel
Qrencode官网:http://fukuchi.org/works/qrencode/manual/index.html
Google-authenticator官网:http://code.google.com/p/google-authenticator/ 2.安装Qrencode二维码生成工具
google authenticator就是通过调用Qrencode生成二维码的
wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz
tar zxf qrencode-3.3.1.tar.gz
cd qrencode-3.3.1
./configure --prefix=/usr
make && make install 3.安装google authenticator
wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make
make install
4.配置google authenticator
终端下执行google-authenticator命令,一路yes英文自己看,只对当前用户生效
root@derek3:/# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@derek2%3Fsecret%3DIZIF2QDS6O4X5CCF 
Your new secret key is: IZIF2QDS6O4X5CCF
Your verification code is 900004
Your emergency scratch codes are:紧急口令,当你手机暂时不能用可以使用紧急口令,每个口令只能使用一次
56967667
94239338
29306791
19462054
39322681
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
5.安装手机客户端添加帐号
google play搜索authenticator在线安装手机客户端
BarcodeScanner条码扫描器下载https://code.google.com/p/zxing/downloads/list
添加账户:
扫描条形码安装
手动添加账户安装
账户名自定义,可以定义你服务器主机名,多个账户便于识别,输入google-authenticator生成的密钥
,选择基于时间添加
Your new secret key is: LQOCS5HBDELWJANO
6.配置SSH调用Authenticator验证登录
打开/etc/pam.d/sshd文件,在首行加入以下代码:
auth required pam_google_authenticator.so 打开/etc/ssh/sshd_config文件,开启身份认证
ChallengeResponseAuthentication noChallengeResponseAuthentication yes/etc/init.d/sshd restartSSH登录如下图:
扫一扫
1509
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
