Google Authenticator generates time-based one-time codes that change every 30 seconds by default. This example document configures SSH login with public-key plus MFA authentication and disables password authentication.
1. Install EPEL:
Documentation: https://docs.fedoraproject.org/en-US/epel/
2. Install Google Authenticator:
yum -y install google-authenticator
On CentOS or Rocky Linux 8/9, use dnf instead of yum.
3. Edit /etc/pam.d/sshd and add the PAM module:
auth required pam_google_authenticator.so nullok
The nullok option lets users who have not yet run the google-authenticator program to set up MFA continue to log in. Once every user has enrolled, remove the option to force MFA for all logins.
4. Edit /etc/pam.d/sshd and comment out the following line by prefixing it with # to turn off the SSH password prompt:
auth substack password-auth
5. Add or modify the SSH server configuration in /etc/ssh/sshd_config so that login uses a key plus MFA and password authentication is disabled:
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
On OpenSSH 8.7 and later (as shipped with Rocky Linux 9), ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication; either name works.
6. Restart the SSH service:
systemctl restart sshd
Run sshd -t first to validate the configuration, and keep your current session open until a new login with key plus MFA succeeds.
7. Switch the terminal to the system account that needs two-factor verification and run google-authenticator; you can answer y at every (y/n) prompt. Do this for each user who needs to log in remotely over SSH:
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/test@sre-test%3Fsecret%3DBETES4PY5MQH7GW2WBR4YXJEBE%26issuer%sre-test
[QR code image here]
Your new secret key is: BETES4PY5MQH7GW2WBR4YXJEBE
Your verification code is 846751
Your emergency scratch codes are:
30601791
97878620
40666785
48464829
28132008
Do you want me to update your "/home/test/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
8. On an iPhone, open the App Store and search for Google Authenticator; on Android, open the app store and search for "authenticator" and install a matching app. Apps from Alibaba Cloud, Huawei Cloud and others also support MFA.
9. Open the installed app on the phone and tap Get started; the following uses Google Authenticator as the example:
10. Tap Scan a barcode and scan the QR code shown in the terminal:
Explanation of the output of running google-authenticator in the terminal:
- Enter y to generate codes based on time; enter n to generate codes based on a counter:
Do you want authentication tokens to be time-based (y/n) y
- The URL of the QR code image. It requires access to Google; you can go through a proxy or VPN, or find a Google public IP address not yet blocked by the Great Firewall and add a mapping for it in the system hosts file:
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/test@sre-test%3Fsecret%3DBETES4PY5MQH7GW2WBR4YXJEBE%26issuer%sre-test
[QR code image here]
- If no QR code image is shown and the generated Google QR code URL cannot be opened in a browser either, open the settings of the MFA app on the phone, tap "Enter a setup key", give it a custom name, and type the secret printed after the colon in the google-authenticator output:
Your new secret key is: BETES4PY5MQH7GW2WBR4YXJEBE
- The temporary 6-digit verification code, which expires after 30 seconds by default:
Your verification code is 846751
- Five emergency scratch codes, each usable only once and invalidated immediately after use. Use them when the codes shown by the phone app are repeatedly rejected; keep them somewhere safe:
Your emergency scratch codes are:
30601791
97878620
40666785
48464829
28132008
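As an added example (not code from the google-authenticator project), here is a Python model of the checks the PAM module applies to a code, covering the 30-second time step, the window of 3 or 17 permitted codes, the denial of token reuse, and one-time scratch codes from the output above. The names Verifier, check, hotp and totp are this example's own, and the verifier is a simplified model of the module's behaviour, not its source.

```python
# Added model of the checks pam_google_authenticator makes on a 6-digit code (RFC 6238 TOTP).
# Names (Verifier, check, ...) are this example's own, not the PAM module's API.
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per token, the default described above
DIGITS = 6


def decode_secret(b32: str) -> bytes:
    # The secret is printed and stored as unpadded base32; re-pad it for b32decode.
    s = b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(key: bytes, unix_time: int) -> str:
    return hotp(key, unix_time // STEP)


class Verifier:
    """Per-user state of the kind the PAM module keeps in ~/.google_authenticator."""

    def __init__(self, secret_b32: str, scratch_codes, window: int = 3):
        self.key = decode_secret(secret_b32)
        self.scratch = set(scratch_codes)   # emergency codes, each usable exactly once
        self.half = window // 2             # window 3 -> +/-1 step, window 17 -> +/-8 steps
        self.used = set()                   # counters already accepted (no token reuse)

    def check(self, code: str, unix_time: int) -> bool:
        if code in self.scratch:            # scratch code: accept it and burn it
            self.scratch.discard(code)
            return True
        current = unix_time // STEP
        for counter in range(max(0, current - self.half), current + self.half + 1):
            if hmac.compare_digest(hotp(self.key, counter), code):
                if counter in self.used:    # same token presented twice: deny
                    return False
                self.used.add(counter)
                return True
        return False
```

With the RFC 6238 test key the code for time 59 is 287082; a verifier with the default window accepts it once within 30 seconds, rejects a replay, and rejects it 90 seconds later, while the 17-code window still accepts it.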