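Configuring Google Authenticator login on CentOS 7

CentOS 7 virtual machine

Xshell remote connection tool

Phone: the 轻网身份验证器 authenticator app

1. Configure the yum repository and install the dependencies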

[root@localhost ~]# yum install -y git automake libtool pam-devel bzip2 wget vim ntpdate

2. Synchronize the time

[root@localhost ~]# timedatectl set-timezone Asia/Shanghai
[root@localhost ~]# ntpdate time.windows.com
11 Apr 16:41:16 ntpdate[25631]: step time server 20.189.79.72 offset -28798.998443 sec

3. Download and extract the source package

[root@localhost ~]# wget http://repository.timesys.com/buildsources/l/libpam-google-authenticator/libpam-google-authenticator-1.0/libpam-google-authenticator-1.0-source.tar.bz2
[root@localhost ~]# tar -xjvf libpam-google-authenticator-1.0-source.tar.bz2

4. Compile and install

[root@localhost ~]# cd libpam-google-authenticator-1.0
[root@localhost ~]# make && make install

5. Modify the SSH service configuration

[root@localhost ~]# echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
# Edit the sshd configuration file
[root@localhost ~]# vim /etc/ssh/sshd_config

# Find this option and change no to yes, as follows
	ChallengeResponseAuthentication yes
# Restart the sshd service
[root@localhost ~]# systemctl restart sshd

6. Generate the login secret with the token tool

[root@localhost libpam-google-authenticator-1.0]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost.localdomain%3Fsecret%3DMYELD5PIMAY2AZ2M

# The QR code is displayed here

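Your new secret key is: MYELD5PIMAY2AZ2M  # If the QR code cannot be scanned, use this account name and key to bind the phone
Your verification code is 164737          # This is the password (verification code)
Your emergency scratch codes are:
  86333506              # Five codes are listed here; each can be used only once
  39599830              # Use these emergency codes to log in to the server if the phone is lost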
  35041891
  15470727
  68282512

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
[root@localhost libpam-google-authenticator-1.0]# 

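A QR code is displayed and you are asked whether to change several settings. Answer yes (y) to every prompt and the command finishes, then scan the QR code with the 轻网身份验证器 app.

If you now log in again, the normal username-and-password login no longer gets in; you need to choose Keyboard Interactive user authentication instead. Keep the existing session open while testing the new login, so that a configuration mistake does not lock you out.

After clicking OK you are prompted first for the user password and then for the dynamic code shown on the phone; once both are entered, the login succeeds.

If several machines are bound to verification-code login, you can edit the entry name in the phone app to tell which code belongs to which system.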
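
Steps 2 and 6 both depend on the clock: the code on the phone is derived from the shared secret and the current 30-second time step, and the server accepts only codes inside its window. The Python sketch below is an added example, not part of the original post or of libpam-google-authenticator; it implements standard RFC 6238 TOTP, the secret and timestamps are constructed, and steps_each_side is a hypothetical name for the window size.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per token, as stated in the google-authenticator prompt


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, steps_each_side=1):
    """Accept a code if it matches any time step inside the allowed window.

    steps_each_side=1 models "one extra token before and after the current
    time"; a larger value models the widened window (hypothetical parameter).
    """
    for drift in range(-steps_each_side, steps_each_side + 1):
        candidate = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PHONE_TIME = 1111111109  # constructed "true" time on the phone
CLOCK_ERROR = 28799      # about the size of the offset ntpdate reported in step 2

if __name__ == "__main__":
    code = totp(SECRET, PHONE_TIME)
    print("code on phone:       ", code)
    print("server in sync:      ", verify(SECRET, code, PHONE_TIME))
    print("server 40 s behind:  ", verify(SECRET, code, PHONE_TIME - 40))
    print("server 70 s behind:  ", verify(SECRET, code, PHONE_TIME - 70))
    print("70 s, wider window:  ", verify(SECRET, code, PHONE_TIME - 70, 8))
    print("server 8 h ahead:    ", verify(SECRET, code, PHONE_TIME + CLOCK_ERROR))
```

A server whose clock is off by hours, as in the ntpdate output above, rejects every code from the phone even with the widened window, which is why the time is synchronized before the secret is generated.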
