配置SSH私钥登录、谷歌身份验证

配置SSH私钥登录

useradd -d /home/test -m test
passwd testpwd

mkdir .ssh;cd .ssh
ssh-keygen -t rsa ###需要命名文件和设置密码
touch authorized_keys
cat id_rsa_test.pub >> authorized_keys

cd ..
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
chown -R user:user .ssh

###新服务器的话，需要修改ssh的配置文件，以允许秘钥登录，一般只需要设置一次
vim /etc/ssh/sshd_config
### 允许秘钥登录，可以先查看是否有以下两项，有则无需更改
cat >>/etc/ssh/sshd_config<<EOF
PubkeyAuthentication yes
RSAAuthentication yes
EOF

### 重启sshd
systemctl restart sshd

###尝试登陆
ssh -i rsa_file_name server_user@server_ip

谷歌身份验证

配置ssh服务调用google authenticator PAM插件

vim /etc/pam.d/sshd #编辑，在第一行增加以下代码

auth required pam_google_authenticator.so

保存退出

vim /etc/ssh/sshd_config #编辑

ChallengeResponseAuthentication yes #修改no为yes

保存退出

service sshd restart #重启ssh服务，使配置生效

生成二维码

注意：哪个账号需要动态验证码，请切换到该账号下操作

google-authenticator #运行此命令

Do you want authentication tokens to be time-based (y/n) y #提示是否要基于时间生成令牌，选择y

https://www.google.com/chart?xxxxxxxxx

Your new secret key is: xxxxxxxxxx

Your verification code is xxxxxxxx

Your emergency scratch codes are:
xxxxxxxxxx

#上面的网址为生成的二维码图形地址（需要翻墙才能打开），还会生成密钥，以及5个紧急验证码(当无法获取动态验证码时使用，注意：这5个验证码用一个就会少一个！请保存好！)

Do you want me to update your “/home/jss/.google_authenticator” file (y/n) y #提示是否要更新验证文件，选择y

Do you want to disallow multiple uses of the same authentication

token? This restricts you to one login about every 30s, but it increases

your chances to notice or even prevent man-in-the-middle attacks (y/n) y #禁止使用相同口令

By default, tokens are good for 30 seconds and in order to compensate for

possible time-skew between the client and the server, we allow an extra

token before and after the current time. If you experience problems with poor

time synchronization, you can increase the window from its default

size of 1:30min to about 4min. Do you want to do so (y/n) n

#默认动态验证码在30秒内有效，由于客户端和服务器可能会存在时间差，可将时间增加到最长4分钟，是否要这么做：这里选择是n，继续默认30秒

If the computer that you are logging into isn’t hardened against brute-force

login attempts, you can enable rate-limiting for the authentication module.

By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting (y/n) y

#是否限制尝试次数，每30秒只能尝试最多3次，这里选择y进行限制