Enabling two-step verification for SSH login on a VPS with Google Authenticator is an effective defence against brute-force attacks. This article enables two-step verification for SSH login on a VPS running 64-bit CentOS 6. First install Google Authenticator on your phone; common Android and iOS phones are supported.
Main reference:
Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7
Detailed steps:
1. First install the EPEL repository:
Google Authenticator is in the EPEL repository, so there is no need to compile it from source.
yum install epel-release
2. Install Google Authenticator
2.1 Install with yum:
yum install google-authenticator
Agree to import the GPG key:
Importing GPG key 0x0608B895:
Userid : EPEL (6) <epel@fedoraproject.org>
Package: epel-release-6-8.noarch (@extras)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]:y
2.2 Install with rpm:
On some VPSes with little memory (e.g. 64 MB), yum is killed midway for lack of memory. In that case use the rpm command to install Google Authenticator manually.
Download:
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm
Install:
rpm -ivh google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm
3. Configure Google Authenticator
Run the following command on the VPS:
google-authenticator
The output is:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost.localdomain%3Fsecret%3DDUO5MSLICSFHYCMV
Your new secret key is: DUO5MSLICSFHYCMV
Your verification code is 036197
Your emergency scratch codes are:
22188647
15985270
10493468
55754566
92756123
Do you want me to update your "~/.google_authenticator" file (y/n)
Open the URL in a browser:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost.localdomain%3Fsecret%3DDUO5MSLICSFHYCMV
You will see a QR code; scan it with the Google Authenticator app on your phone and the account is configured automatically.
If the phone is not configured automatically after scanning, enter the verification code manually (iOS) or enter the provided key (Android): on the next screen give the account a name, enter the key shown above (DUO5MSLICSFHYCMV in this example), keep the default time-based option, and confirm.
Save the secret key (DUO5MSLICSFHYCMV) and the 5 emergency scratch codes somewhere safe for later use.
For the next four prompts, answer y to all of them; those who are interested can look into them on their own.
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
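To make the four prompts above concrete, here is an added example (not the page's own code and not the pam_google_authenticator module) that derives a time-based code from a base32 secret the way the app does (RFC 6238, HMAC-SHA1, 30-second steps), and then verifies submitted codes with the three behaviours the prompts describe: a skew window of one extra token before and after the current one, rejection of a token that has already been used once, and a limit of 3 attempts per 30 seconds. The class name, parameters and the sample timestamps are my own constructions; the secret used in the tests is the RFC 6238 reference key, not the page's.

```python
"""TOTP derivation and verification in the style of pam_google_authenticator.
Added example: not the PAM module's code. Class and parameter names are assumptions."""
import base64
import hashlib
import hmac
import struct
from collections import deque

STEP = 30  # seconds per token, the default the prompts refer to


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """Derive the code for the time step containing unix_time (RFC 6238 with HMAC-SHA1)."""
    s = secret_b32.strip().upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))          # tolerate unpadded secrets
    counter = int(unix_time) // step                          # number of steps since epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


class TotpVerifier:
    """Server-side check: skew window, one-time use of each token, attempt rate limit."""

    def __init__(self, secret_b32: str, skew_steps: int = 1,
                 max_attempts: int = 3, attempt_window: int = 30):
        self.secret = secret_b32
        self.skew = skew_steps                 # 1 = accept one token before and after (1:30 total)
        self.max_attempts = max_attempts       # 3 attempts ...
        self.attempt_window = attempt_window   # ... per 30 seconds
        self.used_counters: set[int] = set()   # tokens already consumed (disallow reuse)
        self.attempts: deque[int] = deque()    # timestamps of recent attempts

    def _rate_limited(self, now: int) -> bool:
        # Drop attempts older than the window, then refuse if the budget is exhausted.
        while self.attempts and now - self.attempts[0] >= self.attempt_window:
            self.attempts.popleft()
        if len(self.attempts) >= self.max_attempts:
            return True
        self.attempts.append(now)
        return False

    def verify(self, code: str, now: int) -> bool:
        """Return True only for a fresh, in-window code submitted within the rate budget."""
        if self._rate_limited(now):
            return False
        current = int(now) // STEP
        for counter in range(current - self.skew, current + self.skew + 1):
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):       # constant-time comparison
                if counter in self.used_counters:
                    return False                           # same token presented twice
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (RFC 6238 reference key "12345678901234567890" in base32).
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    v = TotpVerifier(demo_secret)
    code = totp(demo_secret, 45)
    print("first use:", v.verify(code, 45))    # True
    print("replay:", v.verify(code, 46))       # False, token already consumed
```

Because the window is expressed in steps, widening it to the "about 4 min" option from the prompt is just a larger skew_steps; the one-time-use set is what makes a captured code useless even inside that wider window.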
4. Edit the PAM settings
vi /etc/pam.d/sshd
Add a line at the top:
auth required pam_google_authenticator.so
It ends up looking like this:
#%PAM-1.0
auth required pam_google_authenticator.so
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
...
There is a pitfall here: the original article adds this line below the last line ("Add the following line to the bottom of line"), but then the verification code prompt did not appear at login. Adding it as the second line works; the likely reason is that the original author used CentOS 7.
5. Edit the SSH settings
vi /etc/ssh/sshd_config
Locate:
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
Change no to yes; after the change it looks like this:
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
6. Restart the SSH service
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
7. Log out of the SSH client and log in again to verify; if it looks like this, it succeeded:
login as: (enter the login user name here)
Using keyboard-interactive authentication.
Verification code: (enter the code generated on the phone here)
Using keyboard-interactive authentication.
Password: (enter the login password here)