20190227
SSH & Google Authenticator
Download google-authenticator-libpam:
# git clone https://github.com/google/google-authenticator-libpam
Install the Development Tools group:
# yum groupinstall "Development Tools"
After the download, first change into the google-authenticator-libpam directory and run:
./bootstrap.sh
./configure
make
sudo make install
If the following error appears:
configure: error: Unable to find the PAM library or the PAM header files
install this package and then rerun ./configure:
# yum install pam-devel
Unless a different location was specified, pam_google_authenticator.so is installed in /usr/local/lib/security/; alternatively, locate it directly with:
# find / -name pam_google_authenticator.so -type f
Move or copy it to /usr/lib64/security/:
# mv /usr/local/lib/security/pam_google_authenticator.* /usr/lib64/security/
Modify sshd_config and the PAM configuration:
# vim /etc/pam.d/sshd
Append the following line at the end:
auth required pam_google_authenticator.so nullok
nullok allows accounts that have not yet set up Google Authenticator to log in with single-factor authentication; adjust this parameter according to your actual environment.
In sshd_config, change ChallengeResponseAuthentication to yes:
# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# systemctl restart sshd
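As an added check (example script, not part of the original notes), the two edits above can be verified before sshd is restarted. The script assumes the usual "keyword argument" sshd_config syntax and runs its checks against constructed copies of the two files; point the functions at /etc/ssh/sshd_config and /etc/pam.d/sshd to check the real system.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify the sshd_config and
# /etc/pam.d/sshd edits. File paths are parameters so the functions can be
# run against the real files or, as here, against constructed sample copies.
# sshd uses the FIRST uncommented value of a keyword, so a
# "ChallengeResponseAuthentication yes" appended at the bottom is silently
# ignored when an earlier line (the CentOS 7 default) already says "no".
# Prints the effective value (sshd default "no" when unset); exit 0 iff yes.
challenge_response_enabled() {
  val=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$1")
  echo "${val:-no}"
  [ "${val:-no}" = "yes" ]
}
# Exit 0 iff the PAM sshd file has an active (uncommented) auth line that
# loads pam_google_authenticator.so.
pam_google_auth_present() {
  grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}
# Constructed sample files for a stand-alone run.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.bad" <<'EOF'
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
EOF
cat > "$tmp/sshd_config.good" <<'EOF'
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat > "$tmp/pam_sshd.good" <<'EOF'
auth       required     pam_sepermit.so
auth       substack     password-auth
auth required pam_google_authenticator.so nullok
EOF
cat > "$tmp/pam_sshd.bad" <<'EOF'
auth       substack     password-auth
#auth required pam_google_authenticator.so nullok
EOF
for f in bad good; do
  printf 'sshd_config.%s: effective ChallengeResponseAuthentication=' "$f"
  challenge_response_enabled "$tmp/sshd_config.$f" || true
done
pam_google_auth_present "$tmp/pam_sshd.good" && echo "pam_sshd.good: module line active"
pam_google_auth_present "$tmp/pam_sshd.bad" || echo "pam_sshd.bad: module line missing or commented out"
```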
Set up Google Authenticator for the account: log in as the account to be configured and run the command as shown in the figure below:
# google-authenticator

Open the Google Authenticator app on your phone.
The screen after scanning:

Once it succeeds, go back to the VM and enter the verification code.
After the verification completes, restart ssh:
# systemctl restart sshd

On Windows, start PuTTY
and enter the VM's IP address.


If Access denied appears after you enter the verification code:

# vim /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled.

Turn off the internal firewall:
# sudo systemctl stop firewalld.service
# sudo systemctl disable firewalld.service
Temporarily disable SELinux enforcement (0: off / 1: on):
# sudo setenforce 0
Check whether enforcement is still active:
# sudo getenforce
Permissive
Finally, remember to restart ssh again:
# systemctl restart sshd