# 20190227

{% embed url="<https://kenwu0310.wordpress.com/2016/12/09/centos-7-ssh-%E9%9B%99%E5%9B%A0%E7%B4%A0%E8%AA%8D%E8%AD%89-using-google-authenticator/>" %}

**Download google-authenticator-libpam**

```
# git clone https://github.com/google/google-authenticator-libpam
```

**Install Development Tools**

```
# yum groupinstall "Development Tools"
```

After downloading, change into the google-authenticator-libpam directory first:

```
./bootstrap.sh
./configure
make
sudo make install
```

If this error appears:

```
configure: error: Unable to find the PAM library or the PAM header files
```

install the following package, then re-run ./configure:

```
# yum install pam-devel
```

Unless otherwise specified, pam\_google\_authenticator.so is placed in /usr/local/lib/security/.\
Alternatively, search for it directly:

```
# find / -name pam_google_authenticator.so -type f
```

Move or copy it to /usr/lib64/security/

```
# mv /usr/local/lib/security/pam_google_authenticator.* /usr/lib64/security/
```

**Modify sshd\_config and the PAM configuration:**

```
# vim /etc/pam.d/sshd
```

Append the following setting at the end of the file:

```
auth required pam_google_authenticator.so nullok
```

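nullok lets accounts that have not yet set up google-auth\
still log in with a single authentication factor. Consider your actual environment and change this parameter as needed.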

In sshd\_config, change ChallengeResponseAuthentication to yes

```
# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# systemctl restart sshd
```
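The PAM and sshd\_config settings above, and which accounts nullok currently lets in without a code, can be checked with a short script. This is an added example, not part of the original page; the function names `pam_status`, `sshd_challenge` and `unenrolled` are hypothetical, the sample files are constructed, and it assumes the module's default secret file `~/.google_authenticator`.

```shell
#!/bin/sh
# Added example (not from the original page): audit the files this guide edits.
# File paths are arguments, so the checks can run on copies or samples.

# pam_status FILE: "missing", "nullok" (second factor optional) or "enforced"
pam_status() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -Eq '[[:space:]]nullok([[:space:]]|$)'; then
        echo nullok
    else
        echo enforced
    fi
}

# sshd_challenge FILE: value of ChallengeResponseAuthentication, or "unset".
# sshd keywords are case-insensitive and the first occurrence wins.
sshd_challenge() {
    val=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$1")
    echo "${val:-unset}"
}

# unenrolled PASSWD_FILE: login-capable accounts without ~/.google_authenticator
# (the module's default secret file). Under nullok they skip the second factor.
unenrolled() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$shell" in */nologin | */false) continue ;; esac
        [ -f "$home/.google_authenticator" ] || echo "$name"
    done < "$1"
}

# Constructed sample files (not from a real host) to exercise the checks.
demo=$(mktemp -d)
printf 'auth required pam_google_authenticator.so nullok\n' > "$demo/pam_sshd"
printf '#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$demo/sshd_config"
mkdir -p "$demo/home/alice" "$demo/home/bob"
: > "$demo/home/alice/.google_authenticator"
printf '%s\n' "alice:x:1000:1000::$demo/home/alice:/bin/bash" \
    "bob:x:1001:1001::$demo/home/bob:/bin/bash" \
    "svc:x:990:990::/var/empty:/sbin/nologin" > "$demo/passwd"
echo "PAM module: $(pam_status "$demo/pam_sshd")"
echo "ChallengeResponseAuthentication: $(sshd_challenge "$demo/sshd_config")"
echo "No second factor yet: $(unenrolled "$demo/passwd")"
rm -rf "$demo"
```

On a real host, pass /etc/pam.d/sshd, /etc/ssh/sshd\_config and /etc/passwd to the three functions; once `unenrolled` prints nothing, nullok can be removed from the PAM line.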

**Set up Google Authenticator for the account:**\
Log in as the account to be configured and run the following command, as shown in the figure below

```
# google-authenticator
```

![](https://1005948644-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZgzp55XQBZ7U2SrFtZ%2F-LZhgJuo6seYHxZyw9LT%2F-LZhiQ4VI_aN42nCZt5U%2Fimage.png?alt=media\&token=260f314a-5362-41a3-ad3a-6c07273792eb)

Open the Google Authenticator app on your phone

The screen after scanning

![](https://1005948644-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZgzp55XQBZ7U2SrFtZ%2F-LZhgJuo6seYHxZyw9LT%2F-LZhkmJY2Z8oBcj1dGZ6%2Fimage.png?alt=media\&token=8b62b397-6886-498c-a690-6a8b3350fc17)

Once that succeeds, return to the virtual machine and enter the verification code

After verification, restart ssh

```
# systemctl restart sshd
```

![](https://1005948644-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZgzp55XQBZ7U2SrFtZ%2F-LZhgJuo6seYHxZyw9LT%2F-LZhjb00cUvDM-lJrOXe%2Fimage.png?alt=media\&token=f414e4d8-a8e5-4782-b757-d9d7990b7e08)

Start PuTTY on Windows

Enter the virtual machine's IP

![](https://1005948644-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZgzp55XQBZ7U2SrFtZ%2F-LZhgJuo6seYHxZyw9LT%2F-LZhlgSBGdhU71aJ_Rzs%2Fimage.png?alt=media\&token=cfddced0-56fe-4b2d-bcb0-178ece144dbe)

![](https://1005948644-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZgzp55XQBZ7U2SrFtZ%2F-LZhgJuo6seYHxZyw9LT%2F-LZhmMXn2Gka8yg4Hjs1%2Fimage.png?alt=media\&token=78e66587-0e3a-4ba9-8fb5-a920f0522a8d)

If Access denied appears after entering the verification code

![](https://1005948644-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZgzp55XQBZ7U2SrFtZ%2F-LZhgJuo6seYHxZyw9LT%2F-LZhm96tYMLutSd0wDd2%2Fimage.png?alt=media\&token=d89a2aaa-d5c9-4120-ae85-d4d146f82922)

```
# vim /etc/selinux/config
```

Change SELINUX=enforcing to SELINUX=disabled

![](https://1005948644-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZgzp55XQBZ7U2SrFtZ%2F-LZhgJuo6seYHxZyw9LT%2F-LZhoPh0Xgv68OyPIobG%2Fimage.png?alt=media\&token=793d7291-21f3-4187-97c4-69b415525abe)

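Turn off the internal firewall

```
# sudo systemctl stop firewalld.service
# sudo systemctl disable firewalld.service
```

Temporarily disable the feature (0:off/1:on)

```
# sudo setenforce 0
```

Check whether the feature is running

```
# sudo getenforce
Permissive
```

Finally, remember to restart ssh again

```
# systemctl restart sshd
```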

