20190227

ssh & google authorenticator

https://kenwu0310.wordpress.com/2016/12/09/centos-7-ssh-%E9%9B%99%E5%9B%A0%E7%B4%A0%E8%AA%8D%E8%AD%89-using-google-authenticator/kenwu0310.wordpress.com

下載google-authenticator-libpam

#git clone https://github.com/google/google-authenticator-libpam

安裝 Development Tools

# yum groupinstall "Development Tools"

下載完記得先到google-authorenticator-libpam的目錄下

./bootstrap.sh
./configure
make
sudo make install

如果出現：

configure: error: Unable to find the PAM library or the PAM header files

請安裝此套件後，重新執行./configure：

# yum install pam-devel

如果沒有特別指定，pam_google_authenticator.so會在/usr/local/lib/security/目錄中 或是直接尋找

# find / -name pam_google_authenticator.so -type f

將其移動或複製到/usr/lib64/security/

# mv /usr/local/lib/security/pam_google_authenticator.* /usr/lib64/security/

修改sshd_config與pam設定：

# vim /etc/pam.d/sshd

於最後面加入以下設定值：

auth required pam_google_authenticator.so nullok

nullok的作用是讓未設定google-auth的Account 能夠單次認證登入，可自行考量實際環境變更此參數

將sshd_config中ChallengeResponseAuthentication改為yes

# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# systemctl restart sshd

為Account設定Google-Authenticator： 登入需要設定的帳號，執行如下圖

# google-authenticator

開啟手機APP google authorenticator

掃描後的畫面

成功後回到虛擬機上輸入認證碼

認證完重啟ssh

#systemctl restart sshd

在windows上開始puTTY

輸入虛擬機的IP

假如認證碼輸入後出現了Access denied

#vim /etc/selinux/config

將SELINUX=enforcing修改成SELINUX=disabled

將內部防火牆關閉

#sudo systemctl stop firewalld.service

#sudo systemctl disable firewalld.service

暫時關閉功能(0:off/1:on)

#sudo setenforce 0

檢查功能有無執行

#sudo getenforce permissive

最後記得在重啟ssh

#systemctl restart sshd