Shulou(Shulou.com)06/01 Report--

1. Dependent package installation:

Yum-y install mercurial pam-devel

2. Install Google Authenticator:

Git clone https://code.google.com/p/google-authenticator/cd google-authenticator/google-authenticator/libpam make & & make install [libpam] # make installcp pam_google_authenticator.so / lib64/securitycp google-authenticator/ usr/local/bin

3. Edit ssh-related configuration files (authentication, etc.)

Call the google-authenticator module when SSH logs in, and edit and add the following:

Vi / etc/pam.d/sshdauth required pam_google_authenticator.so

Modify the SSH configuration file:

Vim / etc/ssh/sshd_config

Add or modify the following:

ChallengeResponseAuthentication yes

UsePAM yes

/ etc/init.d/sshd restart

4. Then use the Google-authenticator command to create a random password as follows (default is y):

[root@clone2 libpam] # google-authenticator

Do you want authentication tokens to be time-based (YBO) y

Https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@clone2%3Fsecret%3DZSQBUSM3WEXZDQRR

Your new secret key is: ZSQBUSM3WEXZDQRR

Your verification code is 198178

Your emergency scratch codes are:

16050151

22929943

74444984

23544107

20880478

Do you want me to update your "/ root/.google_authenticator" file (yPao) y

Do you want to disallow multiple uses of the same authentication

Token? This restricts you to one login about every 30s, but it increases

Your chances to notice or even prevent man-in-the-middle attacks (YBO) y

By default, tokens are good for 30 seconds and in order to compensate for

Possible time-skew between the client and the server, we allow an extra

Token before and after the current time. If you experience problems with poor

Time synchronization, you can increase the window from its default

Size of 1:30min to about 4min. Do you want to do so (YBO) y

If the computer that you are logging into isn't hardened against brute-force

Login attempts, you can enable rate-limiting for the authentication module.

By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting (YBO) y

Among them

Https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@clone2%3Fsecret%

The above links can be scanned and configured directly with the mobile client.

Then the google-authenticator client can be installed on the phone, and the password can be displayed in real time by entering the private key.

In the future, when you log in remotely, the verification code will pop up, and you need to enter the dynamic verification code generated in real time on the client before you can log in.

§Note: when logging in to the terminal, secureCRT or xshell should not log in directly by password, but should choose = = keyboard interaction = = login by authentication

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.