
Strengthen the security of SSH login with Google Authenticator

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Environment:

CentOS 6.3 x86_64

Installation of basic components:

yum -y install wget gcc make pam-devel libpng-devel

1. Install qrencode

On Linux, the command-line tool qrencode generates QR codes; the google-authenticator command calls it to draw the QR code in the terminal, so it has to be installed first.

wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz
tar zxf qrencode-3.3.1.tar.gz
cd qrencode-3.3.1
./configure --prefix=/usr && make && make install

2. Install the google authenticator PAM plug-in

wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make && make install

3. Configure google authenticator

Google Authenticator is an open-source solution, so it is not limited to Google's own website and can be used elsewhere. The difference is that on Google's website you are handed a QR code to scan, whereas for your own setup you have to generate the secret and QR code yourself.

First of all, switch to the user the tokens are for. If the VPS has only one user this step can be skipped, but on a multi-user VPS you must switch to that user first and then run the google-authenticator command. The program asks Do you want authentication tokens to be time-based (y/n), i.e. whether the codes (TOTP) should be generated from the current time; answer y here. The result looks something like this:

The QR code is meant to be scanned with the Google Authenticator app; alternatively, open the link printed above it, which renders the same QR code through the Google Chart API, or type the text key shown under the QR code into the app by hand. Once Google Authenticator recognizes the account, the authenticator is configured. Several emergency codes are also printed under the text key; keep them somewhere safe in case the phone is lost.

At this point Google Authenticator is running, but the settings have not been saved yet, so the program asks Do you want me to update your "/root/.google_authenticator" file (y/n), i.e. whether to write the configuration to the file in the home directory. Answer y, of course. It then asks:

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)

This asks whether to forbid using the same token more than once; the answer is of course y. The next question is

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)

This asks whether to widen the time tolerance so that a large clock difference between client and server does not cause authentication to fail. Decide according to your situation: my iPad's clock is very accurate (synchronized over the network), so I answer n; if a tablet is not connected to the Internet, answer y so that clock drift does not cause authentication failures. The next question is

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

This asks whether to limit the number of login attempts (to prevent brute-force attacks); naturally, answer y.

Once the questions have been answered, a new .google_authenticator file appears in the home directory (default permission 400). The client and the server now share the secret, and you should not run the google-authenticator command again, otherwise a new secret and a new set of codes will be generated.
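To make the three prompts above concrete, here is an added example (not part of the original article or of the google-authenticator project) of the server-side check they configure: RFC 6238 TOTP verification with a skew window, one-time use of each token, and a 3-attempts-per-30s rate limit. The secret is the constructed RFC 4226/6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # tokens are good for 30 seconds, as the google-authenticator prompt says
# Constructed demo secret: base32 of the RFC 4226/6238 test key "12345678901234567890"
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, now, step=STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(now) // step)

class TotpVerifier:
    """Server-side check mirroring the options google-authenticator asks about:
    window = time steps of skew accepted on each side (1 = the default 1:30min
    window, 4 = about 4min); disallow_reuse = a token is accepted at most once;
    max_attempts = rate limit per STEP seconds (default 3 per 30s)."""
    def __init__(self, secret_b32, window=1, disallow_reuse=True, max_attempts=3):
        self.secret = secret_b32
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.max_attempts = max_attempts
        self.last_counter = -1  # highest counter already used for a login
        self.attempts = []      # timestamps of recent attempts (rate limiting)

    def verify(self, code, now):
        self.attempts = [t for t in self.attempts if now - t < STEP]
        if len(self.attempts) >= self.max_attempts:
            return False        # rate-limited: too many attempts in this window
        self.attempts.append(now)
        counter = int(now) // STEP
        for skew in range(-self.window, self.window + 1):
            cand = counter + skew
            # constant-time comparison so the check does not leak matching digits
            if cand >= 0 and hmac.compare_digest(hotp(self.secret, cand), code):
                if self.disallow_reuse and cand <= self.last_counter:
                    return False  # replay of a token that already logged in
                self.last_counter = max(self.last_counter, cand)
                return True
        return False
```

The RFC 6238 test vectors (for example 287082 at Unix time 59 and 081804 at 1111111109) reproduce with this code, which is how you can confirm a verifier and an authenticator app agree before putting either in front of SSH.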

4. Configure SSH authentication

At this point Google Authenticator is configured, but no program calls it yet, so SSH login has to be set up to authenticate through it.

Open the /etc/pam.d/sshd file and add the line

auth required pam_google_authenticator.so

and save it. Then open the /etc/ssh/sshd_config file and find

ChallengeResponseAuthentication no

Change it to

ChallengeResponseAuthentication yes

and save it. sshd only consults PAM when UsePAM yes is also set in sshd_config, which is the CentOS default. Finally, enter

service sshd restart

to restart the SSH service and apply the new configuration.

This is what happens if you log in with SSH at this time:

It worked.
