
SSH uses Google Authenticator for secondary verification

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

The basic principles are shown in the figure above:

After entering the verification code, the client enters the password for the server account, and is allowed onto the server once it is verified.

The implementation is as follows:

1. Install the required components

# yum -y install mercurial pam-devel

2. Install qrencode. On Linux, qrencode is a command-line tool that generates QR codes; the google-authenticator command-line tool calls it to produce its QR code.

# wget http://fukuchi.org/works/qrencode/qrencode-3.3.1.tar.gz

# tar zxf qrencode-3.3.1.tar.gz

# cd qrencode-3.3.1

# ./configure --prefix=/usr && make && make install

3. Install Google Authenticator

# wget --no-check-certificate https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2

# tar jxvf libpam-google-authenticator-1.0-source.tar.bz2

# cd libpam-google-authenticator-1.0

# make && make install

4. Call the google-authenticator module when SSH logs in

# vim /etc/pam.d/sshd

On the first line, add the following:

auth required pam_google_authenticator.so

# vim /etc/ssh/sshd_config

ChallengeResponseAuthentication yes # enable this line

UsePAM yes # add this line

# service sshd restart

5. Generate google-authenticator configuration

# google-authenticator

Do you want authentication tokens to be time-based (y/n) y

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@node3.mengtao.com%3Fsecret%3DABEXG5K6CVB56BXY

# this URL is the generated QR code, which is scanned by the client

Your new secret key is: node3.mengtao.com

Your verification code is 582849

Your emergency scratch codes are:

30776626

14200155

80795568

23936997

21919909

# the numbers in the above lines are emergency codes

Do you want me to update your "/root/.google_authenticator" file (y/n) y

# update the configuration file

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

# multiple use of one password is prohibited

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

# time error between client and server

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

# limit the number of attempts

On the client device, you can either enter the key by hand or scan the QR code.

6. Login authentication
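
What the answers chosen in step 5 mean when a code is typed at login, as an added example that is not from the original article and is not the PAM module's own code: a 30-second time-based code (RFC 6238), one extra token accepted before and after the current time, and a token refused once it has been used. The Verifier class and its replay rule (refuse any time step not newer than the last accepted one) are illustrative assumptions, and the secret is the constructed RFC 6238 test key, not a real account's.

```python
import base64, hashlib, hmac, struct, time

STEP = 30    # seconds a token is valid ("tokens are good for 30 seconds")
WINDOW = 1   # extra tokens accepted before and after the current one

def totp(secret_b32, counter, digits=6):
    """Code for one 30-second time step: HMAC-SHA1 plus RFC 4226 truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server-side check for one account's secret."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.last_used = -1   # highest time step already accepted

    def check(self, code, now=None):
        current = int(time.time() if now is None else now) // STEP
        for counter in range(current - WINDOW, current + WINDOW + 1):
            expected = totp(self.secret, counter)
            # constant-time comparison of the typed code with the expected one
            if hmac.compare_digest(expected.encode(), code.encode()):
                if counter <= self.last_used:
                    return False   # token already used: refuse the replay
                self.last_used = counter
                return True
        return False               # outside the +/- one token window

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = Verifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, 59 // STEP)       # code valid at t = 59 s
    print("code:", code)
    print("first use:", v.check(code, now=59))
    print("replayed:", v.check(code, now=59))
    print("one step late:", Verifier(SAMPLE_SECRET).check(code, now=89))
    print("three steps late:", Verifier(SAMPLE_SECRET).check(code, now=119))
```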
