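I followed some articles to enable multi-factor authentication for SSH and found that it did not work. It only worked after I consulted some articles from outside China, so I am recording the steps here.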
Install

```
yum install epel-release
yum install google-authenticator
```
Configure google-authenticator

```
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Do you want to do so? (y/n) y
Do you want to enable rate-limiting? (y/n) y
```
Scan the QR code with a 2FA client (for example the Stratum - Authenticator app) and save the entry.
Remember to back up the /root/.google_authenticator file.
Configure /etc/pam.d/sshd

```
#%PAM-1.0
#
auth required pam_google_authenticator.so
#
# auth substack password-auth
```

```
#auth substack password-auth
```
Commenting this line out is crucial. Many articles leave this step out!!!
Configure /etc/ssh/sshd_config

```
# Set ChallengeResponseAuthentication to yes
ChallengeResponseAuthentication yes
# ChallengeResponseAuthentication no

# Add this line
AuthenticationMethods publickey,password publickey,keyboard-interactive
```

```
AuthenticationMethods publickey,password publickey,keyboard-interactive
```
The newly added line is crucial. Many articles leave this step out!!!
Run systemctl restart sshd

```
ssh -p 22 root@xxxx
Verification code:
Last login: xxxxx
```
Note that, by default, a single code can be verified at most 3 times. If verification fails, wait for the next code.
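A check for the two files edited above, as an added example that is not part of the original post. `AuthenticationMethods` takes space-separated alternative lists, and completing every method in any one list is enough, so the script reports each alternative that does not include `keyboard-interactive` for review. The function names and sample files are constructed for illustration, and Match blocks and Include files are not handled.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: plain "Keyword value"
# lines, no Match blocks or Include files; function names are hypothetical.

# Print the value of the first active occurrence of keyword $2 in file $1
# (sshd_config keywords are case-insensitive and the first value read wins).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print each AuthenticationMethods alternative in $1 that lacks keyboard-interactive.
lists_without_kbd() {
    for list in $(sshd_value "$1" AuthenticationMethods); do
        case ",$list," in
            *,keyboard-interactive,*|*,keyboard-interactive:*) ;;
            *) echo "$list" ;;
        esac
    done
}

# Audit sshd_config $1 and PAM file $2: print findings, return 1 if there are any.
audit_ssh_2fa() {
    rc=0
    [ "$(sshd_value "$1" ChallengeResponseAuthentication)" = "yes" ] ||
        { echo "ChallengeResponseAuthentication is not set to yes"; rc=1; }
    [ -n "$(sshd_value "$1" AuthenticationMethods)" ] ||
        { echo "AuthenticationMethods is not set"; rc=1; }
    for list in $(lists_without_kbd "$1"); do
        echo "review: alternative '$list' does not include keyboard-interactive"; rc=1
    done
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$2" ||
        { echo "no active pam_google_authenticator.so auth line"; rc=1; }
    if grep -Eq '^[[:space:]]*auth[[:space:]]+substack[[:space:]]+password-auth' "$2"; then
        echo "auth substack password-auth is still active"; rc=1
    fi
    return "$rc"
}

# Constructed sample input: the two files as configured in this post.
demo=$(mktemp -d)
printf '%s\n' '# ChallengeResponseAuthentication no' 'ChallengeResponseAuthentication yes' \
    'AuthenticationMethods publickey,password publickey,keyboard-interactive' > "$demo/sshd_config"
printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' \
    '# auth substack password-auth' > "$demo/pam_sshd"
audit_ssh_2fa "$demo/sshd_config" "$demo/pam_sshd" || true
```

On a live host, `sshd -T` prints the effective settings and is the better source for the values being checked.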
Reference
https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-centos-7