
CentOS 7: adding multi-factor authentication to SSH (google-authenticator)

I followed several articles to enable multi-factor authentication for SSH and found that it did not work; it only started working after I consulted some foreign-language articles, so I am writing it down here.

Install

yum install epel-release
yum install google-authenticator

Configure

google-authenticator

google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Do you want to do so? (y/n) y
Do you want to enable rate-limiting? (y/n) y

Scan the QR code with a 2FA client (for example, the Stratum - Authenticator app) and save it.

Remember to back up the /root/.google_authenticator file.

Configure /etc/pam.d/sshd

#%PAM-1.0
## add pam_google_authenticator.so
auth required pam_google_authenticator.so
## comment out password-auth
#auth substack password-auth

Commenting out the line as #auth substack password-auth is critical.
Many articles leave this step out!!!

Configure /etc/ssh/sshd_config

# set ChallengeResponseAuthentication to yes
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

# add this line
AuthenticationMethods publickey,password publickey,keyboard-interactive

The newly added line AuthenticationMethods publickey,password publickey,keyboard-interactive is critical.
Many articles leave this step out!!!

Run

systemctl restart sshd

ssh -p 22 root@xxxx
Verification code:
Last login: xxxxx

Note that by default a single code can be tried at most 3 times.
If verification fails, wait for the next code.
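As an added example (not part of the original post), the following shell function checks a copy of /etc/pam.d/sshd and /etc/ssh/sshd_config for the two settings the post calls critical (the commented-out password-auth substack and the AuthenticationMethods line), so a misconfiguration can be caught before restarting sshd and locking yourself out. The sample files it runs on are constructed for the demo; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: checks copies of
# /etc/pam.d/sshd and /etc/ssh/sshd_config for the settings the post
# calls critical. The sample files below are constructed for the demo.

check_ssh_mfa() {
    pam="$1"; cfg="$2"; rc=0
    # pam_google_authenticator.so must be an active (uncommented) auth line
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam"; then
        echo "FAIL: $pam: no active 'auth required pam_google_authenticator.so'"; rc=1
    fi
    # 'auth substack password-auth' must be commented out
    if grep -Eq '^[[:space:]]*auth[[:space:]]+substack[[:space:]]+password-auth' "$pam"; then
        echo "FAIL: $pam: 'auth substack password-auth' is still active"; rc=1
    fi
    # ChallengeResponseAuthentication must be yes and not overridden by an active 'no'
    if ! grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes' "$cfg" \
       || grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+no' "$cfg"; then
        echo "FAIL: $cfg: ChallengeResponseAuthentication is not 'yes'"; rc=1
    fi
    # AuthenticationMethods must require publickey plus keyboard-interactive
    if ! grep -Eq '^[[:space:]]*AuthenticationMethods[[:space:]].*publickey,keyboard-interactive' "$cfg"; then
        echo "FAIL: $cfg: no AuthenticationMethods entry with publickey,keyboard-interactive"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $pam and $cfg carry the MFA settings"
    return "$rc"
}

# Demo on constructed sample files (real paths: /etc/pam.d/sshd, /etc/ssh/sshd_config)
DEMO_DIR=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' '#auth substack password-auth' > "$DEMO_DIR/pam_good"
printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' 'auth substack password-auth' > "$DEMO_DIR/pam_bad"
printf '%s\n' 'ChallengeResponseAuthentication yes' 'AuthenticationMethods publickey,password publickey,keyboard-interactive' > "$DEMO_DIR/sshd_good"
check_ssh_mfa "$DEMO_DIR/pam_good" "$DEMO_DIR/sshd_good"          # prints OK, returns 0
check_ssh_mfa "$DEMO_DIR/pam_bad"  "$DEMO_DIR/sshd_good" || true  # prints FAIL for the active substack line
```

To check the live system, call check_ssh_mfa /etc/pam.d/sshd /etc/ssh/sshd_config as root before running systemctl restart sshd.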

References

  1. https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-centos-7