This article describes how to set up two-factor authentication with Google Authenticator on CentOS 6.5.
System: CentOS 6.5 x86_64
[[email protected] ~]# uname -a
Linux uu 2.6.32-642.el6.x86_64 #1 SMP Wed Apr 13 00:51:26 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
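Requirements:
Disable SELinux.
The stock git 1.7.1 is too old: GitHub no longer supports downloads with the git 1.7.1 client, so a newer version has to be downloaded and installed.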
yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel -y
yum install gcc perl-ExtUtils-MakeMaker -y
yum remove git -y
yum update -y nss curl libcurl
cd /usr/src
wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz
# Retry used when the certificate check fails on this old system; it skips TLS verification of the download
wget https://www.kernel.org/pub/software/scm/git/git-2.1.2.tar.gz --no-check-certificate
tar xzf git-2.1.2.tar.gz
cd git-2.1.2
make prefix=/usr/local/git all
make prefix=/usr/local/git install
# Single quotes keep $PATH unexpanded, so it is evaluated at login instead of being frozen into /etc/bashrc
echo 'export PATH=$PATH:/usr/local/git/bin' >> /etc/bashrc
source /etc/bashrc
# Configure git to skip HTTPS certificate verification
git config --global http.sslVerify false
# Build and install the Google Authenticator PAM module
yum install -y git automake libtool pam-devel
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make && make install
# Copy the module into the 64-bit PAM module directory
cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
This step is optional; without a graphical QR code, enter the secret key printed by the program by hand.
yum install -y git qrencode
Add the following line to /etc/pam.d/sshd [place it before auth include password-auth]
vim /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
/etc/init.d/sshd restart
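A read-only check of the two files edited in this step, added here as an example that is not part of the original article: it confirms that `ChallengeResponseAuthentication` and `UsePAM` are `yes` and that an active `auth` line loading `pam_google_authenticator.so` sits before the `password-auth` include. The function names and sample files are constructed for illustration, and the `required` control flag in the samples is an assumption, since the article does not show its PAM line.

```shell
# Added example, not from the original article: read-only audit of the two files.
# Effective value of sshd_config keyword $2 in file $1, lower-cased. Keywords are
# case-insensitive and the first occurrence wins; commented lines never match.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Line number of the first active "auth" line in file $1 that matches regex $2.
auth_line() {
    awk -v pat="$2" '$1 == "auth" && $0 ~ pat { print NR; exit }' "$1"
}

# check_2fa [sshd_config] [pam_file]: return 0 only when both files agree with the
# steps above. A keyword that is absent is reported too, so the setting is explicit.
check_2fa() {
    local sshd_cfg="${1:-/etc/ssh/sshd_config}" pam_cfg="${2:-/etc/pam.d/sshd}"
    local rc=0 key ga pw
    for key in ChallengeResponseAuthentication UsePAM; do
        if [ "$(sshd_value "$sshd_cfg" "$key")" != "yes" ]; then
            echo "FAIL: $key is not set to yes in $sshd_cfg"; rc=1
        fi
    done
    ga=$(auth_line "$pam_cfg" 'pam_google_authenticator[.]so')
    pw=$(auth_line "$pam_cfg" 'password-auth')
    if [ -z "$ga" ]; then
        echo "FAIL: no active auth line loads pam_google_authenticator.so"; rc=1
    elif [ -n "$pw" ] && [ "$ga" -gt "$pw" ]; then
        echo "FAIL: module line $ga comes after the password-auth include on line $pw"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $sshd_cfg and $pam_cfg match the steps above"
    return "$rc"
}

# Constructed sample files. The "required" control flag is an assumption; the
# commented-out module line in pam_late must not count as active.
SAMPLES=$(mktemp -d)
printf '%s\n' '#UsePAM no' 'usepam yes' 'ChallengeResponseAuthentication yes' \
    > "$SAMPLES/sshd_ok"
printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication no' > "$SAMPLES/sshd_bad"
printf '%s\n' 'auth required pam_google_authenticator.so' \
    'auth include password-auth' > "$SAMPLES/pam_ok"
printf '%s\n' '#auth required pam_google_authenticator.so' \
    'auth include password-auth' 'auth required pam_google_authenticator.so' \
    > "$SAMPLES/pam_late"

check_2fa "$SAMPLES/sshd_ok" "$SAMPLES/pam_ok"
check_2fa "$SAMPLES/sshd_bad" "$SAMPLES/pam_late" || true
```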
google-authenticator
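There are two ways:
1. Scan this QR code with the Google Authenticator app on your phone to add the host.
To get the app, search for Google Authenticator in your app store.
Multiple clients can be added as needed.
Enter the one-time code shown on the phone.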
[[email protected] ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DJQPBXCQ5UjeARJDKW56QG7PX5M%26issuer%3Duu
Your new secret key is: JQPBXCQ5UjeARJDKW56QG7PX5M
Enter code from app (-1 to skip): 441989
Code confirmed
Your emergency scratch codes are:
15017326
13268423
41466235
66165819
90381302
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, and the 8 next
codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
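In total, five questions above are answered with y.
Second: whether to update your Google Authenticator file. Because this is the first setup, you must answer y.
Third: whether to disallow reuse of the same token. Answer y here to disallow it, which guards against man-in-the-middle spoofing.
Fourth: by default a token is valid for 30s. This setting is a tolerance for the host clock and the token client clock disagreeing; you can answer y or n, depending on how strict your requirements are.
Fifth: whether to enable the limit on attempts. By default no more than 3 login attempts are allowed within 30s, which prevents others from brute-forcing the code.
These settings are stored in the user's ~/.google_authenticator file. The 5 codes under "emergency scratch codes" are emergency codes; be sure to remember them. They are for when your one-time codes cannot be used, and each one becomes invalid once it has been used. You can regenerate them later after logging in.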