
Install google-authenticator on the bastion machine

巴扎黑 (Original)
2017-06-23 14:34:31

The company's production machines must not be open to arbitrary logins, so developers cannot log in to them at will. I therefore plan to use the google-auth (Google Authenticator) verification method.

Build google-authenticator:

Building it is very simple; the steps are as follows:

git clone the latest version of google-authenticator-libpam.

cd google-authenticator-libpam/

./bootstrap.sh

./configure && make && make install

ln -s /usr/local/lib/security/pam_google_authenticator.so /lib64/security/pam_google_authenticator.so

Modify /etc/pam.d/sshd:

 #Add a line at the top: "auth required pam_google_authenticator.so"
 #This configuration can be made more elaborate by adding parameters; see libpam/README
 #Note: if you find you are still asked for a password afterwards, change the line to "auth sufficient pam_google_authenticator.so" and try again.

Modify /etc/ssh/sshd_config:

Change the ChallengeResponseAuthentication option from no to yes

Make sure UsePAM yes is set

service sshd restart

Generate the key:

 $ google-authenticator  #Note: run this as the user who needs to log in, not as root
 Do you want authentication tokens to be time-based (y/n) y  (confirm: time-based authentication tokens)
 [The URL of the generated QR code, the QR code itself, the plaintext key and the emergency scratch codes are displayed here]
 Do you want me to update your "/var/www/.google_authenticator" file (y/n) y  (confirm: update the configuration file)
 ……
 size of 1:30min to about 4min. Do you want to do so (y/n) n  (the token validity window is 1.5 min; answer y to widen it to 4 min)
 ......
 Do you want to enable rate-limiting (y/n) y  (only three attempts are allowed within 30s)

Scan the QR code in the app, or enter the key manually, and you will see that the token is updated every 30 seconds

Try to log in:
 $ ssh localhost
 Verification code: [enter the verification code]
 Password: [enter the password]

Supplement:

At that time, Google Authenticator was simply added on top of the existing login. In actual use, having to enter both a verification code and a password is too cumbersome, so when building our jump host we chose the publickey + authenticator solution, which requires entering only the verification code. This does have stricter requirements, however: the OpenSSH version must be greater than 6.2, otherwise AuthenticationMethods cannot be used. The simplest route is to use CentOS 7 (verified to work); my test on CentOS 6.5 did not work (probably down to my own lack of skill).

The configuration itself has not changed much; the main difference is the new AuthenticationMethods parameter of OpenSSH 6.2+, which lets you specify a sequence of authentication methods. The configuration is as follows:

#By default, publickey verification is required first, and then the verification code
AuthenticationMethods publickey,keyboard-interactive

#For the specified IP, only publickey verification is required
Match Address 10.0.0.4
AuthenticationMethods publickey

#You can also specify that the user only needs publickey verification
#Match User XXX
#AuthenticationMethods publickey



By the way, a complaint: this Linux stuff is really frustrating. When I configured the backup jump host today with exactly the same configuration, copying it over turned out not to work. Although only publickey and keyboard-interactive were specified in the configuration, every time after entering the verification code I was still asked for a password. After struggling for several hours I found that "auth required pam_google_authenticator.so" is no longer appropriate and must be changed to "auth sufficient pam_google_authenticator.so", so that the authentication process ends once the verification code has been entered (does sufficient add a break? What the hell.) (Thanks @)


Finally, a reminder for SecureCRT users: under Session Options -> Connection -> SSH2 -> Authentication, select only "Keyboard Interactive", otherwise you will not be able to log in normally.

 Error: configure: error: Unable to find the PAM library or the PAM header files

 Fix: yum install -y pam-devel


