Home > Article > Operation and Maintenance > Install google-authenticator on the bastion machine
The company’s online machines do not allow users to log in at will, so developers cannot log in to production machines at will. So I plan to use the google-auth verification method.
If the google-auth method.
Build google-authenticator:
Building this is very simple, as follows:
git clone download the latest version of google auth.
cd google-authenticator-libpam/
./bootstrap.sh
./configure && make && make install
ln -s /usr/ local/lib/security/pam_google_authenticator.so /lib64/security/pam_google_authenticator.so
Modify /etc/pam.d/sshd,
#Add a line at the top "auth required pam_google_authenticator.so "
#This configuration can be more complicated, add some parameters, see libpam/README
#Note: If you encounter a situation where you still need to enter a password, change it to "auth sufficient pam_google_authenticator.so" and try it.
Modify /etc/ssh/sshd_config
Change the ChallengeResponseAuthentication option from no to yes
Change UsePAM yes
service sshd restart
Generate key
$ google-authenticator #Note: The user who runs this command is the user who needs to log in, not the root user
Do you want authentication tokens to be time-based (y/n) y ( Confirmation: time-based authentication token)
[The address where the QR code was generated, the QR code, the key plain text, and the emergency code will be displayed here]
Do you want me to update your "/var/www/. google_authenticator" file (y/n) y (Confirm: Update configuration file)
……
size of 1:30min to about 4min. Do you want to do so (y/n) n ( The token validity period is 1.5min, choose y to get 4min)
......
Do you want to enable rate-limiting (y/n) y (only three attempts are allowed within 30s)
Scan the QR code in the app, or enter the key manually, and you will see that the token is updated every 30 seconds
Try to log in
$ ssh localhost
Verification code: [Enter the verification code 】
Password: 【Enter password】
Supplement:
But at that time, Google Authenticator was simply added. In actual use, It is too cumbersome to enter both verification and password, so when building our springboard machine, we chose the solution of publickey + authenticator, and only need to enter the verification code once. But it’s a lot to ask for here. For example, the version of openssh is greater than 6.2. If not, AuthenticationMethods cannot be used. The best way is to use the centos7 version (it has been verified that it can be used). The centos6.5 test cannot be used (it should be because I am not good at technology).
The specific configuration scheme has not changed much, mainly due to the use of the new AuthenticationMethods parameter of SSH 6.2+, which can specify a series of authentication methods. The specific configuration is as follows:
By the way, I want to complain, this Linux thing is really frustrating. When I configured the springboard backup machine today, it was exactly the same configuration. It was wrong to copy it. Although only publickey and keyboard-interactive were specified in the configuration, Every time after entering the verification code, I am still required to enter the password. After struggling for several hours, I found out that "auth required pam_google_authenticator.so" is no longer appropriate and needs to be changed to "auth sufficient pam_google_authenticator.so". ", so that the authentication process will end after entering the verification code (sufficient implementation adds a break? What the hell.) (Thanks@)
Finally, a reminderUse SecureCRT Classmate , you need to select only "Keyboard Interactive" in Authentication in Session Options -> Connection -> SSH2, otherwise you will not be able to log in normally.
Error: configure: error: Unable to find the PAM library or the PAM header files
Method: yum install -y pam-devel
Quote:
The above is the detailed content of Install google-authenticator on the bastion machine. For more information, please follow other related articles on the PHP Chinese website!