发布于

SSH 双因子认证。 —杜绝一切的SSH爆破

原文:https://www.bt.cn/bbs/thread-40582-1-1.html

我只是测试了Centos7  其他的系统版本我木有测试
一、安装谷歌认证

yum install google-authenticator  -y

二、设置SSH的配置

2.1

设置/etc/pam.d/sshd

[root@localhost ~]# vim /etc/pam.d/sshd
  1. auth required pam_google_authenticator.so

    #在第一行(即auth required pam_sepermit.so的下一行)添加该语句

复制代码

2.2设置/etc/ssh/sshd_config

ChallengeResponseAuthentication yes

#找到相应的参数,修改其选项为yes

复制代码

2.3 重启ssh 服务

[root@localhost ~]# systemctl restart sshd

三、设置谷歌认证

[root@localhost ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost%3Fsecret%3DX7GNO4B5NVYYYFI747A4UOLFR4%26issuer%3Dlocalhost
复制代码

Your new secret key is: X7GNO4B5NVYYYFI747A4UOLFR4
Your verification code is 968659
Your emergency scratch codes are:
  22394869
  95632253
  87095313
  80140198
  71922478


Do you want me to update your "/root/.google_authenticator" file? (y/n) y


Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y


By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y


If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
复制代码

这里只要一路按Y 就可以了

四、安装谷歌认证


五、Windows 登陆


这里使用的Xshell


然后点击确定,后面点登陆

六、Linux 登陆

[root@localhost ~]# ssh 192.168.1.191
The authenticity of host '192.168.1.191 (192.168.1.191)' can't be established.
ECDSA key fingerprint is SHA256:dX8t6SUvwVX9/IzwSrP6Zf4Zx8T14IKS5myTTeow3D4.
ECDSA key fingerprint is MD5:5e:d6:e2:73:74:f6:44:a0:e2:e2:81:6a:4b:3f:c3:b9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.191' (ECDSA) to the list of known hosts.
Verification code:
Password:
Last login: Mon Nov 25 17:32:27 2019 from 192.168.20.159

复制代码

这里是先输入验证码然后再输入密码的
END 完结