ssh 登錄驗證:使用公鑰和谷歌認證
server 端 配置文件
Port 3208 Protocol 2 ListenAddress 0.0.0.0 SyslogFacility AUTHPRIV RSAAuthentication yes PubkeyAuthentication yes PermitRootLogin no PermitEmptyPasswords no PasswordAuthentication yes ChallengeResponseAuthentication no GSSAPIAuthentication no #是否在用戶退出登錄後自動銷毀用戶憑證緩存 GSSAPICleanupCredentials yes UsePAM yes AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL X11Forwarding no UseDNS no ClientAliveInterval 60 Subsystem sftp /usr/libexec/openssh/sftp-server
client端配置文件
Port 3208 Protocol 2 ListenAddress ip SyslogFacility AUTHPRIV PermitRootLogin no PermitEmptyPasswords no PasswordAuthentication yes ChallengeResponseAuthentication no GSSAPIAuthentication no GSSAPICleanupCredentials yes UsePAM yes AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL X11Forwarding no UseDNS no ClientAliveInterval 60 Subsystem sftp /usr/libexec/openssh/sftp-server
1.生成公鑰與私鑰
ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/client/.ssh/id_rsa): #此處直接按回車即可 Created directory '/home/client/.ssh'. Enter passphrase (empty for no passphrase): #此處直接按回車即可 Enter same passphrase again: #此處直接按回車即可 Your identification has been saved in /home/client/.ssh/id_rsa. Your public key has been saved in /home/client/.ssh/id_rsa.pub.
2. 將公鑰文件追加到server端用戶目錄的./ssh/authorized_keys中 ,.ssh目錄權限必須是0700
cat id_rsa.pub >> authorized_keys chmod 600 authorized_keys
3.server 端 和client 端 無密碼登錄
scp ./id_rsa.pub [email protected]:/home/sweet/.ssh/authorized_keys #注意一下目標機的authorized_keys的權限是-rw-r--r--,如果不是需要執行chmod 644 authorized_keys修改文件的權限
谷歌驗證器
安裝GOOGLE-AUTHENTICATOR驗證器 1.安裝epel源 rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm 2.安裝git級二維碼工具 yum install -y git qrencode 3.安裝開發包工具 yum groupinstall -y "Development Tools" pam-devel 4.安裝google-authenticator git clone https://github.com/google/google-authenticator.git cd google-authenticator/libpam/ sh bootstrap.sh ./configure && make && make install cp -v /usr/local/lib/security/pam_google_authenticator.so /lib64/security/ 5.生成基於計數的認證token(可以忽略時間錯誤) google-authenticator(n,y,y,y) 6.更改ssh級pam設置 ## 修改PAM vi /etc/pam.d/sshd auth required pam_google_authenticator.so ## 修改SSH配置 ChallengeResponseAuthentication yes UsePAM yes service sshd restart 修改ssh的鑒權方式,改為鍵盤交互。 注意: 這裡要把應急驗證碼記錄下,防止驗證壞掉以後無法登陸,也可以把ssh的公鑰下載下來做備用登陸方式
http://xxxxxx/Linuxjc/1146681.html TechArticle
