#### ssh 二次认证
1) 安装依赖环境
yum install gcc wget pam-devel libpng-devel libtool
2) 安装二维码工具
yum install -y qrencode
3) 安装 google_authenticator (EPEL repo)
yum install google-authenticator -y
4) setup
<1> Using command line switch to the user you want to setup Google 2-step verification for
[root@test23 src]# su root
<2> Run the Google Authenticator script and answer yes (y) to all questions:
[root@test23 src]# google-authenticator
<3> 执行 google-authenticator 命令 会生成一张二维码 ,手机下载 google authenticator app 扫描上面的二维码(或者手动输入),这样就能实现 基于时间的 口令同步.同时在用户的家目录下 下面5个是万能钥匙 用一次少一个 .
<4> 设置 ssh 登陆认证方式,Edit the file /etc/pam.d/sshd,and add this line towards the top of the file:
# google authenticator
auth required pam_google_authenticator.so
<5>Next, edit the file /etc/ssh/sshd_config ,and change the ChallengeResponseAuthentication value to yes so it looks something like:
# google authenticator
ChallengeResponseAuthentication yes
<6> 重启 sshd 服务
#### 普通用户su到root用户二次认证
[root@test23 redhat]# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
# google authenticator
auth required pam_google_authenticator.so
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
#### 普通用户su到root用户不需要输入系统密码认证
[root@test23 redhat]# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
# google authenticator
auth required pam_google_authenticator.so
auth [success=ignore default=1] pam_succeed_if.so user = root
auth sufficient pam_succeed_if.so use_uid user = redhat
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
其中:
auth [success=ignore default=1] pam_succeed_if.so user = root
auth sufficient pam_succeed_if.so use_uid user = redhat
第一行的意思是 要 su 到哪个用户不需要输入密码
第二行的意思是 要从哪个用户 su 到一行时候才不要密码
由于 auth required pam_google_authenticator.so 这一行在前面,所有 本列中从 redhat su 到 root ,不需要输入 root 的系统密码, 但是需要输入 google 的动态口令.
如果说想指定和多用户 su 到 root 都不需要 root 密码,只需输入动态口令,有两种方式:
1) 把上面的两行改成如下
auth [success=ignore default=1] pam_succeed_if.so user = root
auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople
意思是把 需要的普通用户都加入一个 allowedpeople 用户组里, 对该用户组授权!
2) 见下面是用 普通用户 sudo 到 root 用户不需要输入系统密码认证
#### 普通用户 sudo 到 root 用户不需要输入系统密码认证
1) 切换到普通用户(redhat) 执行google-authenticator
2) 此普通用户(redhat)在 sudo 的配置文件为
redhat ALL=(ALL) /bin/su - root
3) 修改 sudo 的pam 文件如下
[root@test23 pam.d]# cat /etc/pam.d/sudo
#%PAM-1.0
# google authenticator
#auth required pam_radius_auth.so
auth required pam_google_authenticator.so
#auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
4) 普通用户通过 google 口令 sudo 到 root 用户
[redhat@test23 ~]$ sudo su - root
Verification code:
[root@test23 ~]#
另外一种方式 见 Radius
原文出处:Netkiller 系列 手札
本文作者:陈景峯
转载请与作者联系,同时请务必标明文章原始出处和作者信息及本声明。