SSH 双因子认证。 ---杜绝一切的SSH爆破

我只是测试了Centos7  其他的系统版本我木有测试
一、安装谷歌认证

yum install google-authenticator  -y




二、设置SSH的配置

2.1 设置/etc/pam.d/sshd

[root@localhost ~]# vim /etc/pam.d/sshd

1. auth required pam_google_authenticator.so        #在第一行（即auth required pam_sepermit.so的下一行）添加该语句

复制代码

2.2 设置/etc/ssh/sshd_config

1. 
   
2. ChallengeResponseAuthentication yes        #找到相应的参数，修改其选项为yes

复制代码

2.3 重启ssh 服务
[root@localhost ~]# systemctl restart sshd


三、设置谷歌认证

1. [root@localhost ~]# google-authenticator
   
2. 
   
3. Do you want authentication tokens to be time-based (y/n) y
   
4. Warning: pasting the following URL into your browser exposes the OTP secret to Google:
   
5.   https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost%3Fsecret%3DX7GNO4B5NVYYYFI747A4UOLFR4%26issuer%3Dlocalhost
   

复制代码

1. Your new secret key is: X7GNO4B5NVYYYFI747A4UOLFR4
   
2. Your verification code is 968659
   
3. Your emergency scratch codes are:
   
4.   22394869
   
5.   95632253
   
6.   87095313
   
7.   80140198
   
8.   71922478
   
9. 
   
10. Do you want me to update your "/root/.google_authenticator" file? (y/n) y
    
11. 
    
12. Do you want to disallow multiple uses of the same authentication
    
13. token? This restricts you to one login about every 30s, but it increases
    
14. your chances to notice or even prevent man-in-the-middle attacks (y/n) y
    
15. 
    
16. By default, a new token is generated every 30 seconds by the mobile app.
    
17. In order to compensate for possible time-skew between the client and the server,
    
18. we allow an extra token before and after the current time. This allows for a
    
19. time skew of up to 30 seconds between authentication server and client. If you
    
20. experience problems with poor time synchronization, you can increase the window
    
21. from its default size of 3 permitted codes (one previous code, the current
    
22. code, the next code) to 17 permitted codes (the 8 previous codes, the current
    
23. code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
    
24. between client and server.
    
25. Do you want to do so? (y/n) y
    
26. 
    
27. If the computer that you are logging into isn't hardened against brute-force
    
28. login attempts, you can enable rate-limiting for the authentication module.
    
29. By default, this limits attackers to no more than 3 login attempts every 30s.
    
30. Do you want to enable rate-limiting? (y/n) y
    

复制代码

这里只要一路按Y 就可以了


四、安装谷歌认证









五、Windows 登陆


这里使用的Xshell




然后点击确定，后面点登陆




六、Linux 登陆

1. [root@localhost ~]# ssh 192.168.1.191
   
2. The authenticity of host '192.168.1.191 (192.168.1.191)' can't be established.
   
3. ECDSA key fingerprint is SHA256:dX8t6SUvwVX9/IzwSrP6Zf4Zx8T14IKS5myTTeow3D4.
   
4. ECDSA key fingerprint is MD5:5e:d6:e2:73:74:f6:44:a0:e2:e2:81:6a:4b:3f:c3:b9.
   
5. Are you sure you want to continue connecting (yes/no)? yes
   
6. Warning: Permanently added '192.168.1.191' (ECDSA) to the list of known hosts.
   
7. Verification code:
   
8. Password:
   
9. Last login: Mon Nov 25 17:32:27 2019 from 192.168.20.159
   

复制代码

这里是先输入验证码然后再输入密码的






END 完结

学习了。

这就厉害了

密钥有泄露风险，密码加动态密码的登陆形式，似乎是不错的选择。

感觉不错...不知道后面会不会直接出插件？

Hax0412 发表于 2019-11-27 16:01
感觉不错...不知道后面会不会直接出插件？

不是很想出插件。这个东西小白用不明白