http://zy191.blog.fc2blog.us/blog-entry-11.html
In everyday life, once someone learns our password the consequences can be unimaginable. Yet when we play games we usually get the double protection of a password plus a dynamic numeric code. So here I'd like to share a Google-based one-time-password generator that protects our SSH logins. Because this software generates codes based on time, the phone and the host can verify each other without a network connection, which is very convenient. (Unlike Tencent's dynamic password, which still needs a network connection. Ha, that's off topic; Tencent is awesome, thumbs up!!)
Environment: Red Hat Enterprise Linux 7
Required package: libpam-google-authenticator-1.0-source.tar.bz2
Download: wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Since it is hosted on Google, you need to get around the firewall to download it, so I'm also providing a link on my cloud drive: http://pan.baidu.com/s/1bnycltH
I'm also providing the code generator app for Android devices (the iOS version isn't covered here; you can download it from iTunes yourself and the setup is much the same): google_authenticator_2.49.apk. You can search Baidu for it, or download it from my cloud drive: http://pan.baidu.com/s/1mgN2rg8
[root@localhost ~]# yum install make gcc pam-devel -y #install these before building: the source package has build dependencies, so resolve them all at once here. If you'd rather see why each one is needed, skip this step and go step by step; the system will tell you what's missing and you can fix it as you go
[root@localhost ~]# ls
libpam-google-authenticator-1.0-source.tar.bz2
[root@localhost ~]# tar xvfvj libpam-google-authenticator-1.0-source.tar.bz2 #extract the package
-rw-rw-r-- root/root 2471 2012-05-14 21:32 libpam-google-authenticator-1.0/base32.c
drwxr-xr-x Creating directory: libpam-google-authenticator-1.0
-rw-rw-r-- root/root 4737 2012-05-14 21:32 libpam-google-authenticator-1.0/demo.c
-rw-rw-r-- root/root 24608 2012-05-14 21:32 libpam-google-authenticator-1.0/google-authenticator.c
-rw-rw-r-- root/root 2495 2012-05-14 21:32 libpam-google-authenticator-1.0/hmac.c
-rw-rw-r-- root/root 48300 2012-05-14 21:32 libpam-google-authenticator-1.0/pam_google_authenticator.c
-rw-rw-r-- root/root 19257 2012-05-14 21:32 libpam-google-authenticator-1.0/pam_google_authenticator_unittest.c
-rw-rw-r-- root/root 11201 2012-05-14 21:32 libpam-google-authenticator-1.0/sha1.c
-rw-rw-r-- root/root 1387 2012-05-14 21:32 libpam-google-authenticator-1.0/base32.h
-rw-rw-r-- root/root 919 2012-05-14 21:32 libpam-google-authenticator-1.0/hmac.h
-rw-rw-r-- root/root 1189 2012-05-14 21:32 libpam-google-authenticator-1.0/sha1.h
-rw-rw-r-- root/root 9422 2012-05-14 21:32 libpam-google-authenticator-1.0/totp.html
-rw-rw-r-- root/root 4915 2012-05-14 21:32 libpam-google-authenticator-1.0/Makefile
-rw-rw-r-- root/root 2632 2012-05-14 21:32 libpam-google-authenticator-1.0/FILEFORMAT
-rw-rw-r-- root/root 4519 2012-05-14 21:32 libpam-google-authenticator-1.0/README
drwxrwxr-x root/root 0 2012-05-14 21:32 libpam-google-authenticator-1.0/utc-time/
-rw-rw-r-- root/root 125 2012-05-14 21:32 libpam-google-authenticator-1.0/utc-time/app.yaml
-rw-rw-r-- root/root 300 2012-05-14 21:32 libpam-google-authenticator-1.0/utc-time/utc-time.py
[root@localhost ~]# ls
libpam-google-authenticator-1.0 libpam-google-authenticator-1.0-source.tar.bz2 Templates
[root@localhost ~]# cd libpam-google-authenticator-1.0/
[root@localhost libpam-google-authenticator-1.0]# ls
base32.c hmac.c README
base32.h hmac.h sha1.c
demo.c Makefile sha1.h
FILEFORMAT pam_google_authenticator.c totp.html
google-authenticator.c pam_google_authenticator_unittest.c utc-time
[root@localhost libpam-google-authenticator-1.0]# make
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o google-authenticator.o google-authenticator.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o base32.o base32.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o hmac.o hmac.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o sha1.o sha1.c
gcc -g -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o -ldl
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator.o pam_google_authenticator.c
gcc -shared -g -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o demo.o demo.c
demo.c: In function ‘pam_get_item’:
demo.c:88:36: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
memcpy(item, &service, sizeof(&service));
^
demo.c:93:33: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
memcpy(item, &user, sizeof(&user));
^
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_demo.o pam_google_authenticator.c
gcc -g -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o -ldl
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden \
-o pam_google_authenticator_testing.o pam_google_authenticator.c
gcc -shared -g -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
pam_google_authenticator_unittest.c: In function ‘pam_get_item’:
pam_google_authenticator_unittest.c:76:36: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
memcpy(item, &service, sizeof(&service));
^
pam_google_authenticator_unittest.c:81:33: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
memcpy(item, &user, sizeof(&user));
^
gcc -g -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc -ldl
[root@localhost libpam-google-authenticator-1.0]# ls #after make, a series of .so files has been generated
base32.c pam_google_authenticator_demo.o
base32.h pam_google_authenticator.o
base32.o pam_google_authenticator.so
demo pam_google_authenticator_testing.o
demo.c pam_google_authenticator_testing.so
demo.o pam_google_authenticator_unittest
FILEFORMAT pam_google_authenticator_unittest.c
google-authenticator pam_google_authenticator_unittest.o
google-authenticator.c README
google-authenticator.o sha1.c
hmac.c sha1.h
hmac.h sha1.o
hmac.o totp.html
Makefile utc-time
pam_google_authenticator.c
[root@localhost libpam-google-authenticator-1.0]# make install #install the software
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin
[root@localhost libpam-google-authenticator-1.0]# vim /etc/pam.d/sshd #make ssh use our PAM module
auth required pam_google_authenticator.so #change the second line to this
[root@localhost libpam-google-authenticator-1.0]# vim /etc/ssh/sshd_config #edit the main ssh configuration file
ChallengeResponseAuthentication yes #change the original no to yes
[root@localhost libpam-google-authenticator-1.0]# systemctl restart sshd.service #restart the service
[root@localhost libpam-google-authenticator-1.0]# google-authenticator #after installation the system provides this command for pairing with the phone
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@localhost%3Fsecret%3DMLZOXL5HIX6VYXAA
A QR code is generated here (not shown). You can download a QR scanner from Google Play and scan it to pair with the phone, so you don't have to type the long string below. Very convenient.
Your new secret key is: MLZOXL5HIX6VYXAA #the code that must be entered when pairing the phone; important
Your verification code is 792299
Your emergency scratch codes are: #the keys needed for recovery
62189051
67623626
11480665
11203060
49277372
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
With that, the setup of the host that requires two-factor authentication is complete. When we ssh to this host from a second machine, we are first asked to enter a code and then the user password before we can log in; this code is the dynamic password on our phone that changes every thirty seconds.
Phone setup (Android devices)
1 Install the apk package linked at the very beginning above
2 Open the app as shown in the figure, tap Begin setup, then enter a note on the first line and on the second line enter exactly (case-sensitive) the secret key generated above
All settings complete