Category: LINUX

2015-05-13 00:11:12

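In everyday life, a password that falls into someone else's hands can have unimaginable consequences. The games we play, however, often protect accounts with both a password and a dynamic numeric code. With that in mind, here is a Google-based one-time-password tool for protecting our SSH logins. Because the codes are generated from the current time, the phone and the host can verify them without any network connection, which is very convenient. (Unlike Tencent's dynamic password, which needs a network connection. Haha, off topic; Tencent is awesome, thumbs up!!)
Environment: Red Hat Enterprise Linux 7
Required package: libpam-google-authenticator-1.0-source.tar.bz2
Download address:
wget
The package is hosted on Google, so downloading it requires getting around the firewall; here is my net-disk download address instead:

An Android app that generates the dynamic codes is also provided (the Apple version is not covered here; you can get it from iTunes yourself, and the setup is much the same): google_authenticator_2.49.apk. You can search for it on Baidu or download it from my net disk: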

[root@localhost ~]# yum install make gcc pam-devel  -y   # The source package has build dependencies, so install them all up front. You can also skip this and work through it step by step; the system will tell you what is missing.

[root@localhost ~]# ls
libpam-google-authenticator-1.0-source.tar.bz2 
[root@localhost ~]# tar xvfvj libpam-google-authenticator-1.0-source.tar.bz2  # unpack the package
-rw-rw-r-- root/root      2471 2012-05-14 21:32 libpam-google-authenticator-1.0/base32.c
drwxr-xr-x                  Creating directory: libpam-google-authenticator-1.0
-rw-rw-r-- root/root      4737 2012-05-14 21:32 libpam-google-authenticator-1.0/demo.c
-rw-rw-r-- root/root     24608 2012-05-14 21:32 libpam-google-authenticator-1.0/google-authenticator.c
-rw-rw-r-- root/root      2495 2012-05-14 21:32 libpam-google-authenticator-1.0/hmac.c
-rw-rw-r-- root/root     48300 2012-05-14 21:32 libpam-google-authenticator-1.0/pam_google_authenticator.c
-rw-rw-r-- root/root     19257 2012-05-14 21:32 libpam-google-authenticator-1.0/pam_google_authenticator_unittest.c
-rw-rw-r-- root/root     11201 2012-05-14 21:32 libpam-google-authenticator-1.0/sha1.c
-rw-rw-r-- root/root      1387 2012-05-14 21:32 libpam-google-authenticator-1.0/base32.h
-rw-rw-r-- root/root       919 2012-05-14 21:32 libpam-google-authenticator-1.0/hmac.h
-rw-rw-r-- root/root      1189 2012-05-14 21:32 libpam-google-authenticator-1.0/sha1.h
-rw-rw-r-- root/root      9422 2012-05-14 21:32 libpam-google-authenticator-1.0/totp.html
-rw-rw-r-- root/root      4915 2012-05-14 21:32 libpam-google-authenticator-1.0/Makefile
-rw-rw-r-- root/root      2632 2012-05-14 21:32 libpam-google-authenticator-1.0/FILEFORMAT
-rw-rw-r-- root/root      4519 2012-05-14 21:32 libpam-google-authenticator-1.0/README
drwxrwxr-x root/root         0 2012-05-14 21:32 libpam-google-authenticator-1.0/utc-time/
-rw-rw-r-- root/root       125 2012-05-14 21:32 libpam-google-authenticator-1.0/utc-time/app.yaml
-rw-rw-r-- root/root       300 2012-05-14 21:32 libpam-google-authenticator-1.0/utc-time/utc-time.py
[root@localhost ~]# ls
 libpam-google-authenticator-1.0  libpam-google-authenticator-1.0-source.tar.bz2  Templates

[root@localhost ~]# cd libpam-google-authenticator-1.0/
[root@localhost libpam-google-authenticator-1.0]# ls
base32.c                hmac.c                               README
base32.h                hmac.h                               sha1.c
demo.c                  Makefile                             sha1.h
FILEFORMAT              pam_google_authenticator.c           totp.html
google-authenticator.c  pam_google_authenticator_unittest.c  utc-time
[root@localhost libpam-google-authenticator-1.0]# make
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o google-authenticator.o google-authenticator.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o base32.o base32.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o hmac.o hmac.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o sha1.o sha1.c
gcc -g   -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o  -ldl
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o demo.o demo.c
demo.c: In function ‘pam_get_item’:
demo.c:88:36: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
       memcpy(item, &service, sizeof(&service));
                                    ^
demo.c:93:33: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
       memcpy(item, &user, sizeof(&user));
                                 ^
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_demo.o pam_google_authenticator.c
gcc -g   -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o  -ldl
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden        \
              -o pam_google_authenticator_testing.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
pam_google_authenticator_unittest.c: In function ‘pam_get_item’:
pam_google_authenticator_unittest.c:76:36: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
       memcpy(item, &service, sizeof(&service));
                                    ^
pam_google_authenticator_unittest.c:81:33: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
       memcpy(item, &user, sizeof(&user));
                                 ^
gcc -g   -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc  -ldl
[root@localhost libpam-google-authenticator-1.0]# ls  # make produces a series of .so files
base32.c                    pam_google_authenticator_demo.o
base32.h                    pam_google_authenticator.o
base32.o                    pam_google_authenticator.so   
demo                        pam_google_authenticator_testing.o
demo.c                      pam_google_authenticator_testing.so
demo.o                      pam_google_authenticator_unittest
FILEFORMAT                  pam_google_authenticator_unittest.c
google-authenticator        pam_google_authenticator_unittest.o
google-authenticator.c      README
google-authenticator.o      sha1.c
hmac.c                      sha1.h
hmac.h                      sha1.o
hmac.o                      totp.html
Makefile                    utc-time
pam_google_authenticator.c
[root@localhost libpam-google-authenticator-1.0]# make install  # install the software
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin
[root@localhost libpam-google-authenticator-1.0]# vim /etc/pam.d/sshd   # make ssh use our plugin

auth       required     pam_google_authenticator.so   # change the second line to this


[root@localhost libpam-google-authenticator-1.0]# vim /etc/ssh/sshd_config  # edit the main ssh configuration file


# change the original no to yes
ChallengeResponseAuthentication yes

[root@localhost libpam-google-authenticator-1.0]# systemctl restart sshd.service  # restart the service
[root@localhost libpam-google-authenticator-1.0]# google-authenticator  # after installation this command is available for binding the account to the phone
Do you want authentication tokens to be time-based (y/n) y
|0&cht=qr&chl=otpauth://totp/root@localhost%3Fsecret%3DMLZOXL5HIX6VYXAA

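A QR code is generated at this point (not shown here). You can download a QR scanner from Google Play and scan the code to bind the phone, so there is no need to type the long string below, which is very convenient.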


Your new secret key is: MLZOXL5HIX6VYXAA  # the code you must enter when binding the phone; important
Your verification code is 792299
Your emergency scratch codes are:   # keys needed for recovery
  62189051
  67623626
  11480665
  11203060
  49277372

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

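This completes the setup on the host that requires two-step verification. When we ssh to this host from a second machine, we are first asked for a code and then for the user's password before the login succeeds. The code is the dynamic password on our phone, which changes every thirty seconds.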
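An added example (not from the original post and not the PAM module's source) that models what the prompts above describe: a code derived only from the shared secret and the clock, a window of one extra token before and after the current one, and refusal of a reused token. The secret is the published RFC 6238 test key, and the `TotpVerifier` class with its replay rule is an illustrative assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each token is valid for, per the prompt text
# Published RFC 6238 test key, not the secret shown in this post.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Hypothetical verifier: +/- `window` steps, each step usable once."""

    def __init__(self, secret_b32, window=1):
        self.secret = secret_b32
        self.window = window
        self.last_step = -1  # newest time step already accepted

    def verify(self, code, now):
        current = int(now) // STEP  # the clock is the only other input
        for step in range(current - self.window, current + self.window + 1):
            if step < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step <= self.last_step:
                    return False  # token already used: reject the replay
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET)
    print(verifier.verify("287082", 59))  # first use of the current token
    print(verifier.verify("287082", 59))  # same token presented again
```

Because both sides compute the code from the secret and their own clocks, the window only helps if the host and the phone keep reasonably accurate time.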

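Phone setup (Android device)
1 Install the apk package mentioned at the very beginning
2 Open the app as shown in the figure and tap "Begin setup", then enter a note in the first field and, in the second field, enter the verification code generated above exactly as shown (it is case-sensitive)
All settings are now complete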
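A check for the two server-side edits made above, as an added example rather than part of the original post: it reads the text of `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` and reports what would keep the code prompt from being enforced. The sample file contents are constructed, the function names are hypothetical, and the `UsePAM` check and the requirement that both keywords be set explicitly are assumptions beyond the page's steps.

```python
import re

PAM_AUTH = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
MODULE = "pam_google_authenticator.so"


def sshd_global_options(text):
    """Global sshd_config keywords; sshd keeps the first value it reads."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # Match blocks are conditional, not global
        arg = parts[1].split() if len(parts) > 1 else []
        opts.setdefault(parts[0].lower(), arg[0].lower() if arg else "")
    return opts


def pam_auth_stack(text):
    """(control, module) for every auth line, in stack order."""
    found = (PAM_AUTH.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]


def audit(sshd_text, pam_text):
    problems = []
    opts = sshd_global_options(sshd_text)
    if opts.get("challengeresponseauthentication") != "yes":
        problems.append("ChallengeResponseAuthentication is not yes")
    if opts.get("usepam") != "yes":
        problems.append("UsePAM is not yes")
    controls = [c for c, m in pam_auth_stack(pam_text)
                if m.rsplit("/", 1)[-1] == MODULE]
    if not controls:
        problems.append(MODULE + " missing from the auth stack")
    elif any(c not in ("required", "requisite") for c in controls):
        problems.append(MODULE + " is not a required step")
    return problems


# Constructed sample contents: before and after the edits in this post.
SSHD_BEFORE = "UsePAM yes\nChallengeResponseAuthentication no\n"
SSHD_AFTER = "UsePAM yes\nChallengeResponseAuthentication yes\n"
PAM_BEFORE = "#%PAM-1.0\nauth required pam_sepermit.so\nauth substack password-auth\n"
PAM_AFTER = ("#%PAM-1.0\nauth required pam_google_authenticator.so\n"
             "auth substack password-auth\n")
```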




