Install Google Authenticator on your phone
Installation address: http://www.wandoujia.com/apps/com.google.android.apps.authenticator2
Note: SELinux must be turned off on the machine
1. Install the dependencies:
yum -y install gcc make pam-devel libpng-devel libtool wget git
2. Turn on the EPEL source
yum --enablerepo=epel
3. Or directly install the EPEL source RPM package
# CentOS 6
rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/epel-release-latest-6.noarch.rpm
# CentOS 7
rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/epel-release-latest-7.noarch.rpm
4. Install qrencode; Google Authenticator calls this program to generate and display the QR code
yum install -y qrencode
5. Install Google Authenticator
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
Compile and install
./bootstrap.sh
./configure --prefix=/usr/local/google-authenticator
make && make install
Copy the google authenticator pam module to the system
cp /usr/local/google-authenticator/lib/security/pam_google_authenticator.so /lib64/security/
6. Configure /etc/pam.d/sshd
Find the line
auth include password-auth
and add the following line above it:
auth required pam_google_authenticator.so
Note the order: Google authentication should be above password-auth
[root@localhost ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth required pam_google_authenticator.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
7. Modify the SSH service configuration /etc/ssh/sshd_config
Change ChallengeResponseAuthentication from no to yes:
ChallengeResponseAuthentication yes
8. Enable Google Authenticator
./google-authenticator
Do you want authentication tokens to be time-based (y/n) y
# Whether to enable time-based tokens: answer y. In testing, if you select n, the verification code on the phone is not updated automatically, and once a code has been used you cannot log in again even if you refresh the code manually.
# Next, a QR code is generated; scan it with the phone to add the security key
Answer y to all the remaining prompts.
Be sure to save the 5 emergency scratch codes shown above. If the verification code on the phone is not accepted, you can log in with one of these scratch codes; each code becomes invalid once it has been used.
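The check below is an added example, not part of the original page: it verifies the module order required in step 6 and the sshd setting from step 7. The function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for steps 6 and 7 of this guide.

# Succeeds only if an active "auth" line loading pam_google_authenticator.so
# comes before "auth include password-auth" (the order step 6 requires).
check_pam_order() {
    awk '
        $1 ~ /^#/ { next }    # ignore comment lines
        $1 == "auth" && $3 == "pam_google_authenticator.so" && !ga { ga = NR }
        $1 == "auth" && $2 == "include" && $3 == "password-auth" && !pw { pw = NR }
        END { exit !(ga && pw && ga < pw) }
    ' "$1"
}

# Succeeds only if the first active ChallengeResponseAuthentication line is
# set to "yes". sshd keeps the first value it reads for a keyword; a missing
# keyword counts as a failure here so that the setting is explicit.
check_sshd_challenge() {
    awk '
        tolower($1) == "challengeresponseauthentication" { v = $2; exit }
        END { exit !(v == "yes") }
    ' "$1"
}

# Report both checks; return non-zero if either one fails.
verify_2fa_config() {
    rc=0
    check_pam_order "$1" && echo "OK   $1: module order" \
        || { echo "FAIL $1: module order"; rc=1; }
    check_sshd_challenge "$2" && echo "OK   $2: challenge-response" \
        || { echo "FAIL $2: challenge-response"; rc=1; }
    return $rc
}

# Demo on constructed sample files (temporary paths, not the live system).
demo_dir=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth required pam_sepermit.so' \
    'auth required pam_google_authenticator.so' \
    'auth include password-auth' > "$demo_dir/pam.good"
printf '%s\n' '#%PAM-1.0' 'auth include password-auth' \
    'auth required pam_google_authenticator.so' > "$demo_dir/pam.bad"
printf '%s\n' '#ChallengeResponseAuthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo_dir/sshd_config.good"
printf '%s\n' 'ChallengeResponseAuthentication no' > "$demo_dir/sshd_config.bad"
verify_2fa_config "$demo_dir/pam.good" "$demo_dir/sshd_config.good"
verify_2fa_config "$demo_dir/pam.bad" "$demo_dir/sshd_config.bad" || true
rm -rf "$demo_dir"
```

To check the real system, call verify_2fa_config /etc/pam.d/sshd /etc/ssh/sshd_config as root.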
Linux login client settings
Reference documentation:
https://shenyu.me/2016/09/05/centos-google-authenticator.html
https://www.sulabs.net/?p=802