The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.
* Install the build prerequisites
# yum install git pam-devel make gcc-c++
* Clone google-authenticator, then build and install the PAM module with make and make install
# git clone https://code.google.com/p/google-authenticator/
# cd google-authenticator/libpam/
# make
# make install
(The code.google.com repository no longer exists; the PAM module now lives at https://github.com/google/google-authenticator-libpam, and the build there uses ./bootstrap.sh and ./configure before make. The steps that follow are otherwise unchanged.)
* Edit the PAM stack for sshd
# vi /etc/pam.d/sshd
auth required pam_google_authenticator.so
Two caveats on that line: with `required`, a wrong code is only reported after the rest of the stack has run (use `requisite` if you want the attempt to fail immediately), and any account that has no ~/.google_authenticator file yet will be unable to log in. Append `nullok` to the line during rollout if users still have to enrol, and remove it once everyone has.
* Edit sshd_config so sshd asks for the code through PAM
# vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
On OpenSSH 8.7 and later this option is called KbdInteractiveAuthentication (ChallengeResponseAuthentication is kept as a deprecated alias). If you want the OTP in addition to a public key rather than in addition to a password, also set `AuthenticationMethods publickey,keyboard-interactive`.
* Restart the ssh daemon (check the config first with `sshd -t`, and keep your current session open so a mistake does not lock you out; on systemd hosts use `systemctl restart sshd`)
# service sshd restart
* Run google-authenticator as the user who will be logging in; it writes that user's ~/.google_authenticator (mode 0400) containing the secret, the scratch codes and the options chosen below, so treat that file like a private key
# google-authenticator
* Example session (from the source post linked at the bottom)
[root@mail01 google-authenticator]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@mail01.linuxdrops.com%3Fsecret%3DJG32SHFEBYISFVEY
Your new secret key is: QERITO250975
Your verification code is 572852
Your emergency scratch codes are:
15729857
56713855
17685237
13750157
286-0286
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
Open the link above in a browser. Note that the QR code is rendered by Google's Chart API, so the TOTP secret travels to a third party inside that URL; newer versions of google-authenticator draw the QR code directly in the terminal instead.
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@mail01.linuxdrops.com%3Fsecret%3DJG32SHFEBYISFVEY
Install the Google Authenticator app on your BlackBerry, Android or iOS phone and scan the QR code the link shows (the otpauth:// URI carries the same secret, so it can also be entered by hand).
Then open a new SSH session from a second terminal: you will be asked for the six-digit verification code from the app in addition to your usual credentials. Keep the existing session open until this works.
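The options the prompt asks about (a ±1 step window for clock skew, refusing a code that has already been used, and 3 attempts per 30 s) are easier to reason about with the algorithm in front of you. The Python below is an added worked example, not code from the Google Authenticator project or the source post: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 and a small server-side verifier that applies those three checks. The secret is the RFC test-vector key, not a real one; the WINDOW_SIZE 17 figure for the "about 4 min" choice is stated as an assumption to check against your own ~/.google_authenticator file.

```python
"""HOTP/TOTP per RFC 4226 / RFC 6238 plus the server-side checks the
google-authenticator prompt offers: skew window, no reuse, rate limiting.

Added illustration, not code from the Google Authenticator project.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 SHA-1 test key "12345678901234567890", base32-encoded the
# way google-authenticator prints secrets. Constructed test data only.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def b32_key(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating spaces and missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(K, C) -> dynamic truncation -> mod 10^digits."""
    mac = hmac.new(b32_key(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, int(unix_time) // step, digits)


class OtpVerifier:
    """Server-side acceptance check modelled on the PAM module's options.

    window         : number of 30 s slots accepted around 'now'; 3 is the
                     default (1:30 min). Assumption: the "about 4 min" choice
                     writes WINDOW_SIZE 17, i.e. +/-8 steps.
    disallow_reuse : reject a code whose time slot already logged someone in.
    rate_limit     : (attempts, seconds), (3, 30) as offered by the prompt.
    """

    def __init__(self, secret_b32, window=3, disallow_reuse=True,
                 rate_limit=(3, 30), step=30):
        self.secret = secret_b32
        self.half = window // 2
        self.disallow_reuse = disallow_reuse
        self.max_tries, self.per_sec = rate_limit
        self.step = step
        self.used_slots = set()  # slots whose code has already been accepted
        self.attempts = []       # timestamps of recent attempts

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'bad-code', 'replayed' or 'rate-limited'."""
        # Rate limit first: a locked-out client never reaches the HMAC.
        self.attempts = [t for t in self.attempts if now - t < self.per_sec]
        if len(self.attempts) >= self.max_tries:
            return "rate-limited"
        self.attempts.append(now)

        current = int(now) // self.step
        for slot in range(current - self.half, current + self.half + 1):
            if slot < 0:
                continue
            # Constant-time compare so timing does not leak matching digits.
            if hmac.compare_digest(hotp(self.secret, slot), code):
                if self.disallow_reuse and slot in self.used_slots:
                    return "replayed"
                self.used_slots.add(slot)
                return "ok"
        return "bad-code"


if __name__ == "__main__":
    now = int(time.time())
    print("current TOTP for the test key:", totp(TEST_SECRET, now))
    v = OtpVerifier(TEST_SECRET)
    print(v.verify(totp(TEST_SECRET, now), now))   # ok
    print(v.verify(totp(TEST_SECRET, now), now))   # replayed
```

The replay check is what "disallow multiple uses of the same authentication token" buys you: a code sniffed or phished in transit is useless once the legitimate login has consumed its slot. The window only widens which slots are accepted, it never relaxes the reuse check, which is why a wider window is a clock-skew fix rather than a security downgrade.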
Source: http://linuxdrops.com/use-two-step-verification-for-ssh-using-google-authenticator/#