How to set up QR-code (Google Authenticator) login for a Linux server over SSH

Background

When a Linux server is reached remotely over SSH with username + password authentication, the server is not safe if the password leaks or is simple enough to be brute-forced. Adding Google Authenticator's dynamic (one-time) password as a second factor puts an extra lock on the server: even if the user's password is compromised, nobody can log in without the dynamic password.

Environment

Steps

1. One-click install script

#!/usr/bin/env bash
# Install EPEL (it provides the google-authenticator package)
yum install -y epel-release.noarch &> /dev/null
yum makecache &> /dev/null
# Install the Google Authenticator PAM module
yum install -y google-authenticator.x86_64 &> /dev/null

# Show the questions google-authenticator is about to ask (English, then Chinese)
# together with the answer this script gives to each of them
echo -e "\033[31mDo you want me to update your \"/root/.google_authenticator\" file? (y/n) y\033[0m"
echo -e "\033[31m你希望我更新你的“/root/.google_authenticator”文件吗(y/n)?\033[0m"
echo -e "\033[31mDo you want to disallow multiple uses of the same authentication\033[0m"
echo -e "\033[31mtoken? This restricts you to one login about every 30s, but it increases\033[0m"
echo -e "\033[31myour chances to notice or even prevent man-in-the-middle attacks (y/n) y\033[0m"
echo -e "\033[31m你希望禁止多次使用同一个验证令牌吗?这限制你每次登录的时间大约是30秒, 但是这加大了发现甚至防止中间人攻击的可能性(y/n)?\033[0m"
echo -e "\033[31mBy default, a new token is generated every 30 seconds by the mobile app.\033[0m"
echo -e "\033[31mIn order to compensate for possible time-skew between the client and the server,\033[0m"
echo -e "\033[31mwe allow an extra token before and after the current time. This allows for a\033[0m"
echo -e "\033[31mtime skew of up to 30 seconds between authentication server and client. If you\033[0m"
echo -e "\033[31mexperience problems with poor time synchronization, you can increase the window\033[0m"
echo -e "\033[31mfrom its default size of 3 permitted codes (one previous code, the current\033[0m"
echo -e "\033[31mcode, the next code) to 17 permitted codes (the 8 previous codes, the current\033[0m"
echo -e "\033[31mcode, and the 8 next codes). This will permit for a time skew of up to 4 minutes\033[0m"
echo -e "\033[31mbetween client and server.\033[0m"
echo -e "\033[31mDo you want to do so? (y/n) y\033[0m"
echo -e "\033[31m默认情况下,令牌保持30秒有效;为了补偿客户机与服务器之间可能存在的时滞,\033[0m"
echo -e "\033[31m我们允许在当前时间前后有一个额外令牌。如果你在时间同步方面遇到了问题, 可以增加窗口从默认的3个可通过验证码增加到17个可通过验证码,\033[0m"
echo -e "\033[31m这将允许客户机与服务器之间的时差增加到4分钟。你希望这么做吗(y/n)?\033[0m"
echo -e "\033[31mIf the computer that you are logging into isn't hardened against brute-force\033[0m"
echo -e "\033[31mlogin attempts, you can enable rate-limiting for the authentication module.\033[0m"
echo -e "\033[31mBy default, this limits attackers to no more than 3 login attempts every 30s.\033[0m"
echo -e "\033[31mDo you want to enable rate-limiting? (y/n) y\033[0m"
echo -e "\033[31m如果你登录的那台计算机没有经过固化,以防范运用蛮力的登录企图,可以对验证模块\033[0m"
echo -e "\033[31m启用尝试次数限制。默认情况下,这限制攻击者每30秒试图登录的次数只有3次。 你希望启用尝试次数限制吗(y/n)?\033[0m"
echo -e "\033[32m 在App Store 搜索Google Authenticator 进行App安装 \033[0m"

# Run google-authenticator and answer "y" to every "(y/n)" question it asks
# (time-based tokens, update the file, disallow token reuse, widen the window
# to 17 codes, enable rate limiting); one pattern with exp_continue handles all
# of them, and the loop ends when the program exits (eof). The quoted 'EOF'
# keeps bash from expanding anything inside the expect script.
expect << 'EOF'
set timeout 60
spawn google-authenticator
expect {
    -re {\(y/n\)} { send "y\r"; exp_continue }
    eof
}
EOF
# The same answers can be given without expect:
#   google-authenticator -t -d -f -r 3 -R 30 -w 17

# /etc/pam.d/sshd: add (or edit in) the following line so sshd asks for the verification code
#auth required pam_google_authenticator.so
# The grep guard keeps the line from being added twice if the script is run again
grep -q pam_google_authenticator /etc/pam.d/sshd || \
  sed -i '1a\auth       required     pam_google_authenticator.so' /etc/pam.d/sshd
# Edit /etc/ssh/sshd_config and find the line
#ChallengeResponseAuthentication no
# change it to
#ChallengeResponseAuthentication yes
# (UsePAM must remain yes, which is the default; newer OpenSSH releases name this option KbdInteractiveAuthentication)
sed -i 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config

# Check the sshd configuration before restarting, so a typo does not lock you out of the server
sshd -t && systemctl restart sshd

2. After running the script, scan the QR code printed on the screen with the Google Authenticator app (or copy the URL printed above the QR code into a browser and scan the code it shows), then log in with the dynamic password the app generates.
2.1 Open the remote connection tool Xshell, as shown in the figure
2.2 Enter the dynamic password (verification code)
2.3 Enter the server password
2.4 Check /var/log/secure: the log shows that the remote SSH login was authenticated by the pam_google_authenticator module before the server accepted it.
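Reading /var/log/secure by eye works for one login; for ongoing review it helps to pull out the pam_google_authenticator decisions and tie each one to the client address sshd logs for the same process. The following Python example is added here and is not from the original post: it parses a constructed sample of /var/log/secure lines (the hostname, PIDs and addresses are made up, and the line formats are an approximation of what pam_google_authenticator and sshd write, not captured output) and lists client addresses that have reached the rate limit of rejected codes. The function names and the sample log are this example's own.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (made-up host, PIDs and addresses)
SAMPLE_SECURE_LOG = """\
Nov 12 09:01:10 web1 sshd(pam_google_authenticator)[2101]: Accepted google_authenticator for root
Nov 12 09:01:11 web1 sshd[2101]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Nov 12 09:05:02 web1 sshd(pam_google_authenticator)[2150]: Invalid verification code for root
Nov 12 09:05:02 web1 sshd[2150]: error: PAM: Authentication failure for root from 198.51.100.7
Nov 12 09:05:20 web1 sshd(pam_google_authenticator)[2151]: Invalid verification code for root
Nov 12 09:05:20 web1 sshd[2151]: error: PAM: Authentication failure for root from 198.51.100.7
Nov 12 09:05:41 web1 sshd(pam_google_authenticator)[2152]: Invalid verification code for root
Nov 12 09:05:41 web1 sshd[2152]: error: PAM: Authentication failure for root from 198.51.100.7
Nov 12 09:07:00 web1 sshd[2160]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
"""

# Decision lines written by the PAM module; the PID links them to sshd's own lines
PAM_GA_RE = re.compile(
    r"sshd\(pam_google_authenticator\)\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted google_authenticator|Invalid verification code) for (?P<user>\S+)"
)
# sshd's line for the same PID carries the client address
SSHD_FROM_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: .* for \S+ from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_totp_events(log_text: str) -> list:
    """One dict per pam_google_authenticator decision, joined to the client IP via the sshd PID."""
    src_by_pid = {}
    for line in log_text.splitlines():
        m = SSHD_FROM_RE.search(line)
        if m:
            src_by_pid[m.group("pid")] = m.group("src")
    events = []
    for line in log_text.splitlines():
        m = PAM_GA_RE.search(line)
        if m:
            events.append({
                "user": m.group("user"),
                "accepted": m.group("result").startswith("Accepted"),
                "src": src_by_pid.get(m.group("pid"), "unknown"),
            })
    return events


def sources_with_failures(events: list, threshold: int = 3) -> dict:
    """Client addresses with at least `threshold` rejected verification codes (the module's
    default rate limit is 3 per 30 s), i.e. the ones worth reviewing or blocking."""
    failed = Counter(e["src"] for e in events if not e["accepted"])
    return {src: n for src, n in failed.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_totp_events(SAMPLE_SECURE_LOG)
    for e in events:
        print(("ACCEPT" if e["accepted"] else "REJECT"), e["user"], "from", e["src"])
    print("sources at the failure threshold:", sources_with_failures(events))
```

Run against the real file with `parse_totp_events(open("/var/log/secure").read())`; a burst of rejected codes from one address for a user whose password is known to be good is exactly the situation the second factor exists for, and the one that should be noticed.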

Problems encountered

1. When scanning the QR code with a Xiaomi phone, a prompt appeared (see the figure).
I then installed the Google Play app, but it crashed as soon as it opened. Searching around, the cause seemed to be a missing Google Services Framework, so I downloaded the Google Services Framework app as well, still without success; going over the firewall with a proxy would probably solve this problem.
Since I did not want to spend more time on it, I then switched to another phone.
2. If scanning the code with the phone does not work, search the Chrome Web Store for the "Authenticator" extension, add it to the Chrome browser, and scan the code with it.
3. If the phone is lost or you otherwise cannot get a dynamic password, you can log in to the server with the emergency scratch codes. By default they are kept in the configuration file /root/.google_authenticator; there are only a few scratch codes, so it is recommended to save them somewhere safe.


Source: www.linuxidc.com/Linux/2019-11/161417.htm