ldap认证_ldap服务器怎么登录_ldap认证和802.1x区别(6)

设置Google Authenticator

运行/usr/local/bin/google-authenticator

会在当前帐号home目录下生成相关配置文件。

Doyouwantmetoupdateyour"~/.google_authenticator"file(y/n)y

https://.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DABCD12E3FGHIJKLMN
Yournewsecretkeyis:ABCD12E3FGHIJKLMN
Yourverificationcodeis98765432
Youremergencyscratchcodesare:
01234567
89012345
67890123
45678901
23456789

Doyouwanttodisallowmultipleusesofthesameauthentication
token?Thisrestrictsyoutooneloginaboutevery30s,butitincreases
yourchancestonoticeorevenpreventman-in-the-middleattacks(y/n)y

Bydefault,tokensaregoodfor30secondsandinordertocompensatefor
possibletime-skewbetweentheclientandtheserver,weallowanextra
tokenbeforeandafterthecurrenttime.Ifyouexperienceproblemswithpoor
timesynchronization,youcanincreasethewindowfromitsdefault
sizeof1:30mintoabout4min.Doyouwanttodoso(y/n)y

Ifthecomputerthatyouareloggingintoisnthardenedagainstbrute-force
loginattempts,youcanenablerate-limitingfortheauthenticationmodule.
Bydefault,thislimitsattackerstonomorethan3loginattemptsevery30s.
Doyouwanttoenablerate-limiting(y/n)y

sshd配置加入谷歌认证模块：

/etc/pam.d/sshd
#%PAM-1.0
authrequiredpam_google_authenticator.so
authincludesystem-auth
accountrequiredpam_nologin.so
accountincludesystem-auth
passwordincludesystem-auth
sessionoptionalpam_keyinit.soforcerevoke
sessionincludesystem-auth
sessionrequiredpam_loginuid.so

修改/etc/ssh/sshd_config
加入hallengeResponseAuthenticationyes

本地网络登录帐号跳过谷歌认证模块设置：

/etc/pam.d/sshd 增加

auth[success=1default=ignore]pam_access.soaccessfile=/etc/security/access-local.conf
authrequiredpam_google_authenticator.so
在/etc/security/access-local.conf文件中增加：
#GoogleAuthenticatorcanbeskippedonlocalnetwork
+:ALL:192.168.0.0/24
+:ALL:LOCAL
-:ALL:ALL

允许192.196.0.0网段的用户登录帐号时跳过谷歌认证步骤。

整个跳板机部署完毕后，用户如何登录对于很多开发人员完全未知，站在用户的角度我们进行了一次内部分享，对如何登录跳板机做了简要说明。

本文来自电脑杂谈，转载请注明本文网址：
http://www.pc-fly.com/a/jisuanjixue/article-24622-6.html