In daily work, people often ask whether the system has two-factor authentication enabled. With no budget for a commercial product, I found online that google-authenticator provides free two-factor authentication: once google-authenticator is installed and configured on the server, the Google Authenticator app installed on the phone supplies the verification codes that are checked on each login.

Installation

  yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
  yum list google-auth*
  yum -y install google-authenticator
  vim /etc/pam.d/sshd
      # auth        required    pam_sepermit.so
      auth required pam_google_authenticator.so
  vim /etc/ssh/sshd_config
      ChallengeResponseAuthentication yes
      # ChallengeResponseAuthentication no
      UsePAM yes

      AuthenticationMethods publickey,password publickey,keyboard-interactive

Configuring verification codes for accounts

  1. Generate the verification code for the root account

    [root@hhjos6 herc]# google-authenticator

    https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@hhjos6%3Fsecret%3D
    Your new secret key is:
    (some characters omitted here)
    Do you want me to update your "~/.google_authenticator" file (y/n) y

    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y

    By default, tokens are good for 30 seconds and in order to compensate for
    possible time-skew between the client and the server, we allow an extra
    token before and after the current time. If you experience problems with poor
    time synchronization, you can increase the window from its default
    size of 1:30min to about 4min. Do you want to do so (y/n) y

    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting (y/n) y
    [root@hhjos6 herc]#

  2. Generate the verification code for the herc account

    hhjos6:/home/herc> google-authenticator
    https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/herc@hhjos6%3Fsecret%
    Your new secret key is:
    (some characters omitted here)
    Do you want me to update your "/home/username/.google_authenticator" file (y/n) y
    (Regenerate the login configuration file?)

    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y
    (Disallow repeated use of the same token? This limits you to one login every 30s, but helps you notice or prevent man-in-the-middle attacks.)

    By default, tokens are good for 30 seconds and in order to compensate for
    possible time-skew between the client and the server, we allow an extra
    token before and after the current time. If you experience problems with poor
    time synchronization, you can increase the window from its default
    size of 1:30min to about 4min. Do you want to do so (y/n) n
    (Increase the window from 1 min 30 s to about 4 min? This mitigates time synchronization problems.)

    If the computer that you are logging into is not hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting (y/n) y
    (Enable rate limiting for this module? Logins are limited to at most 3 attempts in 30 seconds.)
    hhjos6:/home/herc>

  3. Notes

    • Troubleshooting the configuration: tail -40f /var/log/secure
    • After entering the verification code from the Android client (mind the timing), enter the account password to log in.

Restart the service to apply the changes

service sshd restart
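As an added example (not code from the original post or from the google-authenticator project), the following Python script shows what the prompts above configure on the server side: a TOTP check with a window of 3 permitted codes (the 1:30 min default) and rejection of a reused token. The base32 secret is the RFC 6238 reference test key, embedded here as a constructed value, not a real account's secret.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
# Constructed value: the RFC 6238 reference test key, base32 of b"12345678901234567890".
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """TOTP (RFC 6238): HOTP with the counter = number of 30-second steps elapsed."""
    return hotp(base64.b32decode(secret_b32), unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side check modelled on the options the setup prompts configure:
    window_size permitted codes centred on the current step (3 = previous,
    current, next, the 1:30 min default) and, with disallow_reuse, a code for
    a time step that already succeeded is refused a second time."""

    def __init__(self, secret_b32: str, window_size: int = 3, disallow_reuse: bool = True):
        self.secret = base64.b32decode(secret_b32)
        self.skew = (window_size - 1) // 2        # steps accepted on each side of "now"
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()                   # the PAM module persists these on disk

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for step in range(now - self.skew, now + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False                  # replayed token: rejected
                self.used_steps.add(step)
                return True
        return False
```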