
[Operating System] Server Security Standards


SSH login authentication: public key plus Google Authenticator

Server-side configuration file (sshd_config)

Port 3208
Protocol 2
ListenAddress 0.0.0.0
SyslogFacility AUTHPRIV
# SSH-1 only directive; newer OpenSSH releases ignore it (with a warning). PubkeyAuthentication is the one that matters.
RSAAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
# Leave this at yes only until the key login in step 3 works, then set it to no:
# a password that is still accepted is a brute-force target no matter how good the key is.
PasswordAuthentication yes
# Set to yes in the Google Authenticator section below.
ChallengeResponseAuthentication no
GSSAPIAuthentication no
# Destroy the user's credential cache automatically on logout.
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding no
UseDNS no
ClientAliveInterval 60
Subsystem    sftp  /usr/libexec/openssh/sftp-server

  

Client-host configuration file (this is also an sshd_config: both hosts run sshd so that each can log in to the other, see step 3)

Port 3208
Protocol 2
# Replace "ip" with the client host's own address.
ListenAddress ip
SyslogFacility AUTHPRIV
PermitRootLogin no
PermitEmptyPasswords no
# As on the server: switch to no once key login works.
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding no
UseDNS no
ClientAliveInterval 60
Subsystem    sftp  /usr/libexec/openssh/sftp-server
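As an added example (not part of the original post), the following POSIX shell script audits an sshd_config against the settings in the two configuration files above. It reads the file the way sshd does (directive names are case-insensitive, the first occurrence wins) and reports the places where the configuration above still falls short of "key plus Google Authenticator": PasswordAuthentication still yes, ChallengeResponseAuthentication not yet yes, and no AuthenticationMethods line forcing both factors (a directive that exists in OpenSSH 6.2 and later). The file it audits is a constructed sample that mirrors the server configuration; the function and finding wording are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config against
# the settings this page recommends. Reads the global scope the way sshd does:
# directive names are case-insensitive and the first occurrence wins. Only the
# "Directive value" form is handled (not "Directive=value"), and Match blocks
# are not interpreted.

sshd_get() {  # sshd_get <config-file> <Directive>  -> effective value, empty if unset
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the directive name
            sub(/[[:space:]]+$/, "")                            # and trailing blanks
            print; exit
        }' "$1"
}

sshd_expect() {  # sshd_expect <config-file> <Directive> <expected> <why>  -> 0 if OK, else 1 plus a FINDING line
    actual=$(sshd_get "$1" "$2" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ "$actual" = "$want" ] && return 0
    printf 'FINDING: %s is "%s", expected "%s" (%s)\n' "$2" "${actual:-unset}" "$3" "$4"
    return 1
}

# audit_sshd_config <config-file>  -> one FINDING line per deviation on stdout;
# the exit status is the number of findings (0 = clean).
audit_sshd_config() {
    f=$1; n=0
    sshd_expect "$f" Protocol 2 "SSH-1 is broken" || n=$((n + 1))
    sshd_expect "$f" PermitRootLogin no "log in as an ordinary user and escalate" || n=$((n + 1))
    sshd_expect "$f" PubkeyAuthentication yes "the key is the first factor" || n=$((n + 1))
    sshd_expect "$f" PermitEmptyPasswords no "never" || n=$((n + 1))
    sshd_expect "$f" PasswordAuthentication no "once keys work, passwords only add brute-force surface" || n=$((n + 1))
    sshd_expect "$f" ChallengeResponseAuthentication yes "needed for the PAM one-time-code prompt" || n=$((n + 1))
    sshd_expect "$f" UsePAM yes "pam_google_authenticator is loaded through PAM" || n=$((n + 1))
    sshd_expect "$f" X11Forwarding no "not needed on a server" || n=$((n + 1))
    # Without this line sshd accepts a key alone OR keyboard-interactive alone,
    # so the key holder is never asked for the one-time code. OpenSSH 6.2+.
    sshd_expect "$f" AuthenticationMethods "publickey,keyboard-interactive" \
        "require both factors; without it either one alone logs in" || n=$((n + 1))
    return "$n"
}

# Constructed sample that mirrors the server configuration above (not a real host's file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Port 3208
Protocol 2
ListenAddress 0.0.0.0
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
EOF
audit_sshd_config "$SAMPLE_CONF" || echo "$? finding(s): fix before exposing port 3208"
rm -f "$SAMPLE_CONF"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit status makes it usable as a pre-restart check in a deployment script. After changing sshd_config, validate the syntax with `sshd -t` before `service sshd restart`, and keep an existing session open while you test a new login.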

  

1. Generate the public and private key (on the client)

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/client/.ssh/id_rsa):    # just press Enter
Created directory '/home/client/.ssh'.
Enter passphrase (empty for no passphrase):    # just press Enter
Enter same passphrase again:    # just press Enter
Your identification has been saved in /home/client/.ssh/id_rsa.
Your public key has been saved in /home/client/.ssh/id_rsa.pub.

An empty passphrase means that anyone who copies id_rsa can log in with it. For an administrative key, set a passphrase and load the key into ssh-agent instead; ssh-keygen -t rsa -b 4096 (or -t ed25519 on OpenSSH 6.5 and later) gives a stronger key than the old RSA default.

  

2. Append the public key to ~/.ssh/authorized_keys in the user's home directory on the server; the .ssh directory must be mode 0700

cat id_rsa.pub >> authorized_keys
chmod 600 authorized_keys

  


3. Passwordless login between server and client

scp ./id_rsa.pub sweet@192.168.1.101:/home/sweet/.ssh/authorized_keys

Note: this scp replaces any authorized_keys that already exists on the target, together with every key in it; if the file exists, copy id_rsa.pub to a temporary name and append it as in step 2 (or use ssh-copy-id). The original note asks for the target file to be -rw-r--r-- (644). sshd accepts 644 or 600: StrictModes only rejects files and directories that are group- or world-writable, so the 600 set in step 2 is fine and does not need to be loosened.
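Steps 2 and 3 above, as an added example that is not part of the original post: a shell function that installs a public key into ~/.ssh/authorized_keys the way sshd wants it. Unlike the scp in step 3 it appends instead of overwriting, skips a key that is already present, and sets the modes that StrictModes checks. The home directory and key line are parameters so the function can be exercised against a temporary directory; the key line used below is constructed for the demonstration and is not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post: put a public key into
# ~/.ssh/authorized_keys the way sshd wants it. Unlike the scp in step 3 it
# appends instead of overwriting, skips a key that is already present, and sets
# the modes sshd's StrictModes checks (home not group/world-writable, .ssh 0700,
# authorized_keys 0600). The home directory and key line are parameters so the
# function can be run against a temp directory; the key below is constructed.

install_authorized_key() {  # install_authorized_key <home-dir> <pubkey-line>  -> "installed" | "already present"
    home=$1; key=$2
    sshdir=$home/.ssh; akfile=$sshdir/authorized_keys
    # Field 2 is the key material (field 1 = type, field 3 = optional comment);
    # dedupe on it so the same key with a different comment is not added twice.
    keydata=$(printf '%s\n' "$key" | awk 'NF >= 2 { print $2 }')
    if [ -z "$keydata" ]; then
        echo "rejected: not a public key line" >&2
        return 1
    fi
    chmod go-w "$home"                         # StrictModes refuses a writable home directory
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$akfile" && chmod 600 "$akfile"     # 644 also passes StrictModes, but 600 is the usual choice
    if grep -qF -- "$keydata" "$akfile"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$akfile"          # append: never overwrite keys that are already there
    echo "installed"
}

count_authorized_keys() {  # count_authorized_keys <home-dir>  -> number of key lines
    f=$1/.ssh/authorized_keys
    [ -f "$f" ] || { echo 0; return 0; }
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true   # grep -c prints 0 but exits 1 on no match
}

DEMO_HOME=$(mktemp -d)
# Constructed sample key line (not a real key): type, base64 blob, comment.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyConstructedForThisExample0000000000 client@example'
install_authorized_key "$DEMO_HOME" "$SAMPLE_KEY"              # installed
install_authorized_key "$DEMO_HOME" "$SAMPLE_KEY"              # already present
count_authorized_keys "$DEMO_HOME"                             # 1
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"     # drwx------ and -rw-------
rm -rf "$DEMO_HOME"
```

On the real server, call it as the target user: `install_authorized_key "$HOME" "$(cat /tmp/id_rsa.pub)"`. If sshd still refuses the key afterwards, run `sshd -d -p 2222` in a second terminal and connect to that port; it names the file or directory whose mode it rejected.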

  

Google Authenticator

Installing the Google Authenticator PAM module

1. Install the EPEL repository

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

2. Install git and the QR-code tool (qrencode draws the enrolment QR code in the terminal)

yum install -y git qrencode

3. Install the build tools and the PAM headers (pam-devel is a package, not a group, so it goes through yum install rather than groupinstall)

yum groupinstall -y "Development Tools"
yum install -y pam-devel

4. Build and install google-authenticator

git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
sh bootstrap.sh
./configure && make && make install
cp -v /usr/local/lib/security/pam_google_authenticator.so /lib64/security/

5. Generate a counter-based token (answer n to "time-based", so clock skew between the phone and the server cannot cause errors; the following y, y, y accept the defaults). Run this as the user who will log in, not as root: it writes ~/.google_authenticator for that user, and that is the file the module reads when that user authenticates.

google-authenticator    # answers: n, y, y, y

6. Change the PAM and SSH settings

## PAM: add to /etc/pam.d/sshd (as the first auth line)
vi /etc/pam.d/sshd
auth required pam_google_authenticator.so

## sshd_config
ChallengeResponseAuthentication yes
UsePAM yes

service sshd restart

This switches sshd's interactive authentication to keyboard-interactive, which is how the one-time-code prompt reaches the client. With PubkeyAuthentication yes still in place, sshd accepts a key alone OR keyboard-interactive alone, so a key holder is never asked for the code. To require both factors, which is what "public key plus Google Authenticator" means, OpenSSH 6.2 and later take

AuthenticationMethods publickey,keyboard-interactive

CentOS 6, the target of the EPEL 6 repository above, ships OpenSSH 5.3 and does not have this directive.

Note: write down the emergency scratch codes printed during enrolment, so that you can still log in if the authenticator breaks; the SSH key can also be kept as a backup login method.
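What the module checks in step 5 and 6, as an added example that is neither the original post's nor google-authenticator's own code: the counter-based one-time code (HOTP, RFC 4226) computed in POSIX shell with the openssl command line, plus the verification with a look-ahead window and the counter advance that stops a code from being replayed. The base32 secret is the RFC 4226 test key ("12345678901234567890"), not a real enrolment; the function names and the window default of 3 are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from google-authenticator:
# the counter-based (HOTP, RFC 4226) check performed when enrolment answered
# "n" to time-based. Needs only POSIX sh and the openssl CLI. The secret below
# is the RFC 4226 test key, not a real enrolment.

hex_to_bin() {  # hex_to_bin <hex>  -> raw bytes on stdout (octal escapes keep this POSIX)
    h=$1
    while [ -n "$h" ]; do
        byte=${h%"${h#??}"}; h=${h#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

b32_to_hex() {  # b32_to_hex <BASE32>  -> hex (~/.google_authenticator stores the secret in base32)
    alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')
    buf=0; bits=0; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        case $c in [A-Z2-7]) ;; *) echo "bad base32 char: $c" >&2; return 1 ;; esac
        rest=${alphabet#*"$c"}                       # alphabet after c: its index is 32 - len(rest) - 1
        buf=$(( (buf << 5) | (${#alphabet} - ${#rest} - 1) )); bits=$((bits + 5))
        if [ "$bits" -ge 8 ]; then                    # a full byte is available: emit it
            bits=$((bits - 8))
            out=$out$(printf '%02x' $(( (buf >> bits) & 255 )))
            buf=$(( buf & ((1 << bits) - 1) ))
        fi
    done
    printf '%s\n' "$out"
}

hotp() {  # hotp <hex-secret> <counter> [digits]  -> the one-time code
    hexkey=$1; counter=$2; digits=${3:-6}
    # HMAC-SHA1 over the 8-byte big-endian counter; the last field of openssl's output is the hex MAC.
    mac=$(hex_to_bin "$(printf '%016x' "$counter")" \
          | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" | awk '{print $NF}')
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    last=${mac#"${mac%?}"}
    start=$(( 0x$last * 2 + 1 ))
    chunk=$(printf '%s' "$mac" | cut -c "$start-$((start + 7))")
    mod=1; i=0
    while [ "$i" -lt "$digits" ]; do mod=$((mod * 10)); i=$((i + 1)); done
    printf "%0${digits}d\n" $(( (0x$chunk & 0x7fffffff) % mod ))
}

# hotp_verify <hex-secret> <stored-counter> <code> [window]
# Accepts the code if it matches any of counter .. counter+window-1 (a phone that
# generated a few unused codes is still in sync) and prints the counter the
# server must store next, so the same code is not accepted twice. Exit 1 on failure.
hotp_verify() {
    hexkey=$1; stored=$2; code=$3; window=${4:-3}
    k=0
    while [ "$k" -lt "$window" ]; do
        if [ "$(hotp "$hexkey" $((stored + k)))" = "$code" ]; then
            echo $((stored + k + 1)); return 0
        fi
        k=$((k + 1))
    done
    return 1
}

SECRET_B32=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ   # RFC 4226 test key "12345678901234567890" in base32
SECRET_HEX=$(b32_to_hex "$SECRET_B32")
hotp "$SECRET_HEX" 0                           # 755224, the first value in RFC 4226 Appendix D
next=$(hotp_verify "$SECRET_HEX" 0 287082)     # counter 1 is inside the window: accepted, prints 2
hotp_verify "$SECRET_HEX" "$next" 287082 || echo "replay of 287082 rejected"
```

The counter advance in hotp_verify is the property that makes the scratch-code warning in the note above matter: once a code is consumed it is gone, and if the phone and server counters drift further apart than the window, nothing but a scratch code or the backup key gets you in. For a time-based enrolment (answering y in step 5) the same computation applies with the counter replaced by floor(unix_time / 30).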