二次登陆验证

服务器二次登录验证：

目前比较流行的两种方式

1 Google

https://github.com/google/google-authenticator

安装关闭 selinuxgit clone https://github.com/google/google-authenticator.gityum install libtool   ./bootstrap.sh    ./configure     make && make install    google-authenticator    获取私钥 客户端输入。Do you want me to update your "/root/.google_authenticator" file (y/n) yDo you want to disallow multiple uses of the same authenticationtoken? This restricts you to one login about every 30s, but it increasesyour chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authenticationtoken? This restricts you to one login about every 30s, but it increasesyour chances to notice or even prevent man-in-the-middle attacks (y/n) yBy default, tokens are good for 30 seconds. In order to compensate forpossible time-skew between the client and the server, we allow an extratoken before and after the current time. If you experience problems withpoor time synchronization, you can increase the window from its defaultsize of +-1min (window size of 3) to about +-4min (window size of17 acceptable tokens).Do you want to do so? (y/n) yIf the computer that you are logging into isn't hardened against brute-forcelogin attempts, you can enable rate-limiting for the authentication module.By default, this limits attackers to no more than 3 login attempts every 30s.Do you want to enable rate-limiting (y/n) y vim /etc/pam.d/sshd  第一行添加 auth required pam_google_authenticator.so   vim /etc/ssh/sshd_config  修改为 ChallengeResponseAuthentication yes service sshd restartln -s /usr/local/lib/security/pam_google_authenticator.so pam_google_authenticator.so

通过 私钥+时间戳 算出6位验证码，客户端和服务端匹配，则通过验证。

缺点：数据明文存储本地，root账号可以看到

应用商店搜索 Google身份验证器 安装

2 洋葱

https://github.com/secken/secken-ssh

git clone https://github.com/secken/secken-ssh.git

sh dep.sh

tips

将keyboard interactive 放到第一位

通过秘钥登录的 无法进行二次验证

参考：http://36kr.com/p/532998.html

http://www.xitongzhijia.net/xtjc/20141211/32369.html