


Install google-authenticator on the bastion machine
Developers are not allowed to log in to the company's production machines at will; all access goes through a bastion (springboard) host. To add a second factor on that host I decided to use Google Authenticator's time-based one-time codes, checked at SSH login through its PAM module (google-authenticator-libpam).
Build google-authenticator:
Building it is simple (pam-devel must be installed first, otherwise configure fails with the error listed at the end of this post):
git clone https://github.com/google/google-authenticator-libpam.git    (the upstream repository; the latest release is fine)
cd google-authenticator-libpam/
./bootstrap.sh
./configure && make && make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /lib64/security/pam_google_authenticator.so
make install puts the module under /usr/local/lib/security; the symlink makes it visible in the directory PAM searches on 64-bit CentOS. If you would rather not build from source, EPEL packages it as google-authenticator.
Modify /etc/pam.d/sshd:
#Add this line at the top: "auth required pam_google_authenticator.so"
#The line can take options (for example nullok, which lets users who have not yet created a ~/.google_authenticator file log in until they enrol); see libpam/README in the source tree.
#Note: with required, PAM checks the code and then continues down the stack to the distribution's password modules (on CentOS the "auth substack password-auth" line), so you are asked for the verification code and then the password. If you still get a password prompt you do not want, change the line to "auth sufficient pam_google_authenticator.so": a correct code then ends the stack immediately. Be aware of what sufficient also means: a wrong code is not fatal, PAM falls through to the password modules, and a correct password alone passes this stack. That is acceptable only when sshd additionally demands a public key (the AuthenticationMethods setup in the supplement below); if the code must be mandatory, keep required and comment out the password-auth line instead.
Modify /etc/ssh/sshd_config:
Change ChallengeResponseAuthentication from no to yes (on OpenSSH 8.7 and later the option is called KbdInteractiveAuthentication; the old name is still accepted as an alias)
Make sure UsePAM yes is set
Check the file with sshd -t, then restart: service sshd restart (systemctl restart sshd on CentOS 7). Keep your current session open until a fresh login has been verified, so a mistake does not lock you out of the bastion.
Generate the key
$ google-authenticator    #Note: run this as the user who will log in, not as root; it writes ~/.google_authenticator for that user
Do you want authentication tokens to be time-based (y/n) y    (confirm: time-based tokens, i.e. TOTP)
[The URL of the generated QR code, the QR code itself, the secret key in plain text and the emergency scratch codes are displayed here. Store the scratch codes somewhere safe: they are the only way in if the phone is lost.]
Do you want me to update your "/var/www/.google_authenticator" file (y/n) y    (confirm: write the configuration file; this user's home directory is /var/www)
……
size of 1:30min to about 4min. Do you want to do so (y/n) n    (widens the window of accepted codes from the default of about 1.5 minutes to about 4 minutes; answer y only if client and server clocks drift)
......
Do you want to enable rate-limiting (y/n) y    (an attacker gets at most three login attempts every 30 s)
Scan the QR code in the app, or enter the key manually, and you will see the code change every 30 seconds.
Try to log in
$ ssh localhost
Verification code: [enter the current code from the app]
Password: [enter the account password]
Supplement:
At that stage Google Authenticator had simply been bolted on, and in daily use typing both a verification code and a password is too cumbersome. So when building our springboard machine we chose publickey + authenticator: the SSH key is the first factor and only the verification code has to be typed. This has prerequisites, the main one being an OpenSSH version of 6.2 or later, because AuthenticationMethods does not exist in older versions. CentOS 7 is the easiest choice (verified to work). CentOS 6.5 does not work, because its stock OpenSSH (5.3) predates the option.
The configuration itself changes little; the addition is the AuthenticationMethods option introduced in OpenSSH 6.2, which lists the methods a client must pass in order (comma-separated methods are all required; space-separated lists are alternatives). The sshd_config additions are:
AuthenticationMethods publickey,keyboard-interactive
#For a specific source address, require only publickey
Match Address 10.0.0.4
AuthenticationMethods publickey
#A specific user can likewise be limited to publickey only
#Match User XXX
#AuthenticationMethods publickey
Two things to watch: everything after a Match line applies only to that match, so Match blocks must sit at the end of sshd_config and global options must come before them; and it is still worth setting PasswordAuthentication no so the plain ssh password method is never offered. The extra password prompt that can appear inside the keyboard-interactive flow comes from the PAM stack, not from that option.
By the way, a complaint: this Linux thing is really frustrating. When I configured the backup springboard machine today with exactly the same configuration, copied over, it still went wrong. Although only publickey and keyboard-interactive were specified in the configuration, every time after entering the verification code I was still asked for the password. After struggling for several hours I found out that "auth required pam_google_authenticator.so" is no longer appropriate and needs to be changed to "auth sufficient pam_google_authenticator.so", so that the authentication process ends once the verification code has been entered (so sufficient is implemented as an early break? What the hell.) (Thanks @)
Finally, a reminder for SecureCRT users: select only "Keyboard Interactive" under Authentication in Session Options -> Connection -> SSH2, otherwise you will not be able to log in normally.
Build error: configure: error: Unable to find the PAM library or the PAM header files
Fix: yum install -y pam-devel
Source: PHP Chinese website.