给Linux VPS折腾上totp(两步验证)用于登录验证

之前提到过使用密钥登录SSH，这种方式禁用了密码，安全性上是没问题的。。。除非，你的私钥也泄露啦~不怕，为了应对这种极端情况，我们不妨弄个2FA组成“多重验证”。

我这里用的是debian系统，运行以下命令把Google Authenticator PAM module 安装进系统

apt-get update
apt-get install libpam-google-authenticator 

安装完，使用以下命令 google-authenticator --qr-mode=none开始配置过程。由于我这里制定了“–qr-mode=none”，所以整个过程李是不包含QRcode的，手机上需要手动输入secret key~图方便的话去掉“–qr-mode=none”即可

   $ google-authenticator
   Do you want authentication tokens to be time-based (y/n) y
   <这里是自动生成的二维码>
   Your new secret key is: ZVZG5UZU4D7MY4DH          (验证器配置密钥)
   Your verification code is 269371                  (输入验证器生成的验证码)
   Your emergency scratch codes are:                 (备用令牌码)
     70058954
     97277505
     99684896
     56514332
     82717798
   
   Do you want me to update your "/home/username/.google_authenticator" file (y/n) y
   (是否重新生成登录配置文件？)
   
   Do you want to disallow multiple uses of the same authentication
   token? This restricts you to one login about every 30s, but it increases
   your chances to notice or even prevent man-in-the-middle attacks (y/n) y
   (是否拒绝多次重复使用相同的令牌？这将限制你每30s仅能登录一次，但会提醒/阻止中间人攻击。)
   
   By default, tokens are good for 30 seconds and in order to compensate for
   possible time-skew between the client and the server, we allow an extra
   token before and after the current time. If you experience problems with poor
   time synchronization, you can increase the window from its default
   size of 1:30min to about 4min. Do you want to do so (y/n) n
   (是否将窗口时间由1分30秒增加到约4分钟？这将缓解时间同步问题。)
   
   If the computer that you are logging into is not hardened against brute-force
   login attempts, you can enable rate-limiting for the authentication module.
   By default, this limits attackers to no more than 3 login attempts every 30s.
   Do you want to enable rate-limiting (y/n) y
   (是否启用此模块的登录频率限制，登录者将会被限制为最多在30秒内登录3次。)

设置完成后，开始配置SSH部分

配置前请保持当前shell连接，避免被“反锁”的尴尬情况。我这里参考了

的文章，内容有删改！
配置 /etc/pam.d/sshd 加入以下内容
@include common-password
auth required pam_google_authenticator.so nullok
注释以下内容
#@include common-auth
配置/etc/ssh/sshd_config
更改以下选项
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
添加以下内容
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
以上内容搞定后，就可以新开个ssh试试效果啦
值得一提的是，vps的时间要和登录设备的时间相同，否者会导致登录失败，如果你的服务器不方便更新时间，可以修改 .google_authenticator ,添加以下内容
" WINDOW_SIZE 17
这样，单个code的过期时间将延长到4分钟。不过这样做会降低2FA的安全性，具体怎么选择全看你自己。

参考链接：

• Linux服务器启用两步验证方式登录
• google-authenticator-libpam