
Using Google Authenticator to provide one-time-password SSH logins (by quqi99)

2014-11-03 14:22

Author: Zhang Hua    Published: 2014-11-03
Copyright notice: this article may be freely reposted; when reposting, please credit the original source and author with a hyperlink and include this copyright notice.

( http://blog.csdn.net/quqi99 )

The script below, when run on your machine, does the following:
1. Linux provides PAM so that third-party authentication modules can be plugged in, so install the libpam-google-authenticator package.
2. Create a user, e.g. zhhuabj, and automatically import that user's ssh public key from Launchpad onto this machine.
3. Run the command that generates the one-time-password secret: google-authenticator --force --counter-based --window-size=3 --rate-limit=3 --rate-time=30 -Q UTF8
If the key and the emergency codes need to be regenerated later, root privileges are required; run:
env HOME=/etc/libpam-google-authenticator/$user google-authenticator --force --counter-based --window-size=3 --rate-limit=3 --rate-time=30 -Q UTF8

4. Configure ssh to use PAM.
5. Install Google Authenticator on your phone and feed it the key generated above so that it produces the one-time passwords; from then on you can log in from another shell: ssh zhhuabj@192.168.99.106

6. These dynamic passwords are especially well suited to remote access. Suppose there is a public relay host 9.123.136.122 (proxy.openstack.com), behind it an internal relay host 192.168.99.106, and inside the internal network a server api1. Add the following to ~/.ssh/config on the ssh client and then simply run ssh zhhuabj@quqi-debug; the internal relay is entered with the one-time password first, so access proceeds securely, one layer at a time.

Host quqi-debug
    Hostname api1
    User openstack
    PreferredAuthentications password
    ProxyCommand ssh -W %h:%p quqi-debug-proxy

Host quqi-debug-proxy
    Hostname 9.123.136.122
    User zhhuabj
    ProxyCommand ssh -W %h:%p quqi-debug-openstack

Host quqi-debug-openstack
    Hostname 192.168.99.106
    User zhhuabj
    ProxyCommand ssh -W %h:%p proxy.openstack.com
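What steps 3 and 5 set up is HOTP (RFC 4226): the phone and the server share a secret and a counter, and `--counter-based --window-size=3 --rate-limit=3 --rate-time=30` tells the PAM module to accept a code for the current counter or the next two, to move the counter past any code it accepts, and to refuse more than three attempts per 30 seconds. The following Python model is an added example, not code from the post or from the libpam-google-authenticator project; it keeps the per-user state in memory (the real module persists it in the .google_authenticator file, which this example does not read), and the secret is the RFC 4226 test key, base32-encoded the way google-authenticator prints its secret.

```python
"""HOTP verification with a look-ahead window and a rate limit (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import List, Optional

# Constructed sample secret: the RFC 4226 test key "12345678901234567890" in base32.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class HotpVerifier:
    """In-memory stand-in for the per-user state the PAM module keeps on disk
    (assumption: a simplified model, not the module's own file format or logic)."""

    def __init__(self, secret_b32: str, window_size: int = 3,
                 rate_limit: int = 3, rate_time: int = 30) -> None:
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.counter = 0                  # next counter value the server expects
        self.window_size = window_size    # how many counters ahead are accepted
        self.rate_limit = rate_limit      # max attempts ...
        self.rate_time = rate_time        # ... per this many seconds
        self.attempts: List[float] = []   # timestamps of recent attempts

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        # Rate limit first, so guessing is throttled before any code is examined.
        self.attempts = [t for t in self.attempts if now - t < self.rate_time]
        self.attempts.append(now)
        if len(self.attempts) > self.rate_limit:
            return False
        # Look-ahead window: the phone may have produced codes the server never saw
        # (mistyped code, dropped session), so accept any of the next window_size counters.
        for ahead in range(self.window_size):
            if hmac.compare_digest(hotp(self.secret, self.counter + ahead), code):
                # Jump past the counter that was used: a captured code cannot be replayed.
                self.counter += ahead + 1
                return True
        return False


def demo() -> List[bool]:
    """Walk through the scenarios; returns the verification results in order."""
    v = HotpVerifier(SAMPLE_SECRET_B32)
    phone_codes = [hotp(v.secret, c) for c in range(10)]  # what the app would display
    return [
        v.verify(phone_codes[0], now=0),   # True: first code
        v.verify(phone_codes[0], now=1),   # False: replay of an already used code
        v.verify(phone_codes[3], now=2),   # True: two codes skipped, still inside the window
        v.verify(phone_codes[4], now=3),   # False: 4th attempt within 30 s, rate-limited
        v.verify(phone_codes[4], now=40),  # True: the rate-limit interval has passed
    ]


if __name__ == "__main__":
    print(demo())
```

The fourth result is the one worth noticing: a correct code is refused because the rate limit is evaluated before the code, which is exactly the behaviour that makes online guessing of a six-digit code impractical.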
#!/bin/bash

set -e

# One user per line; the first field is the Launchpad id, the rest is a comment.
# (The here-document feeds cut directly: the original "cat |" in front of it
# was redundant, since the redirection attached to cut, not to cat.)
users=$(cut -d ' ' -f1 << EOF
zhhuabj # Hua
EOF
)

eatmydata apt-get install -y etckeeper libpam-google-authenticator 2>/dev/null
# unattended-upgrades
echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
dpkg-reconfigure -f noninteractive unattended-upgrades

# secrets live under a root-only directory; the PAM module reads them as root (user=root below)
install -d -o root -g root -m 700 /etc/libpam-google-authenticator/
for user in $users; do
    echo
    echo "==== ${user} ===="
    # create a user
    adduser --quiet --disabled-password --gecos '' "$user"
    # import ssh key from launchpad.net
    sudo -u "$user" -H ssh-import-id lp:"$user"
    # generate HOTP secret under /etc/libpam-google-authenticator/${user}/
    install -d -o root -g root -m 700 /etc/libpam-google-authenticator/"$user"
    env HOME=/etc/libpam-google-authenticator/"$user" google-authenticator \
        --force --counter-based --window-size=3 --rate-limit=3 --rate-time=30 -Q UTF8
done

echo
echo '===================='
# enable ChallengeResponseAuthentication,keyboard-interactive:pam on sshd
sed -i -e 's/^\(ChallengeResponseAuthentication\) .*/\1 yes/' /etc/ssh/sshd_config
# sshd uses the first occurrence of a keyword, so appending only works if no
# AuthenticationMethods line exists yet; the comma means BOTH methods are required
echo 'AuthenticationMethods publickey,keyboard-interactive:pam' >> /etc/ssh/sshd_config

# put pam config: insert the module right after the header comment, before @include common-auth
sed -i \
    -e 's|# PAM configuration for the Secure Shell service|\0\n\nauth [success=done default=die] pam_google_authenticator.so secret=/etc/libpam-google-authenticator/${USER}/.google_authenticator user=root echo_verification_code|' \
    /etc/pam.d/sshd

# upstart (Ubuntu 14.04); on a systemd host use: systemctl restart ssh
restart ssh

echo Done.
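Two details of the sshd part are easy to get wrong and silently weaken the setup: sshd takes the first occurrence of a keyword, so the appended AuthenticationMethods line is ignored if one already exists, and a space instead of a comma between methods turns "key AND code" into "key OR code". The checker below is an added example, not part of the post; it parses sshd_config with the first-occurrence rule (stopping at a Match block, a simplification), inspects the pam_google_authenticator.so line in the PAM stack, and runs against constructed sample configs. The defaults it assumes when a keyword is absent (UsePAM no, ChallengeResponseAuthentication no) follow upstream OpenSSH, not a distribution's shipped file.

```python
"""Check that sshd and PAM require BOTH an ssh key and a one-time code (added example)."""
from typing import Dict, List

# Constructed sample: the configuration the provisioning script intends to produce.
SSHD_CONFIG_OK = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
"""

# Constructed sample: a space makes the two methods alternatives, so one factor is enough.
SSHD_CONFIG_WEAK = """\
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey keyboard-interactive:pam
"""

# Constructed sample: /etc/pam.d/sshd after the script's sed edit.
PAM_SSHD_OK = """\
# PAM configuration for the Secure Shell service

auth [success=done default=die] pam_google_authenticator.so secret=/etc/libpam-google-authenticator/${USER}/.google_authenticator user=root echo_verification_code
@include common-auth
"""

REQUIRED_METHODS = {"publickey", "keyboard-interactive:pam"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective value per keyword: sshd keeps the FIRST occurrence, keywords are case-insensitive."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # settings below a Match block are conditional; not handled here
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def check_sshd(text: str) -> List[str]:
    """List the conditions under which a login could succeed without both factors."""
    cfg = parse_sshd_config(text)
    problems: List[str] = []
    if cfg.get("challengeresponseauthentication", "no").lower() != "yes":
        problems.append("ChallengeResponseAuthentication is not yes")
    if cfg.get("usepam", "no").lower() != "yes":
        problems.append("UsePAM is not yes: keyboard-interactive:pam cannot work")
    methods = cfg.get("authenticationmethods")
    if methods is None:
        problems.append("AuthenticationMethods is missing: any single method logs in")
    else:
        # Space-separated entries are alternatives; every comma-list must contain both factors.
        for alt in methods.split():
            if not REQUIRED_METHODS <= set(alt.split(",")):
                problems.append(f"alternative '{alt}' does not require both factors")
    return problems


def check_pam_sshd(text: str, secret_dir: str = "/etc/libpam-google-authenticator/") -> List[str]:
    """Check the auth line for pam_google_authenticator.so in /etc/pam.d/sshd."""
    problems: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("auth") and "pam_google_authenticator.so" in line:
            opts = line.split("pam_google_authenticator.so", 1)[1].split()
            kv = dict(o.split("=", 1) for o in opts if "=" in o)
            if not kv.get("secret", "").startswith(secret_dir):
                problems.append("secret= does not point under the root-owned secret directory")
            if kv.get("user") != "root":
                problems.append("user=root missing: the module cannot read a mode-700 root directory")
            return problems
    problems.append("no auth line for pam_google_authenticator.so")
    return problems


if __name__ == "__main__":
    print("sshd ok:", check_sshd(SSHD_CONFIG_OK))
    print("sshd weak:", check_sshd(SSHD_CONFIG_WEAK))
    print("pam ok:", check_pam_sshd(PAM_SSHD_OK))
```

Run it against the real files with `check_sshd(open("/etc/ssh/sshd_config").read())` after the script has been applied; an empty list from both checks is the expected state.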

2014-11-10
After reinstalling the machine and restoring the previously backed-up ssh public/private keys into ~/.ssh/, running ssh with -vvv failed with:
No RSA host key is known for bazaar.launchpad.net and you have requested strict checking.
Host key verification failed.
Fix: first run once: ssh -o stricthostkeychecking=ask zhhuabj@bazaar.launchpad.net