Installing and configuring Google Authenticator on CentOS

To harden the server, logins are strengthened with the one-time codes generated by Google Authenticator: besides the account password, a login only succeeds if the current verification code is entered as well. All of the steps below were done on CentOS 6.5.


1. Install the required packages

yum install -y git make gcc libtool pam-devel qrencode ntpdate

qrencode is only needed to print the QR code in the terminal. ntpdate is there because time-based codes only verify if the server clock is correct, so sync the clock with it before enrolling any user.


2. Download, build and install

git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make && make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/

The symlink is needed because make install puts the module under /usr/local/lib/security, while PAM on 64-bit CentOS loads modules from /usr/lib64/security.


3. Configure ssh

vim/etc/ssh/sshd_config

Change the following settings:

ChallengeResponseAuthentication yes

UsePAM yes

Restart sshd:

service sshd restart

Note that this only enforces the code on password (keyboard-interactive) logins: public-key authentication does not go through the PAM auth stack, so a user who already has an authorized key still logs in without a verification code.


4. Configure PAM

vim /etc/pam.d/sshd

as follows:

#auth include password-auth

auth substack password-auth

auth required pam_google_authenticator.so

Delete or comment out the first line (the original include). The order of the second and third lines decides whether the password or the verification code is asked for first: with the substack first, as above, the password is prompted first and the code second.


5. Configure google-authenticator

First, switch to the account you want to set up:

su google
google-authenticator

Do you want authentication tokens to be time-based (y/n) y --- enter y. This generates a QR code and a secret key, which are used in the app setup below, plus 5 emergency scratch codes. A scratch code can be used in place of a verification code when you cannot get one (for example, the phone is lost); each one works only once, although more can be added by hand to the .google_authenticator file. If the root account is protected with Google Authenticator, keep a separate copy of the scratch codes.

Warning: pasting the following URL into your browser exposes the OTP secret to Google:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/google@ip-172-31-17-35%3Fsecret%3DEUMUWLYHE3WFDCD4FTTC4NHDWU%26issuer%3Dip-172-31-17-35

--- If qrencode is installed, the QR code is printed here; the same QR code can be opened from the URL above (which, as the warning says, sends the secret to Google) ---


Your new secret key is: EUMUWLYHE3WFDCD4FTTC4NHDWU

Your verification code is 102411

Your emergency scratch codes are:
31858704
90298886
63354215
17985381
56998209


Do you want me to update your "/home/google/.google_authenticator" file? (y/n) y --- enter y. This writes the secret, the options chosen below and the scratch codes to a .google_authenticator file in the user's home directory; only then does the setup take effect for this user. Deleting that file removes the user's secret, but with the PAM line above (required, without the nullok option) a user with no .google_authenticator file is denied login altogether rather than let in with the password alone; add nullok to that PAM line if users without a secret should still be able to log in while you roll this out.


Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y --- enter y (a code that has already been used is rejected, so a code captured from one login cannot be replayed within its 30-second window)


By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.

Do you want to do so? (y/n) n --- enter n (keep the default window of 3 codes; only widen it if clients really cannot keep their clocks in sync, since every additional accepted code makes guessing easier)


If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting? (y/n) y --- enter y (at most 3 login attempts per 30 seconds)
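Steps 1 to 5 as one script, as an added example (not the page's own script, nor from google-authenticator-libpam). It assumes a CentOS 6.x host, that the user being enrolled (TOTP_USER, default google) already exists, and that the config files live at /etc/ssh/sshd_config and /etc/pam.d/sshd; the TOTP_USER variable, the --apply flag and the function names are this example's own. Without --apply it only defines the functions, so the two config transforms can be tried on a copy of a file first. With --apply, run as root, it installs the packages, builds the module, rewrites both config files (keeping backups), enrols the user non-interactively with the same answers as the interactive session above (time-based, no reuse, default window, 3 attempts per 30 s) and restarts sshd after checking the config.

```shell
#!/bin/sh
# Added example: scripted version of steps 1-5 for CentOS 6.x. Not the
# page's or the project's own script. Assumptions: user $TOTP_USER exists,
# config files are at their default paths, the host can reach GitHub.
set -eu

# Rewrite one sshd_config directive. Reads the config on stdin and writes it
# to stdout: the first active or commented-out occurrence of KEY becomes
# "KEY VALUE", later duplicates are dropped, and the directive is appended
# if it never appeared. Keys are matched case-insensitively, as sshd does.
set_sshd_option() {
  awk -v key="$1" -v val="$2" '
    tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "[ \t]") {
      if (!seen) { print key " " val; seen = 1 }
      next
    }
    { print }
    END { if (!seen) print key " " val }'
}

# Step 3: the two directives keyboard-interactive PAM authentication needs.
harden_sshd_config() {
  set_sshd_option ChallengeResponseAuthentication yes |
  set_sshd_option UsePAM yes
}

# Step 4: replace "auth include password-auth" with the substack plus the
# google-authenticator line; everything else in /etc/pam.d/sshd is kept.
# Substack first means the password is asked before the verification code.
harden_pam_sshd() {
  awk '
    $1 == "auth" && $2 == "include" && $3 == "password-auth" {
      print "auth       substack     password-auth"
      print "auth       required     pam_google_authenticator.so"
      next
    }
    { print }'
}

# Replace FILE with stdin atomically, keeping a timestamped backup and mode.
install_edited() {
  f=$1; tmp=$(mktemp "$f.XXXXXX")
  cat > "$tmp"
  cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
  chmod --reference="$f" "$tmp"
  mv "$tmp" "$f"
}

apply_all() {
  user=${TOTP_USER:-google}
  # Step 1: build dependencies plus ntpdate; TOTP fails if the clock drifts.
  yum install -y git make gcc libtool pam-devel qrencode ntpdate
  ntpdate -u pool.ntp.org || echo "warning: clock not synced" >&2
  # Step 2: build the PAM module and make it visible under /usr/lib64.
  git clone https://github.com/google/google-authenticator-libpam.git
  ( cd google-authenticator-libpam && ./bootstrap.sh && ./configure && make && make install )
  ln -sf /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/
  # Steps 3 and 4: edit the two config files through the functions above.
  harden_sshd_config < /etc/ssh/sshd_config | install_edited /etc/ssh/sshd_config
  harden_pam_sshd    < /etc/pam.d/sshd      | install_edited /etc/pam.d/sshd
  # Step 5 without prompts: -t time-based, -d disallow reuse, -W keep the
  # default 3-code window, -r 3 -R 30 rate limit, -f write the file without
  # asking. Secret, QR code and scratch codes are printed to the terminal.
  su - "$user" -c "google-authenticator -t -d -W -r 3 -R 30 -f"
  # Only restart sshd if the new config parses; a broken sshd_config locks you out.
  sshd -t && service sshd restart
}

if [ "${1:-}" = "--apply" ]; then
  apply_all
fi
```

Newer releases of google-authenticator also ask you to confirm a code from the app before writing the file; their -C flag skips that prompt and would be added to the su line above.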


6. App setup

Install Google Authenticator from Google Play, open the app, tap "Scan a barcode" and scan the QR code generated above, or enter the secret key by hand. The app then shows a verification code that changes every 30 seconds. When logging in over ssh you first enter the account password and then the current code.

7. Logging in with the verification code


[deploy@puppet c]$ ssh google@192.168.1.2

Password:

Verification code: --- enter the current code from the app here ---


If something goes wrong, check /var/log/secure: the PAM module logs there why it rejected a login (for example a missing .google_authenticator file or an invalid code).
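What the app in step 6 computes every 30 seconds, and what the server accepts within the 3-code window asked about in step 5, as an added example (not the page's or the module's code): a POSIX shell TOTP implementation (RFC 6238, HMAC-SHA1, 6 digits) that needs only openssl, awk and cut. The function names are this example's own. Feed it the secret key printed by google-authenticator to get the code the phone would show, which is useful for testing an enrolment without a phone, or to see which three codes a default-window server accepts at a given moment.

```shell
#!/bin/sh
# Added example, not from the original page: derive Google Authenticator
# codes from a base32 secret. Usage: sh totp.sh SECRET [unix_time]
set -eu

# Decode an unpadded base32 string (the alphabet Google Authenticator uses)
# into a hex string; rejects characters outside the alphabet.
base32_to_hex() {
  alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
  s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')
  buf=0; bits=0; hex=""
  while [ -n "$s" ]; do
    c=$(printf '%s' "$s" | cut -c1); s=$(printf '%s' "$s" | cut -c2-)
    idx=${alphabet%%"$c"*}; idx=${#idx}          # position of c in alphabet
    [ "$idx" -lt 32 ] || { echo "base32_to_hex: bad character '$c'" >&2; return 1; }
    buf=$(( (buf << 5) | idx )); bits=$(( bits + 5 ))
    while [ "$bits" -ge 8 ]; do                  # emit every full byte
      hex="$hex$(printf '%02x' $(( (buf >> (bits - 8)) & 255 )))"
      bits=$(( bits - 8 ))
    done
    buf=$(( buf & ((1 << bits) - 1) ))           # keep only the leftover bits
  done
  printf '%s' "$hex"
}

# Write a hex string to stdout as raw bytes, using printf octal escapes.
hex_to_bin() {
  h=$1
  while [ -n "$h" ]; do
    byte=$(( 0x$(printf '%s' "$h" | cut -c1-2) ))
    printf "$(printf '\\%03o' "$byte")"
    h=$(printf '%s' "$h" | cut -c3-)
  done
}

# HOTP (RFC 4226): 6-digit code for a hex key and an integer counter.
hotp() {
  key=$1; counter=$2
  # HMAC-SHA1 over the 8-byte big-endian counter, hex output via openssl.
  mac=$(hex_to_bin "$(printf '%016x' "$counter")" |
        openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | awk '{print $NF}')
  # Dynamic truncation: offset is the low nibble of the last byte ...
  offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))
  start=$(( offset * 2 + 1 ))
  # ... take 4 bytes from there, clear the sign bit, keep 6 decimal digits.
  word=$(printf '%s' "$mac" | cut -c"$start-$(( start + 7 ))")
  printf '%06d' $(( (0x$word & 0x7fffffff) % 1000000 ))
}

# TOTP (RFC 6238): the counter is the 30-second step of a UNIX time (default: now).
totp() {
  secret=$1; now=${2:-$(date +%s)}
  hotp "$(base32_to_hex "$secret")" $(( now / 30 ))
}

# The three codes a server with the default window (step 5, answer "n")
# accepts around a given time: previous step, current step, next step.
totp_window() {
  secret=$1; now=${2:-$(date +%s)}; key=$(base32_to_hex "$secret")
  for step in -1 0 1; do
    hotp "$key" $(( now / 30 + step )); echo
  done
}

if [ -n "${1:-}" ]; then
  totp "$1" "${2:-}"; echo
fi
```

The test vectors below use the RFC 6238 reference secret, not a key from this page; a code produced this way for the secret printed in step 5 should match the phone as long as both clocks agree to within the window.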


References

http://shenyu.me/2016/09/05/centos-google-authenticator.html

http://www.111cn.net/sys/CentOS/88306.htm
