#### ssh 二次認證

1) 安裝依賴環境
yum install gcc wget pam-devel libpng-devel libtool

2) 安裝二維碼工具
yum install -y  qrencode

3) 安裝 google_authenticator (EPEL repo)
yum install google-authenticator -y

4) setup
<1> Using command line switch to the user you want to setup Google 2-step verification for
[root@test23 src]# su root
<2>  Run the Google Authenticator script and answer yes (y) to all questions:
[root@test23 src]# google-authenticator
<3> 執行 google-authenticator 命令 會生成一張二維碼 ,手機下載   google authenticator app  掃瞄上面的二維碼(或者手動輸入),這樣就能實現 基于時間的 口令同步.同時在用戶的家目錄下 下面5個是萬能鑰匙   用一次少一個 .
<4> 設置 ssh 登陸認證方式,Edit the file /etc/pam.d/sshd,and add this line towards the top of the file:
# google authenticator 
auth required pam_google_authenticator.so
<5>Next, edit the file /etc/ssh/sshd_config ,and change the ChallengeResponseAuthentication value to yes so it looks something like:
# google authenticator 
ChallengeResponseAuthentication yes
<6> 重啟 sshd 服務

#### 普通用戶su到root用戶二次認證

[root@test23 redhat]# cat /etc/pam.d/su
#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
# google authenticator
auth required pam_google_authenticator.so
auth            include        system-auth
account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
account		include		system-auth
password	include		system-auth
session		include		system-auth
session		optional	pam_xauth.so

#### 普通用戶su到root用戶不需要輸入系統密碼認證

[root@test23 redhat]# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
# google authenticator
auth            required        pam_google_authenticator.so
auth            [success=ignore default=1] pam_succeed_if.so user = root
auth            sufficient      pam_succeed_if.so use_uid user = redhat
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

其中:
auth            [success=ignore default=1] pam_succeed_if.so user = root
auth            sufficient      pam_succeed_if.so use_uid user = redhat
第一行的意思是 要 su 到哪個用戶不需要輸入密碼
第二行的意思是 要從哪個用戶 su 到一行時候才不要密碼
由於 auth            required        pam_google_authenticator.so 這一行在前面,所有 本列中從 redhat su 到 root ,不需要輸入 root 的系統密碼, 但是需要輸入 google 的動態口令.

如果說想指定和多用戶 su 到 root 都不需要 root 密碼,只需輸入動態口令,有兩種方式:

1)  把上面的兩行改成如下
auth            [success=ignore default=1] pam_succeed_if.so user = root
auth            sufficient      pam_succeed_if.so use_uid user ingroup allowedpeople

意思是把 需要的普通用戶都加入一個 allowedpeople 用戶組裡, 對該用戶組授權!

2) 見下面是用 普通用戶 sudo 到 root 用戶不需要輸入系統密碼認證 

#### 普通用戶 sudo 到 root 用戶不需要輸入系統密碼認證


1) 切換到普通用戶(redhat) 執行google-authenticator

2) 此普通用戶(redhat)在 sudo 的配置檔案為

redhat	ALL=(ALL)	/bin/su - root

3) 修改 sudo 的pam 檔案如下
[root@test23 pam.d]# cat /etc/pam.d/sudo
#%PAM-1.0
# google authenticator
#auth       required      pam_radius_auth.so
auth 	   required 	pam_google_authenticator.so
#auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

4) 普通用戶通過 google 口令 sudo  到 root 用戶
[redhat@test23 ~]$ sudo su - root
Verification code:
[root@test23 ~]#


另外一種方式 見 Radius