This page describes how to require a Google Authenticator verification code (a TOTP, in addition to the normal credentials) when logging in over ssh on Debian Sid, using the libpam-google-authenticator PAM module.
Installation
$ sudo apt-get install libpam-google-authenticator
Generating a key
$ google-authenticator
Run this as the user who will be logging in, not as root: the secret and the options chosen below are written to that user's home directory.
Answer y to the question below (time-based tokens, i.e. TOTP; answering n gives counter-based HOTP tokens instead) and a QR code is printed to the terminal.
Do you want authentication tokens to be time-based (y/n) y
Scan the QR code with the Google Authenticator app on an iPhone (or any other TOTP app) to register the account.
Answer y to the remaining questions as well.
Do you want me to update your "/username/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
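To make the four prompts above concrete, here is an added example (written for this page, not code from the google-authenticator project) that computes the same 6-digit codes the phone app shows, from the base32 secret the tool prints, and checks them the way a server would with the chosen options: a window of 3 codes by default or 17 codes (plus or minus 8 steps) after answering y to the time-skew question, one successful login per 30-second step when reuse is disallowed, and no more than 3 attempts per 30 seconds. The Verifier class, its reuse bookkeeping and the rate-limiting logic are a simplified model of those options, not the PAM module's implementation; the test secret used in __main__ is the RFC 6238 reference key.

```python
# Added example: TOTP codes and the server-side checks behind the prompts.
# Not code from the google-authenticator project; the Verifier class is a
# simplified model of the window, reuse and rate-limit options.
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per token, as in the prompt ("tokens are good for 30 seconds")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // 30.

    secret_b32 is the base32 secret google-authenticator prints (and encodes in
    the QR code); the phone app and the server both derive codes from it."""
    return hotp(base64.b32decode(secret_b32.upper()), unix_time // STEP, digits)


class Verifier:
    """Server-side check parameterised by the three prompts:
      window_size    number of accepted codes: 3 = +/-1 step (the default),
                     17 = +/-8 steps (what answering y to the skew question sets)
      disallow_reuse each 30 s step may authenticate at most once
      rate_limit     (attempts, seconds), e.g. (3, 30) as in the prompt
    """

    def __init__(self, secret_b32: str, window_size: int = 3,
                 disallow_reuse: bool = True, rate_limit: tuple = (3, 30)):
        self.secret_b32 = secret_b32
        self.window_size = window_size
        self.disallow_reuse = disallow_reuse
        self.rate_limit = rate_limit
        self.used_steps: set = set()  # steps already consumed by a successful login
        self.attempts: list = []      # timestamps of recent attempts, good or bad

    def verify(self, code: str, now: int) -> bool:
        max_attempts, period = self.rate_limit
        # Simplified rate limiting: forget attempts older than the period and
        # refuse outright once max_attempts of them fall inside it.
        self.attempts = [t for t in self.attempts if now - t < period]
        if len(self.attempts) >= max_attempts:
            return False
        self.attempts.append(now)

        current = now // STEP
        half = self.window_size // 2
        for step in range(max(0, current - half), current + half + 1):
            if self.disallow_reuse and step in self.used_steps:
                continue  # a code from this step already logged someone in
            if hmac.compare_digest(totp(self.secret_b32, step * STEP), code):
                if self.disallow_reuse:
                    self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 reference secret ("12345678901234567890" in base32), constructed for the demo.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    v = Verifier(demo_secret)
    code = totp(demo_secret, 59)
    print("code at t=59:", code)                    # 287082
    print("first use accepted:", v.verify(code, 59))  # True
    print("replay accepted:", v.verify(code, 59))     # False, reuse disallowed
```

The replay case is the point of the second prompt: even an attacker who captures a valid code on the wire cannot use it once the legitimate login has consumed that step. The widened window trades that margin for clock tolerance, so answer y to the skew question only if the server's clock really cannot be kept in sync with NTP.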
ssh configuration
Add the following line to the end of /etc/pam.d/sshd:
auth required pam_google_authenticator.so
Placed after the existing @include common-auth line, this asks for the account password first and the verification code second. Any user who has not yet run google-authenticator is then unable to log in; append nullok to the line if such users should still get in with the password alone until they enrol.
Set ChallengeResponseAuthentication to yes in /etc/ssh/sshd_config (UsePAM yes, the Debian default, must also be in effect, otherwise the PAM line is never consulted):
ChallengeResponseAuthentication yes
OpenSSH 8.7 and later call this option KbdInteractiveAuthentication; the old name is still accepted as an alias.
Restart the SSH daemon. On Debian the service is named ssh, not sshd:
$ sudo systemctl restart ssh
Keep the session you are working in open and test the new login from a second terminal, so that a mistake in the PAM or sshd configuration does not lock you out.