
Setting up Google Authenticator on a Linux server for two-step SSH authentication

1. Install the Google Authenticator packages

First update the package index and install the required packages; qrencode is used to render the QR code so that the phone app can scan it:

# Update the package index
apt update
# Install the Google Authenticator PAM module and the QR-code generator
apt install libpam-google-authenticator qrencode -y

2. Generate the Google Authenticator secret

Run the Google Authenticator key-generation tool:

google-authenticator
Do you want authentication tokens to be time-based (y/n) y
# Should the tokens be time-based (TOTP)? → answer y

The tool then prints a QR code, the secret key string and a set of emergency scratch codes (keep the scratch codes somewhere safe!).
Open the Google Authenticator app on your phone, scan the QR code, and read off the current one-time code.

Enter code from app (-1 to skip): 312003 # replace with the code shown on your phone
# Tip: if scanning fails, add the account manually by typing in the secret key string
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
# Update the configuration file? → answer y (required; otherwise nothing is saved)
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
# Disallow reuse of a token (at most one login per 30 s)? → answer y
By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y
# Widen the time-skew window (up to 4 minutes)? → answer y (avoids failures caused by clock drift)
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y
# Enable rate limiting (at most 3 login attempts per 30 s)? → answer y (improves security)

3. Enable two-step verification in the PAM configuration

vim /etc/pam.d/sshd
# Add the following line at the top of the file
auth required pam_google_authenticator.so

4. Edit the SSH daemon configuration and restart the service

vim /etc/ssh/sshd_config
# The following options must be enabled; add any that are missing from the file
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes

# Restart sshd once the configuration is complete
systemctl restart sshd

5. Log in to verify
ssh root@IP
# You should now be prompted for the password and then for the verification code from the app
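Before closing the session you edited from, it is worth confirming that the sshd_config and /etc/pam.d/sshd changes from steps 3 and 4 are actually in place; the script below is an added check, not part of the original post, and takes the file paths as arguments so it can run against constructed sample files (the three files under `$tmp` are constructed here, not real system files).

```sh
#!/bin/sh
# Added verification script (not from the original post). Keep your current
# SSH session open and test the new login from a second terminal; if the
# checks below fail you can still repair the configuration from here.

# sshd uses the FIRST uncommented occurrence of a keyword; keywords are
# case-insensitive, so compare in lower case.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 when all four options from step 4 are set to "yes", else 1,
# printing the name of every option that is unset or wrong.
check_sshd_config() {
    cfg="$1" rc=0
    for key in PasswordAuthentication KbdInteractiveAuthentication \
               UsePAM ChallengeResponseAuthentication; do
        val=$(sshd_option "$cfg" "$key")
        case "$val" in
            [Yy][Ee][Ss]) ;;
            *) echo "sshd_config: $key is '${val:-unset}', need yes"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Return 0 when the PAM stack for sshd requires pam_google_authenticator.so.
check_pam_sshd() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

# Constructed sample files so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/good_sshd_config" <<'EOF'
# comment lines and blank lines are ignored
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
EOF
cat > "$tmp/bad_sshd_config" <<'EOF'
PasswordAuthentication no
UsePAM yes
EOF
printf 'auth required pam_google_authenticator.so\n@include common-auth\n' > "$tmp/pam_sshd"

check_sshd_config "$tmp/good_sshd_config" && echo "sample sshd_config: OK"
check_sshd_config "$tmp/bad_sshd_config" || echo "sample bad sshd_config: rejected as expected"
check_pam_sshd "$tmp/pam_sshd" && echo "sample pam.d/sshd: OK"
```

On a real host run the two checks against /etc/ssh/sshd_config and /etc/pam.d/sshd instead of the sample files.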
