sshd with Google Authenticator

Posted at 2021-09-04
# cat /etc/redhat-release
AlmaLinux release 8.4 (Electric Cheetah)
# google auth
sudo yum install epel-release
sudo yum install google-authenticator
# for user: run as the account that will log in (not under sudo); it writes ~/.google_authenticator, mode 0400, in that user's home
cd
google-authenticator
# answer y to every prompt (the prompt that widens the accepted window to 17 codes, about 4 minutes of clock skew, is the one to consider answering n)
# keep the emergency scratch codes it prints somewhere offline; they are single-use logins that need no phone


# sshd
cd /etc/ssh
# sshd_config ships as 0600; this chmod only lets the non-root shell run the diff below, sshd itself does not need it
sudo chmod 644 sshd_config
# b: the author's backup helper at /usr/local/bin/b; judging by the diff paths it saves a dated copy under OLD/
sudo b sshd_config
sudo cp -p sshd_config sshd_1234_config
sudo vi sshd_1234_config
diff OLD/sshd_config.2021060301 sshd_1234_config
=====
17a18
> Port 1234
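Review bot: Port 1234 will be refused by SELinux on a stock AlmaLinux 8 host, which only lets sshd bind ports labelled ssh_port_t (22); run sudo semanage port -a -t ssh_port_t -p tcp 1234 (policycoreutils-python-utils) before the second daemon is started, and check the new file with sudo sshd -t -f /etc/ssh/sshd_1234_config so a typo fails here rather than under systemd.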
32c33,34
< SyslogFacility AUTHPRIV
---
> #SyslogFacility AUTHPRIV
> SyslogFacility LOCAL1
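Review bot: switching off AUTHPRIV takes every login on this daemon out of /var/log/secure, so anything that watches that file for ssh activity (fail2ban's sshd jail, an audit collector, a SIEM forwarder) has to be pointed at the local1 destination set up in the syslog section, or those logins go unwatched.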
38a41
> PermitRootLogin no
65c68
< PasswordAuthentication yes
---
> PasswordAuthentication no
68,69c71,72
< #ChallengeResponseAuthentication yes
< ChallengeResponseAuthentication no
---
> ChallengeResponseAuthentication yes
> #ChallengeResponseAuthentication no
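Review bot: ChallengeResponseAuthentication yes together with PasswordAuthentication no is what routes logins through PAM's keyboard-interactive path, so this pair is what makes the pam_google_authenticator line in the pam section effective, and it relies on the stock UsePAM yes staying in place. Two consequences are worth a comment in the file: the result is password plus code, not code only, because the password-auth substack still runs pam_unix before the verification-code prompt; and public-key logins never run PAM's auth stack, so a user with an authorized key is never asked for a code. If the second factor is meant to be mandatory, add AuthenticationMethods publickey,keyboard-interactive (key first, then the PAM prompts) to sshd_1234_config.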
=====
cd /usr/lib/systemd/system
sudo cp -p sshd.service sshd_1234.service
sudo vi sshd_1234.service
diff sshd.service sshd_1234.service
=====
10c10
< ExecStart=/usr/sbin/sshd -D $OPTIONS
---
> ExecStart=/usr/sbin/sshd_1234 -f /etc/ssh/sshd_1234_config -D $OPTIONS
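Review bot: in the order this page runs things, systemctl start sshd_1234.service is issued before /usr/sbin/sshd_1234 exists (the copy is only made in the pam section), so the start fails until that copy is done; move the cp -p sshd sshd_1234 up to this point. The renamed binary is also what selects /etc/pam.d/sshd_1234, since OpenSSH uses its own program name as the PAM service name, so it cannot be replaced by plain /usr/sbin/sshd here. The cost is that rpm knows nothing about the copy: every openssh-server update leaves sshd_1234 running the old, unpatched code until it is copied again, so repeat the copy (and restart the unit) after each update.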
=====
# needs /usr/sbin/sshd_1234, which the pam section below creates
sudo systemctl enable sshd_1234.service
sudo systemctl start sshd_1234.service

sudo vi sshd_config
=====
32c32,33
< SyslogFacility AUTHPRIV
---
> #SyslogFacility AUTHPRIV
> SyslogFacility LOCAL0
38a40
> PermitRootLogin no
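Review bot: apart from the facility and PermitRootLogin no, the port-22 daemon keeps the stock file, i.e. PasswordAuthentication yes and an /etc/pam.d/sshd with no google-authenticator line, so it stays a password-only door; that is only acceptable because the firewalld section limits port 22 to 210.172.51.0/24, so treat that allow-list as part of this daemon's authentication and keep the two in step.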
=====
sudo systemctl restart sshd


# pam
# OpenSSH uses its program name as the PAM service name, so a copy called sshd_1234 makes PAM read /etc/pam.d/sshd_1234 instead of /etc/pam.d/sshd
cd /usr/sbin
sudo cp -p sshd sshd_1234
cd /etc/pam.d/
sudo /usr/local/bin/b sshd
sudo cp -p sshd sshd_1234
sudo vi sshd_1234
diff OLD/sshd.2021060301 sshd_1234
=====
4a5
> auth       required     pam_google_authenticator.so echo_verification_code
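Review bot: required placed after the password-auth substack gives the intended order, password prompt first, then Verification code:, and a wrong password does not short-circuit the stack, so the code is still asked for and the prompts do not reveal which factor failed. The line sits between two account entries, which works because PAM groups lines by type, but it reads better directly under auth include postlogin. echo_verification_code prints the code on screen as it is typed; drop it if shoulder-surfing matters. Without nullok, any account that has not run google-authenticator (no ~/.google_authenticator) is refused on this port, which is the safe default but means every user must enrol before port 22 is restricted in the firewalld section.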
=====


# syslog
cd /etc/
sudo b rsyslog.conf
sudo vi rsyslog.conf
diff OLD/rsyslog.conf.2021060501 rsyslog.conf
=====
74a75,76
> local0.*                                              /var/log/sshd.log
> local1.*                                              /var/log/sshd_1234.log
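Review bot: these two rules are appended after the stock *.info;mail.none;authpriv.none;cron.none /var/log/messages selector, so every local0/local1 message at info or above is still written to /var/log/messages as well; either add local0.none;local1.none to that selector or place these rules before it with "& stop" after each, otherwise the ssh logs are duplicated and the dedicated files are not the only copy to protect.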
=====
sudo systemctl restart rsyslog


# logrotate
cd /etc/logrotate.d/
sudo vi sshd
=====
/var/log/sshd.log
/var/log/sshd_1234.log
{
    ifempty
    rotate 150
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
=====


# firewalld
cd /etc/
# the two chmods are not needed by firewalld; they only let a non-root shell cd into directories that ship with a stricter mode
sudo chmod 755 firewalld
cd firewalld
sudo chmod 755 zones
cd zones
sudo b public.xml
sudo vi public.xml
diff OLD/public.xml.2021060401 public.xml
=====
5,6c5,11
<   <service name="ssh"/>
<   <service name="dhcpv6-client"/>
---
>   <port protocol="tcp" port="1234"/>
>   <rule family="ipv4">
>     <source address="210.172.51.0/24"/>
>     <port protocol="tcp" port="22"/>
>     <accept/>
>   </rule>
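Review bot: opening 1234 to every source while narrowing 22 to 210.172.51.0/24 is the right shape given that 22 is the password-only daemon, but two side effects need confirming: the rich rule is family="ipv4" only, so port 22 over IPv6 is now closed entirely, and dhcpv6-client goes with it, so put that service back if the host takes an address by DHCPv6. The same result can be reached without the chmod on /etc/firewalld with sudo firewall-cmd --permanent --remove-service=ssh, sudo firewall-cmd --permanent --add-port=1234/tcp, sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="210.172.51.0/24" port port="22" protocol="tcp" accept' and sudo firewall-cmd --reload, which writes this same public.xml.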
=====
sudo systemctl restart firewalld
sudo firewall-cmd --list-all
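Added example (my own, not the article's): a shell audit of an sshd_config and its PAM service file that checks the settings made above and flags the gap this setup leaves, namely that public-key logins never reach the PAM code prompt. The sample config and PAM files are constructed from the diffs on this page, not copied from a host; the AuthenticationMethods line in the "strict" variant is an assumption of the example, not something the article sets.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config plus its PAM service
# file for the password+TOTP setup built above. The files it reads are constructed
# samples written to a temp dir, so it runs offline.

# Effective value of KEYWORD in sshd_config FILE (empty if unset). sshd takes the
# FIRST non-comment occurrence, and everything after the first "Match" line is
# conditional, so parsing stops there.
sshd_opt() {   # usage: sshd_opt FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key         { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Audit SSHD_CFG and PAM_FILE: one line per finding on stdout, exit 0 only when
# password+TOTP is enforced on every login path.
check_mfa_config() {   # usage: check_mfa_config SSHD_CFG PAM_FILE
    cfg=$1; pam=$2; findings=0
    # keyword : value this setup needs : OpenSSH default when the keyword is absent
    for spec in "PasswordAuthentication:no:yes" \
                "ChallengeResponseAuthentication:yes:yes" \
                "UsePAM:yes:no" \
                "PermitRootLogin:no:prohibit-password"; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
        got=$(sshd_opt "$cfg" "$key"); got=${got:-$dflt}
        if [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" != "$want" ]; then
            echo "FAIL $key=$got (want $want)"; findings=$((findings + 1))
        fi
    done
    # Public-key logins never enter PAM's auth stack, so pam_google_authenticator is
    # skipped unless AuthenticationMethods requires keyboard-interactive in every
    # alternative (alternatives are space-separated, their members comma-separated).
    pubkey=$(sshd_opt "$cfg" PubkeyAuthentication | tr '[:upper:]' '[:lower:]')
    methods=$(sshd_opt "$cfg" AuthenticationMethods)
    if [ "${pubkey:-yes}" != no ]; then
        if [ -z "$methods" ]; then
            echo "FAIL public-key login bypasses TOTP (set AuthenticationMethods publickey,keyboard-interactive)"
            findings=$((findings + 1))
        else
            for alt in $methods; do
                case $alt in
                    *keyboard-interactive*) ;;
                    *) echo "FAIL AuthenticationMethods alternative '$alt' skips TOTP"
                       findings=$((findings + 1)) ;;
                esac
            done
        fi
    fi
    # PAM side: an active "auth" line must load pam_google_authenticator.so, and
    # nullok would let accounts that never ran google-authenticator in without a code.
    gline=$(awk '!/^[[:space:]]*#/ && $1 == "auth" && /pam_google_authenticator\.so/ { print; exit }' "$pam")
    if [ -z "$gline" ]; then
        echo "FAIL $pam has no auth line loading pam_google_authenticator.so"
        findings=$((findings + 1))
    else
        case $gline in *nullok*) echo "FAIL pam_google_authenticator.so uses nullok"
                                 findings=$((findings + 1)) ;; esac
    fi
    [ "$findings" -eq 0 ]
}

# --- constructed samples: the sshd_1234_config / pam values from the diffs above, not real files ---
tmp=$(mktemp -d)
cat > "$tmp/sshd_1234_config" <<'EOF'
Port 1234
SyslogFacility LOCAL1
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat > "$tmp/sshd_1234" <<'EOF'
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
auth       required     pam_google_authenticator.so echo_verification_code
account    required     pam_nologin.so
EOF
# Hardened variant (an assumption of this example, not in the article): require key + PAM prompts.
{ echo "AuthenticationMethods publickey,keyboard-interactive"; cat "$tmp/sshd_1234_config"; } \
    > "$tmp/sshd_strict_config"

echo "== article config =="; check_mfa_config "$tmp/sshd_1234_config" "$tmp/sshd_1234" || true
echo "== strict config  =="; check_mfa_config "$tmp/sshd_strict_config" "$tmp/sshd_1234" && echo "OK: no findings"
```

Run it with sh; the first audit reports only the public-key bypass, the second (with the AuthenticationMethods line added) returns 0. To audit a live host, point check_mfa_config at /etc/ssh/sshd_1234_config and /etc/pam.d/sshd_1234 instead of the samples; the parser deliberately stops at the first Match block, so settings inside Match blocks are left for a manual read.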
