Enabling two-factor authentication for OpenSSH (sshd)

Add the following options to /etc/ssh/sshd_config to enable two-factor authentication:

  # Require public key *and* password authentication. Without this, a valid public
  # key would bypass the Yubikey requirement.
  AuthenticationMethods publickey,password
  # Enable the password authentication backend.
  PasswordAuthentication yes
  # Disable the keyboard-interactive mode which could be used to ask for the
  # password.
  ChallengeResponseAuthentication no
  # Enable PAM integration for authentication as this is the system that Yubikey
  # integrates with.
  UsePAM yes

If you need to log in as the root user, add or modify the PermitRootLogin option in the same file, replacing prohibit-password with yes:

  # Enable root login via ssh.
  PermitRootLogin yes

Restart the ssh service; this does not interrupt your existing sessions.

  service ssh restart
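
The script below is an added example, not part of the original page: it audits a config file for the four two-factor settings above, applying sshd's rule that the first occurrence of a keyword wins, so lines appended below an earlier conflicting directive have no effect. The function names are hypothetical, the sample config is constructed, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two-factor settings on this page.
# Assumptions: whitespace-separated "Keyword value" lines only; Include files
# and Match blocks are not evaluated (parsing stops at the first Match line).

# Print the value sshd would use for KEYWORD. sshd uses the FIRST occurrence
# of each keyword, and keyword names are case-insensitive.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Compare one keyword against the expected value. An unset keyword counts as
# a failure: the audit wants every setting stated explicitly.
expect_setting() {  # usage: expect_setting FILE KEYWORD VALUE
    got=$(sshd_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok    $2 $got"
    else
        echo "FAIL  $2: expected '$3', found '${got:-<unset>}'"
        return 1
    fi
}

# Return 0 only if all four settings from the page are in effect.
check_2fa() {  # usage: check_2fa FILE
    rc=0
    expect_setting "$1" AuthenticationMethods "publickey,password" || rc=1
    expect_setting "$1" PasswordAuthentication yes || rc=1
    expect_setting "$1" ChallengeResponseAuthentication no || rc=1
    expect_setting "$1" UsePAM yes || rc=1
    return $rc
}

# Constructed sample: the page's lines appended below an older directive.
demo=$(mktemp)
cat > "$demo" <<'EOF'
PasswordAuthentication no
AuthenticationMethods publickey,password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
check_2fa "$demo" || echo "=> the earlier 'PasswordAuthentication no' wins"
rm -f "$demo"
```

Run `check_2fa /etc/ssh/sshd_config` before restarting the service. On a live host, `sshd -T` prints the effective configuration with Include files resolved.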