Centos

CentOS 7 SSH and 2FA (ESET Secure Authentication)

  • January 6, 2017

I'm stuck getting two-factor authentication working in CentOS 7; specifically, authentication via SSH with an OTP.

If anyone can help me, I'd be very grateful. :)

**Edit:** As far as I understand from the log below, the PAM module asks the RADIUS server for authentication, the server responds with code 11 so that the PAM module challenges the user for the OTP, but the module just says "authentication failed". So the client should be the problem, right?

Here is the log of an SSH login attempt with the account "ws-admin@test.local":

sshd[3652]: pam_radius_auth: Got user name ws-admin@test.local
sshd[3652]: pam_radius_auth: ignore last_pass, force_prompt set
sshd[3652]: pam_radius_auth: Sending RADIUS request code 1
sshd[3652]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fa56490e1c0.
sshd[3652]: pam_radius_auth: Got RADIUS response code 11
sshd[3652]: pam_radius_auth: authentication failed
sshd[3652]: pam_sepermit(sshd:auth): Parsing config file:     /etc/security/sepermit.conf
sshd[3652]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match
sshd[3652]: pam_sepermit(sshd:auth): sepermit_match returned: -1
sshd[3652]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 user=ws-admin@test.local
sshd[3652]: Failed password for ws-admin@test.local from 10.0.0.31 port 57962 ssh2
sshd[3652]: Connection closed by 10.0.0.31 [preauth]

Configuration and setup information follows below.

The test environment is provided by my company's infrastructure; we mainly use Windows clients, and roughly equal shares of Windows and Linux servers.

Win-Server: Windows Server 2016 x64

  • Active Directory: Test.local

  • ESET Secure Authentication (RADIUS server)

    • Shared secret with the client: test345
    • Option "Use Access-Challenge feature of RADIUS" enabled

Linux client/server: CentOS 7.3 x64

  • Joined the domain Test.local via realm
  • Local login with AD accounts and OTP 2FA works every time
  • SSH login with any account only works when pam_radius_auth.so is not set to required in /etc/pam.d/sshd (which means no 2FA)

Configuration of the Linux client/server

  • RADIUS server and shared secret added to /etc/raddb/server
  • pam_radius_auth.so is located in /usr/lib64/security/
  • auth required pam_radius_auth.so added to /etc/pam.d/sshd and /etc/pam.d/login

/etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
auth       sufficient   pam_radius_auth.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

/etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_radius_auth.so    debug
auth       required pam_sepermit.so      debug
auth       substack     password-auth      debug
auth       include      postlogin     debug
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

/etc/raddb/server

# server[:port] shared_secret      timeout (s)
10.0.0.1        test345            5

I managed to solve this myself.

Apparently the only thing that had to change was the order of the PAM modules in /etc/pam.d/sshd.

The line auth sufficient pam_radius_auth.so has to be below pam_sepermit.so and above password-auth.

Actually the order of the modules in /etc/pam.d/login wasn't correct either.

There the line auth sufficient pam_radius_auth.so should be below pam_securetty.so and above system-auth.

This is what the files look like now:

/etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       sufficient   pam_radius_auth.so
auth       substack     system-auth
auth       include      postlogin
# auth       sufficient   pam_radius_auth.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

/etc/pam.d/sshd

#%PAM-1.0
auth       required pam_sepermit.so
auth       sufficient   pam_radius_auth.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
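As an added example (not code from the post or from ESET), the following simplified model of how Linux-PAM walks an auth stack replays the two /etc/pam.d/sshd auth sections quoted above under constructed scenarios; the evaluator, the scenario names and their per-module outcomes are my assumptions, and include/substack is collapsed into a single required step.

```python
# Simplified Linux-PAM "auth" stack evaluator (added example, not from the post).
# include/substack entries are treated as one required step whose result is the
# outcome the nested stack (e.g. password-auth calling pam_sss) would return.
def evaluate_auth_stack(stack, outcomes):
    """Walk an auth stack in file order and return (verdict, modules_consulted).

    stack:    list of (control_flag, module) in the order they appear in the file
    outcomes: module -> "success" | "failure" | "ignore" (constructed per scenario)
    """
    required_failed, any_success, consulted = False, False, []
    for control, module in stack:
        result = outcomes.get(module, "ignore")
        consulted.append(module)
        if control in ("include", "substack"):
            control = "required"          # simplification of the nested stack
        if result == "success":
            any_success = True
        if control == "required" and result == "failure":
            required_failed = True        # remember, but keep calling later modules
        elif control == "requisite" and result == "failure":
            return "failure", consulted   # abort at once
        elif control == "sufficient" and result == "success" and not required_failed:
            return "success", consulted   # short-circuit: everything below is skipped
        # a failing "sufficient" or an "optional" result does not decide the stack
    verdict = "success" if any_success and not required_failed else "failure"
    return verdict, consulted

# auth sections of the two /etc/pam.d/sshd files quoted in the post
ORIGINAL_SSHD = [("required", "pam_radius_auth.so"), ("required", "pam_sepermit.so"),
                 ("substack", "password-auth"), ("include", "postlogin")]
FIXED_SSHD = [("required", "pam_sepermit.so"), ("sufficient", "pam_radius_auth.so"),
              ("substack", "password-auth"), ("include", "postlogin")]

# Constructed scenarios. "radius_rejected" mirrors the posted log: pam_radius_auth
# reported failure while pam_sss (inside password-auth) accepted the AD password.
SCENARIOS = {
    "radius_rejected": {"pam_radius_auth.so": "failure", "password-auth": "success"},
    "radius_accepted": {"pam_radius_auth.so": "success", "password-auth": "success"},
    "wrong_password":  {"pam_radius_auth.so": "failure", "password-auth": "failure"},
}

def compare(scenario):
    """Return {"original": (verdict, consulted), "fixed": (verdict, consulted)}."""
    outcomes = SCENARIOS[scenario]
    return {"original": evaluate_auth_stack(ORIGINAL_SSHD, outcomes),
            "fixed": evaluate_auth_stack(FIXED_SSHD, outcomes)}

if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, compare(name))
```

Under the posted log's scenario the original stack denies the login because the failed required pam_radius_auth.so taints the whole stack even though pam_sss succeeds, which is the "Failed password" line in the log. In the fixed stack a failing sufficient pam_radius_auth.so is simply ignored and the login falls through to password-auth, so the AD password alone is accepted whenever RADIUS rejects; OTP is only enforced on the path where RADIUS is the module that accepts.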

Quoted from: https://serverfault.com/questions/824302