CentOS 7 SSH and 2FA (ESET Secure Authentication)
I am stuck getting two-factor authentication working on CentOS 7; specifically, authentication via SSH with an OTP.
I would be grateful if someone could help me. :)
**Edit:** As far as I understand from the log below, the pam module asks the RADIUS server for authentication, the server responds with code 11 so that the pam module challenges the user for the OTP, but the module just says "authentication failed". So the client should be the problem, right?
Here is the log of an attempt to log in via SSH with the account "ws-admin@test.local":
```
sshd[3652]: pam_radius_auth: Got user name ws-admin@test.local
sshd[3652]: pam_radius_auth: ignore last_pass, force_prompt set
sshd[3652]: pam_radius_auth: Sending RADIUS request code 1
sshd[3652]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fa56490e1c0.
sshd[3652]: pam_radius_auth: Got RADIUS response code 11
sshd[3652]: pam_radius_auth: authentication failed
sshd[3652]: pam_sepermit(sshd:auth): Parsing config file: /etc/security/sepermit.conf
sshd[3652]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match
sshd[3652]: pam_sepermit(sshd:auth): sepermit_match returned: -1
sshd[3652]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 user=ws-admin@test.local
sshd[3652]: Failed password for ws-admin@test.local from 10.0.0.31 port 57962 ssh2
sshd[3652]: Connection closed by 10.0.0.31 [preauth]
```
The configuration and setup information follows below.
The test environment is provided by my company's infrastructure; we mainly use Windows clients, with roughly equal shares of Windows and Linux servers.
Win-Server: Windows Server 2016 x64
Active Directory: Test.local
ESET Secure Authentication (RADIUS server)
- Shared secret with the client: test345
- Option "Use RADIUS Access-Challenge feature" enabled
Linux client/server: CentOS 7.3 x64
- Joined to the domain Test.local via realm
- Local login with AD accounts and OTP 2FA works at any time
- SSH login with any account only works when pam_radius_auth.so is NOT set to required in /etc/pam.d/sshd (which means no 2FA)
Configuration of the Linux client/server:
- RADIUS server and shared secret added to /etc/raddb/server
- pam_radius_auth.so is located in /usr/lib64/security/
- auth required pam_radius_auth.so added to /etc/pam.d/sshd and /etc/pam.d/login
/etc/pam.d/login
```
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
auth sufficient pam_radius_auth.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
```
/etc/pam.d/sshd
```
#%PAM-1.0
auth required pam_radius_auth.so debug
auth required pam_sepermit.so debug
auth substack password-auth debug
auth include postlogin debug
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
```
/etc/raddb/server
```
# server[:port] shared_secret timeout (s)
10.0.0.1 test345 5
```
I managed to solve this myself.
Apparently the only thing that needed to change was the order of the pam modules in /etc/pam.d/sshd. The line `auth sufficient pam_radius_auth.so` must be below pam_sepermit.so and above password-auth. Actually, the order of the modules in /etc/pam.d/login was not correct either. There, the line `auth sufficient pam_radius_auth.so` should be below pam_securetty.so and above system-auth. This is what the files look like now:
/etc/pam.d/login
```
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth sufficient pam_radius_auth.so
auth substack system-auth
auth include postlogin
# auth sufficient pam_radius_auth.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
```
/etc/pam.d/sshd
```
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
```
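The fix above comes down to where pam_radius_auth.so sits in the auth stack. The following is an added example, not code from the original post, that parses pam.d-style text and checks that ordering for the sshd file; the two sample configs are constructed from the before/after auth sections shown on this page.

```python
# Added example (not from the original post): checks the auth-stack ordering
# that the answer above arrives at, using a small pam.d line parser.
from typing import List, Tuple

def auth_stack(pam_text: str) -> List[Tuple[str, str, str]]:
    """Return (control, module, args) for each auth line, in stack order."""
    entries = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, incl. "#%PAM-1.0"
        if not line:
            continue
        parts = line.split()
        if parts[0].lstrip("-") != "auth":         # "-auth" = silently optional module
            continue
        if parts[1].startswith("["):               # bracketed control, e.g. [success=ok ... default=bad]
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        module = rest[0] if rest else ""
        entries.append((control, module, " ".join(rest[1:])))
    return entries

def radius_position_ok(pam_text: str, before: str, after: str) -> bool:
    """True if pam_radius_auth.so sits after `before` and before `after` in the auth stack."""
    mods = [m for _, m, _ in auth_stack(pam_text)]
    try:
        return mods.index(before) < mods.index("pam_radius_auth.so") < mods.index(after)
    except ValueError:                             # a required module is missing entirely
        return False

# Constructed samples: the sshd auth section as first posted, then as fixed in the answer.
BROKEN_SSHD = """#%PAM-1.0
auth required pam_radius_auth.so debug
auth required pam_sepermit.so debug
auth substack password-auth debug
auth include postlogin debug
-auth optional pam_reauthorize.so prepare
"""
FIXED_SSHD = """#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth substack password-auth
auth include postlogin
-auth optional pam_reauthorize.so prepare
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_SSHD), ("fixed", FIXED_SSHD)):
        ok = radius_position_ok(text, "pam_sepermit.so", "password-auth")
        print(f"{name}: pam_radius_auth.so between pam_sepermit.so and password-auth -> {ok}")
```

The same check applies to /etc/pam.d/login with `pam_securetty.so` and `system-auth` as the neighbours.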