Debian

Debian 添加一個新的 PAM 模組並且即使密碼驗證失敗也需要它?

  • December 25, 2019

我有這些行/etc/pam.d/sshd

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password

現在我安裝了google-authenticator並附auth required /usr/local/lib/security/pam_google_authenticator.so authtok_prompt=TOTP?加到該文件的末尾。現在它可以工作了,但是如果我輸入了錯誤的密碼,身份驗證將立即失敗,而不需要 OTP。

我想要的是,如果輸入的任何一個不正確,系統仍然提示輸入另一個,然後輸出Access Denied(不提示哪個錯誤)。

根據上面的文件,有 OTP 模組並pam_unix.so設置為required應該做的工作。但在我的系統上似乎pam_unix.so在另一個文件(@include common-password)中。這是該文件的內容:

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password        [success=1 default=ignore]      pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

我不知道我是否應該修改這個文件,因為似乎其他文件仍然依賴它,我只希望 OTP 模組在 SSH 會話中工作。我應該修改什麼?任何幫助表示讚賞。

您可能有common-auth以下幾行:

auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

如果pam_unix中的密碼失敗,PAM 將轉到下一行,這是無條件失敗並且是必需的,因此身份驗證在此處停止。如果驗證正確,則將跳過第二行。

您可能希望將其替換為@include common-auth

auth    required    pam_unix.so nullok_secure
auth    required    /usr/local/lib/security/pam_google_authenticator.so authtok_prompt=TOTP?

common-auth並從(pam_cap.so?)添加一些其他模組。

引用自:https://serverfault.com/questions/996717