Debian
Debian: add a new PAM module and require it even when password authentication fails?
I have these lines in /etc/pam.d/sshd:

```
# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password
```
Now I have installed google-authenticator and appended

```
auth required /usr/local/lib/security/pam_google_authenticator.so authtok_prompt=TOTP?
```

to the end of that file. It works now, but if I enter a wrong password, authentication fails immediately without asking for the OTP. What I want is that if either of them is entered incorrectly, the system still prompts for the other one and then prints Access Denied (without indicating which one was wrong).
According to the documentation above, having the OTP module and `pam_unix.so` both set to `required` should do the job. But on my system `pam_unix.so` seems to live in another file (`@include common-password`). This is the content of that file:

```
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password	[success=1 default=ignore]	pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
```
I don't know whether I should modify this file, since other files still seem to depend on it, and I only want the OTP module to apply to SSH sessions. What should I modify? Any help is appreciated.
You probably have the following lines in `common-auth`:

```
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
```

If the password check in pam_unix fails, PAM moves on to the next line, which fails unconditionally and is requisite, so authentication stops there. If the password is correct, the second line is skipped.
You might want to replace `@include common-auth` with:

```
auth required pam_unix.so nullok_secure
auth required /usr/local/lib/security/pam_google_authenticator.so authtok_prompt=TOTP?
```

and add any other modules from `common-auth` (pam_cap.so?).