Ssh
One account needs SSH key + Google Authenticator, another account needs SSH key only
I am trying to set up an SSH authentication structure, but I am struggling with /etc/ssh/sshd_config and /etc/pam.d/sshd.
Requirements:
- Account with root/sudo privileges
  - Requires public key authentication, followed by
  - Google Authenticator
- Unprivileged account
  - Requires public key authentication only
In other words, password-based authentication should not be allowed, public key authentication should always be required, and Google Authenticator should be required conditionally.
What works:
The privileged account works exactly as I need: public key followed by Google Authenticator. I also verified that a public key missing from ~/.ssh/authorized_keys is rejected, and that a login attempt that offers no key at all is rejected.
What does not work:
The unprivileged account appears to be correctly prompted for the passphrase to unlock the private key, and I believe the key succeeds. But authentication fails with the following message:
Permission denied (keyboard-interactive).
$ ssh -v -i id_rsa_unprivileged unprivileged@blahblah
debug1: Server accepts key: pkalg ssh-rsa blen 2071
Enter passphrase for key 'id_rsa_unprivileged':
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: keyboard-interactive
debug1: No more authentication methods to try.
unprivileged@blahblah: Permission denied (keyboard-interactive).

$ sudo cat /var/log/auth.log
Sep  3 00:44:13 hostname sshd[4249]: pam_succeed_if(sshd:auth): requirement "user ingroup 2faexempt" was met by user "unprivileged"
Sep  3 00:44:13 hostname sshd[4247]: error: PAM: Permission denied for unprivileged from IP ADDRESS
Sep  3 00:44:13 hostname sshd[4247]: Connection closed by IP ADDRESS port PORT [preauth]
Note: the unprivileged account correctly rejects a public key missing from ~/.ssh/authorized_keys, and rejects a login attempt that offers no key.
What I did:
My strategy was to create a group called "2faexempt" and add the accounts that should be exempt from two-factor authentication (the unprivileged accounts) to it. I then edited /etc/ssh/sshd and /etc/pam.d/sshd to reflect the policy I need.
$ cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# USER ADDED #
AuthenticationMethods publickey,keyboard-interactive

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
$ cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# USER COMMENTED #
## Standard Un*x authentication.
#@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password

# USER ADDED #
auth [success=1 default=ignore] pam_succeed_if.so user ingroup 2faexempt
auth sufficient pam_google_authenticator.so
I figured out a way to make it work. It looks very hacky, but it does work.
It seems insecure to me.

$ cat relevant section of /etc/pam.d/sshd
...
# USER COMMENTED #
## Standard Un*x authentication.
#@include common-auth
...
# USER ADDED #
auth [success=1 default=ignore] pam_succeed_if.so user ingroup 2faexempt
auth requisite pam_google_authenticator.so
auth required pam_permit.so
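The auth.log line in the question ("requirement ... was met" immediately followed by "PAM: Permission denied") and the self-answer's fix both follow from one Linux-PAM dispatch rule: a stack whose final status was never set by an ok/done/bad/die action returns PAM_PERM_DENIED. In the original stack, the `[success=1 default=ignore]` jump skips pam_google_authenticator.so for 2faexempt members, so no module ever returns success on that path; pam_permit.so in the self-answer is exactly the module that does. The following is an added example, not from the post and not Linux-PAM's or pam_google_authenticator's code. It models the dispatch rules from pam.conf(5) for the two auth stacks shown on this page, with each module's return code supplied by the caller (the helper names `dispatch`, `login` and the stack constants are this example's own):

```python
"""Small model of Linux-PAM auth-stack dispatch, used to replay the
two /etc/pam.d/sshd stacks from this page.  Module return codes are
chosen by the caller; nothing here talks to a real PAM service."""

# Module return codes (a subset of Linux-PAM's).
SUCCESS, AUTH_ERR, IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"
PERM_DENIED = "PAM_PERM_DENIED"   # Linux-PAM's PAM_MUST_FAIL_CODE, the initial status

# Expansion of the classic control keywords into [retcode=action] tables,
# as documented in pam.conf(5).  Actions: ok, done, bad, die, ignore, or
# an integer N meaning "skip the next N modules on this return code".
KEYWORDS = {
    "required":   {SUCCESS: "ok",   IGNORE: "ignore", "default": "bad"},
    "requisite":  {SUCCESS: "ok",   IGNORE: "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok",   "default": "ignore"},
}


def parse_control(control):
    """Turn 'required' or '[success=1 default=ignore]' into an action table."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    assert control.startswith("[") and control.endswith("]"), control
    table = {}
    for item in control[1:-1].split():
        retcode, action = item.split("=")
        key = "default" if retcode == "default" else "PAM_" + retcode.upper()
        table[key] = int(action) if action.isdigit() else action
    return table


def dispatch(stack, results):
    """Run one PAM stack and return its final status.

    stack   -- list of (control, module) tuples in file order
    results -- dict module -> return code for this particular login
    Mirrors pam_dispatch.c: status starts as PAM_PERM_DENIED and only
    changes on an ok/done/bad/die action.  Jumps and 'ignore' leave it
    untouched, so a stack in which nothing positive fires is denied.
    """
    status, impression = PERM_DENIED, None   # impression: None, "pos" or "neg"
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval, table.get("default", "bad"))
        if isinstance(action, int):           # success=N style jump: skip N modules
            i += action
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                          # 'sufficient' short-circuits only if nothing failed earlier
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval   # first failure wins
            if action == "die":
                break                          # 'requisite' stops the stack immediately
        # "ignore": contributes nothing to the result
    return status


SUCCEED_IF = "pam_succeed_if.so user ingroup 2faexempt"
GAUTH = "pam_google_authenticator.so"
PERMIT = "pam_permit.so"

# Auth lines from the question's /etc/pam.d/sshd.
QUESTION_STACK = [
    ("[success=1 default=ignore]", SUCCEED_IF),
    ("sufficient", GAUTH),
]

# Auth lines from the self-answer: pam_permit.so gives the exempt path a
# module that actually returns success.
ANSWER_STACK = [
    ("[success=1 default=ignore]", SUCCEED_IF),
    ("requisite", GAUTH),
    ("required", PERMIT),
]


def login(stack, in_exempt_group, otp_ok):
    """Constructed module results for one login attempt, then the verdict."""
    results = {
        SUCCEED_IF: SUCCESS if in_exempt_group else AUTH_ERR,  # any failure code is 'ignore'd here
        GAUTH: SUCCESS if otp_ok else AUTH_ERR,
        PERMIT: SUCCESS,                                        # pam_permit.so always succeeds
    }
    return dispatch(stack, results)


if __name__ == "__main__":
    for name, stack in (("question", QUESTION_STACK), ("answer", ANSWER_STACK)):
        for exempt, otp in ((True, False), (False, True), (False, False)):
            print(f"{name:8} exempt={exempt!s:5} otp_ok={otp!s:5} -> {login(stack, exempt, otp)}")
```

Replaying the exempt user against the question's stack yields PAM_PERM_DENIED even though pam_succeed_if matched, which is what auth.log showed; the same user against the self-answer's stack succeeds because pam_permit.so sets a positive result, and a privileged user with a wrong code is stopped by `requisite`. This is the documented way to build an exemption in PAM, so the self-answer is not a hack. A less roundabout alternative is to keep PAM out of the exempt path altogether by adding `Match Group 2faexempt` with `AuthenticationMethods publickey` at the end of sshd_config, so sshd never requests keyboard-interactive for those users.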