Ssh

SSH two-factor authentication (2FA) with a yubikey

  • April 11, 2022

I have this nifty little yubikey and I'd like to add an extra layer of security when authenticating ssh sessions. On the server side I've already disabled password authentication and only allow ssh keys at login.

The problem is that after configuring sshd and PAM for yubikey auth, sshd still only requires an ssh key, and I'm never asked for a response from the yubikey.

How do I require both the ssh key AND the yubikey?

(ubuntu 14.04 - trusty)

/etc/pam.d/common-auth:

auth    required    pam_yubico.so mode=client try_first_pass id=<id> key=<secret>
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional            pam_cap.so
# end of pam-auth-update config

/etc/ssh/sshd_config:

...

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

Okay, I stuck with it and I think I've come up with a reasonable solution. The main thing I was missing before was sshd's AuthenticationMethods publickey,password. This forces public key AND password, and the "password" is now handled by PAM->yubi-auth. Other changes were needed too, see below:

(ubuntu 14.04 - trusty):

/etc/pam.d/yubi-auth

auth    required pam_yubico.so mode=client try_first_pass id=<id> key=<key>

Note: you can get your access id and key here

/etc/pam.d/sshd

# Standard Un*x authentication.
#@include common-auth

# Yubikey auth
@include yubi-auth

/etc/ssh/sshd_config

UsePAM yes
ChallengeResponseAuthentication no
AuthenticationMethods publickey,password
PasswordAuthentication yes

service ssh restart

Verification

SSH from a remote host without a public key

root@0a6442bcb21c:/# ssh ben@192.168.1.20
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established.
ECDSA key fingerprint is ea:2a:e3:98:35:72:66:b1:e0:65:6b:3f:60:8a:af:ab.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.20' (ECDSA) to the list of known hosts.
Permission denied (publickey).

SSH from a remote host with a public key

$ ssh ben@192.168.1.20
Authenticated with partial success.
ben@192.168.1.20's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64)

Improvements

It would be nice to see "Yubikey Auth:" instead of "password:" from the remote ssh server when authenticating.

What happens when the ssh server can't reach yubico's auth verification system? The ideal solution would be completely self-contained.

Comments and suggestions appreciated.
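Added example, not from the serverfault post or its author: a small POSIX shell audit that encodes the invariant the answer arrives at (an ssh key alone must never be enough, so every alternative in AuthenticationMethods has to chain publickey with a second method that sshd hands to PAM) and runs it against constructed copies of the question's and the answer's sshd_config. It goes slightly beyond the post by handling several space-separated alternatives and the newer KbdInteractiveAuthentication keyword. The function names (sshd_get, check_sshd_config, write_question_config, write_answer_config) are my own; the sample configs are constructed from the snippets above.

```shell
#!/bin/sh
# Added example, not from the serverfault post. Audits an sshd_config for the
# property the answer relies on: an ssh key alone must never be enough, so every
# alternative in AuthenticationMethods has to chain publickey with a second
# method that sshd hands to PAM (password, or keyboard-interactive).
# Function names are assumptions; the sample configs are constructed from the
# snippets in the question and the answer.

# Print the effective value of one sshd_config keyword: first match wins, as in
# sshd; comments and blank lines are skipped; anything after a Match block is
# conditional and ignored here.
sshd_get() {
    awk -v k="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Return 0 when the file forces publickey plus a PAM factor, 1 (with a reason) otherwise.
check_sshd_config() {
    f="$1"
    usepam=$(sshd_get "$f" UsePAM)
    methods=$(sshd_get "$f" AuthenticationMethods)
    pw=$(sshd_get "$f" PasswordAuthentication)
    # OpenSSH 8.7+ renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication.
    kbd=$(sshd_get "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_get "$f" ChallengeResponseAuthentication)
    # sshd defaults when the keyword is absent
    usepam=${usepam:-no}; pw=${pw:-yes}; kbd=${kbd:-yes}

    [ "$usepam" = yes ] || { echo "$f: UsePAM is $usepam, PAM modules never run"; return 1; }
    [ -n "$methods" ] || { echo "$f: AuthenticationMethods unset, a key alone logs in"; return 1; }

    # Space-separated alternatives; each is a comma-separated chain that must
    # succeed in order. One weak alternative is enough to bypass the others.
    for alt in $methods; do
        case "$alt" in
            publickey,password)
                [ "$pw" = yes ] || { echo "$f: '$alt' listed but PasswordAuthentication is $pw"; return 1; } ;;
            publickey,keyboard-interactive|publickey,keyboard-interactive:pam)
                [ "$kbd" = yes ] || { echo "$f: '$alt' listed but keyboard-interactive is $kbd"; return 1; } ;;
            *)
                echo "$f: alternative '$alt' does not chain publickey with a PAM factor"; return 1 ;;
        esac
    done
    echo "$f: ok, every alternative requires publickey plus a PAM factor"
}

# Constructed sample: the question's sshd_config (nothing ties the key to PAM).
write_question_config() {
    printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' 'UsePAM yes' >"$1"
}

# Constructed sample: the answer's sshd_config.
write_answer_config() {
    printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication no' \
        'AuthenticationMethods publickey,password' 'PasswordAuthentication yes' >"$1"
}

before=$(mktemp); after=$(mktemp)
write_question_config "$before"; write_answer_config "$after"
check_sshd_config "$before" || true   # rejected: AuthenticationMethods unset
check_sshd_config "$after"            # ok
rm -f "$before" "$after"
```

Run it against the live /etc/ssh/sshd_config after `service ssh restart`: a config that still lets `ssh -o PreferredAuthentications=publickey` log in will be reported with the alternative that allows it. It does not check the PAM side (that /etc/pam.d/sshd really includes pam_yubico and nothing that succeeds without it), which is the other half of the setup.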

Quoted from: https://serverfault.com/questions/742054