Ubuntu
sshd pam 中來自 google-authenticator 的白名單 IP
我的 Ubuntu 12.04 伺服器使用 google-authenticator pam 模組為 ssh 提供兩步驗證。我需要使某個IP不需要輸入驗證碼。
/etc/pam.d/sshd 文件如下:
# PAM configuration for the Secure Shell service # Read environment variables from /etc/environment and # /etc/security/pam_env.conf. auth required pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. auth required pam_env.so envfile=/etc/default/locale # Standard Un*x authentication. @include common-auth # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so # Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. # account required pam_access.so # Standard Un*x authorization. @include common-account # Standard Un*x session setup and teardown. @include common-session # Print the message of the day upon successful login. session optional pam_motd.so # [1] # Print the status of the user's mailbox upon successful login. session optional pam_mail.so standard noenv # [1] # Set up user limits from /etc/security/limits.conf. session required pam_limits.so # Set up SELinux capabilities (need modified pam) # session required pam_selinux.so multiple # Standard Un*x password updating. @include common-password auth required pam_google_authenticator.so
我已經嘗試添加一個
auth sufficient pam_exec.so /etc/pam.d/ip.sh
google-authenticator 行上方的行,但我不明白如何在 bash 腳本中檢查 IP 地址。
您不能允許或拒絕使用 pam_exec 進行身份驗證。你應該做的是添加類似
account sufficient pam_access.so
就在 google authetnicator 行上方並
/etc/security/access.conf
輸入+:ALL:<ip>
我在帳戶密碼之前使用Google身份驗證器。因此我不能使用 pam_access 因為它繞過了帳戶密碼。所以我複製並實現了Google身份驗證器的核心白名單功能。
您可以從https://code.google.com/r/kazimsarikaya-google-authenticatior-withwhitelist/獲取它。