Ubuntu

Whitelisting IPs from google-authenticator in sshd PAM

  • August 28, 2013

My Ubuntu 12.04 server uses the google-authenticator PAM module to provide two-step verification for ssh. I need one particular IP to be exempt from entering the verification code.

The /etc/pam.d/sshd file looks like this:

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

auth required pam_google_authenticator.so

I have tried adding a line

auth sufficient pam_exec.so /etc/pam.d/ip.sh

above the google-authenticator line, but I don't understand how to check the IP address in a bash script.
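The check the question asks for, written out as an added example (this is not code from the post or from the google-authenticator project; the path /etc/pam.d/ip.sh is the one named in the question and the addresses in WHITELIST are constructed for illustration). pam_exec exports the client address that sshd set as PAM_RHOST and turns the script's exit status into a PAM result, so a `sufficient` pam_exec line placed below `@include common-auth` and above `pam_google_authenticator.so` skips the OTP prompt for whitelisted sources and leaves it in place for everyone else. The check has to be an `auth` line: PAM evaluates the account stack separately, so nothing placed there can skip an auth module. The script fails closed: empty, malformed or unlisted input means exit 1, and `sufficient` ignores that failure so the OTP module runs as before.

```shell
#!/bin/bash
# Whitelist check for pam_exec (example script, not from the original post).
# Hypothetical install path from the question: /etc/pam.d/ip.sh, wired in as
#   auth sufficient pam_exec.so /etc/pam.d/ip.sh
# directly above the pam_google_authenticator.so line and after common-auth,
# so the password check has already run. pam_exec exports PAM_RHOST, PAM_USER
# and PAM_TYPE; exit 0 maps to PAM_SUCCESS and, with "sufficient", ends the
# auth stack before the OTP module runs. Any non-zero exit is a failure that
# "sufficient" ignores, so the OTP prompt simply follows. IPv4 only.

# Constructed whitelist for the example: single addresses and CIDR blocks.
WHITELIST="203.0.113.10 198.51.100.0/24"

# Dotted-quad IPv4 -> 32-bit integer on stdout; return 1 for anything malformed
# (hostnames, too few/many fields, octets > 255, IPv6 literals).
ip_to_int() {
    local a b c d octet
    IFS=. read -r a b c d <<< "$1" || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "${#octet}" -le 3 ] || return 1          # guard against arithmetic overflow
        [ "$((10#$octet))" -le 255 ] || return 1    # 10# avoids octal for leading zeros
    done
    echo $(( (10#$a << 24) | (10#$b << 16) | (10#$c << 8) | 10#$d ))
}

# Return 0 if IPv4 $1 lies inside $2, which is a plain address or a.b.c.d/len.
in_cidr() {
    local ip=$1 net=${2%/*} len=${2#*/} ipn netn mask
    [ "$len" = "$2" ] && len=32                     # no "/len": exact match
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    ipn=$(ip_to_int "$ip") || return 1
    netn=$(ip_to_int "$net") || return 1
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# Return 0 only for a non-empty address matching some entry: default deny.
is_whitelisted() {
    local addr=$1 entry
    [ -n "$addr" ] || return 1
    for entry in $WHITELIST; do
        in_cidr "$addr" "$entry" && return 0
    done
    return 1
}

# Decision path, taken only when pam_exec invoked us (it always sets PAM_TYPE).
# Anything other than an auth call from a whitelisted address is a failure.
if [ -n "${PAM_TYPE:-}" ]; then
    if [ "$PAM_TYPE" = auth ] && is_whitelisted "${PAM_RHOST:-}"; then
        logger -t ip.sh "skipping OTP for ${PAM_USER:-?} from $PAM_RHOST"
        exit 0
    fi
    exit 1
fi
```

Install the script root-owned and not group- or world-writable, since it runs with sshd's privileges, and set `UseDNS no` in sshd_config so that PAM_RHOST is the client address rather than a reverse-DNS name the script would reject. Test from a non-whitelisted host first to confirm the OTP prompt still appears. pam_access also implements the auth group, so `auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/otp-skip.conf` (file name assumed) with a file ending in `-:ALL:ALL` is a script-free alternative under the same placement rules.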

You cannot allow or deny authentication using pam_exec. What you should do is add something like

account  sufficient pam_access.so

right above the google authenticator line, and put

+:ALL:<ip>

in /etc/security/access.conf.

I use Google Authenticator before the account password. Therefore I cannot use pam_access, because it bypasses the account password. So I cloned Google Authenticator and implemented a whitelist feature in its core.

You can get it from https://code.google.com/r/kazimsarikaya-google-authenticatior-withwhitelist/.

Quoted from: https://serverfault.com/questions/459523