ssh keyboard-interactive authentication: when to enter the Google Authenticator code

These questions seem related:

I believe my situation is different enough to start a new discussion.


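I have set up ssh to use PAM with Google Authenticator. I have added the necessary lines to /etc/ssh/sshd_config and /etc/pam.d/sshd, and set up Google Authenticator on both computers and in the app. Each system's public key has been copied to the other system.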

/etc/ssh/sshd_config

PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

/etc/pam.d/sshd

#%PAM-1.0
auth     required  pam_securetty.so     #disable remote root
# require google authenticator
auth      required  pam_google_authenticator.so
# but not password
#auth      include   system-remote-login
account   include   system-remote-login
password  include   system-remote-login
session   include   system-remote-login

This is the output of ssh -vvv 192.IP.address.0:

OpenSSH_7.4p1, OpenSSL 1.0.2j  26 Sep 2016
...
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ...
...
debug2: service_accept: ssh-userauth
...
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/trespaul/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok
debug3: sign_and_send_pubkey
Enter passphrase for key '/home/trespaul/.ssh/id_rsa': 
debug3: send packet: type 50
debug3: receive packet: type 51
Authenticated with partial success.
debug1: Authentications that can continue: **keyboard-interactive**
debug3: **start over**, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: **keyboard-interactive**
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: **we sent a keyboard-interactive packet**, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (keyboard-interactive).

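Between the last two bold/double-asterisked lines ("next authentication method is kbd interactive" and "we sent a packet"), I was not asked to enter my OTP. Why is that? What am I missing?

Extra information

libpam-google-authenticator was installed on Arch from the AUR using make install etc.

Edit: server logs

journalctl on the server has the following: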

systemd[1]: Started OpenSSH Per-Connection Daemon (10.0.0.5:38150).
sshd[1376]: PAM unable to dlopen(/usr/lib/security/pam_google_authenticator.so): /usr/lib/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
sshd[1376]: PAM adding faulty module: /usr/lib/security/pam_google_authenticator.so
sshd[1376]: error: PAM: Module is unknown for paul from 10.0.0.5
sshd[1376]: Connection closed by 10.0.0.5 port 38150 [preauth]

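Thanks.

Answer 1

"libpam-google-authenticator was installed from the AUR using make install etc."

That's not how you install things from the AUR.

AUR packages already have their own build and install instructions, the PKGBUILD file, which already copies the necessary files to their locations and even creates a .pkg.tar.gz file from them. The correct way to build one is makepkg: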

makepkg -sirc

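will build, install, and clean up.

What if the files you downloaded do not include a PKGBUILD? Then you downloaded the wrong files. The top-level package source can be obtained from the links in the rightmost box,

Answer 2

So I solved the problem with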

sudo cp '.../AUR Package/.libs/pam_google_authenticator.so' /usr/lib/security/pam_google_authenticator.so

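The error was a missing .so file, which means something went wrong during installation or I missed something.


But this doesn't seem like best practice. If anyone has a better, more elegant solution, feel free to add it as an answer.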
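
The journal lines in the question show sshd failing because PAM could not load a module named in /etc/pam.d/sshd, which the client only sees as a keyboard-interactive step with no prompt. As an added example (not part of the original posts), this shell function lists the modules a PAM service file names that are absent from the module directory; the function name check_pam_modules and the sample files are constructed for illustration, and include lines are skipped rather than followed.

```shell
#!/bin/sh
# Added example: report modules that a PAM service file names but that are
# absent from the module directory (what sshd logs as "PAM unable to dlopen").
# check_pam_modules FILE [MODULE_DIR]: print each missing module path and
# return 1 if any is missing. MODULE_DIR defaults to the path in the journal.
check_pam_modules() {
    pam_file=$1
    mod_dir=${2:-/usr/lib/security}
    status=0
    # Collapse a bracketed control such as [success=1 default=ignore] into one
    # token so every rule splits into type, control, module.
    rules=$(sed 's/\[[^]]*\]/BRACKET/' "$pam_file")
    while read -r type control module rest; do
        case $type in ''|'#'*|'@'*) continue ;; esac         # blank, comment, @include
        case $control in include|substack) continue ;; esac  # names another PAM file
        case $module in
            '') continue ;;
            /*) path=$module ;;                               # absolute module path
            *)  path=$mod_dir/$module ;;
        esac
        if [ ! -f "$path" ]; then
            printf '%s\n' "$path"
            status=1
        fi
    done <<EOF
$rules
EOF
    return $status
}

# Constructed sample: rules taken from the question's /etc/pam.d/sshd and a module
# directory holding pam_securetty.so but not the Google Authenticator module.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/security" && : > "$tmp/security/pam_securetty.so"
    cat > "$tmp/sshd" <<'EOF'
#%PAM-1.0
auth     required  pam_securetty.so     #disable remote root
auth      required  pam_google_authenticator.so
#auth      include   system-remote-login
account   include   system-remote-login
EOF
    check_pam_modules "$tmp/sshd" "$tmp/security" | sed "s|^$tmp/security|MODULE_DIR|"
    rm -rf "$tmp"
}
demo
```

On a real host the call would be check_pam_modules /etc/pam.d/sshd, run after installing the package and before restarting sshd with the new AuthenticationMethods line.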
