我想要求每个用户都使用 Google Authenticator 的 MFA。每次添加新用户时,我都希望允许他们仅使用 SSH 密钥登录一次,并在登录时要求他们通过在其 中运行 GAuth 设置来创建密钥.bash_login。这将~/.google_authenticator在他们的主目录中创建。我遵循这些说明(Ctrl+F“强制创建的另一种方法”)设置我的sshd_config和pam.d。它们如下,已删除注释:
/etc/ssh/sshd_config
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
AllowUsers me him
PermitRootLogin no
MaxStartups 15
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
/etc/pam.d/sshd
# Standard Un*x authentication.
#@include common-auth
account required pam_nologin.so
# Standard Un*x authorization.
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so nullok
据我所知,最后一行的“nullok”表示如果未设置密钥,则无需任何操作即可满足该身份验证要求。但是,当我尝试使用未配置密钥的用户登录时,我收到如下信息:
$ ssh him@my_device
[email protected]: Permission denied (keyboard-interactive).
一旦创建了文件,登录应该可以顺利进行。如何在不存在的.google_authenticator情况下允许这种登录?.google_authenticator
顺便说一下,这是 Ubuntu 18.04 LTS。
答案1
我注意到项目自述文件有一个更新,添加了有关该nullok选项的信息。
PAM requires at least one `SUCCESS` answer from a module, and `nullok`
causes this module to say `IGNORE`. This means that if this option is
used at least one other module must have said `SUCCESS`. One way to do
this is to add `auth required pam_permit.so` to the end of the PAM
config.