PAM authentication problem


I am trying to set up PAM authentication alongside public-key authentication for SSH inside an LXD Arch container. When I connect and enter the correct code, I get the following in the server-side log:

Jan 31 21:04:41 arch sshd[2424]: PAM unable to resolve symbol: pam_sm_acct_mgmt
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: start of google_authenticator for "root"
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: "/root/.google_authenticator" read
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: shared secret in "/root/.google_authenticator" processed
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: google_authenticator for host "10.145.176.1"
Jan 31 21:04:52 arch sshd(pam_google_authenticator)[2426]: debug: no scratch code used from "/root/.google_authenticator"
Jan 31 21:04:52 arch sshd(pam_google_authenticator)[2426]: Accepted google_authenticator for root
Jan 31 21:04:52 arch sshd(pam_google_authenticator)[2426]: debug: "/root/.google_authenticator" written
Jan 31 21:04:52 arch sshd(pam_google_authenticator)[2426]: debug: end of google_authenticator for "root". Result: Success
Jan 31 21:04:52 arch sshd[2424]: error: PAM: User account has expired for root from 10.145.176.1
Jan 31 21:04:52 arch sshd[2424]: fatal: monitor_read: unpermitted request 104

On the client side, after I enter the correct code it seems to connect, but the connection is closed immediately:

user@magician:~
 $ ssh [email protected]
([email protected]) Verification code: 
Connection closed by 10.145.176.228 port 22

The same thing happens when I try to connect with a scratch code (the backup codes provided by libpam-google-authenticator); the only difference in the log is that a scratch code was used.

The changed part of my sshd_config:

AuthenticationMethods publickey,keyboard-interactive:pam
PasswordAuthentication no
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
UsePAM yes

My /etc/pam.d/sshd:

#%PAM-1.0
# auth      include   system-remote-login
# account   include   system-remote-login
# password  include   system-remote-login
# session   include   system-remote-login
auth required pam_google_authenticator.so debug
account required pam_google_authenticator.so debug

The root account has not expired. Output of chage -l root:

Last password change                                    : Sep 19, 2010
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : -1
Maximum number of days between password change          : -1
Number of days of warning before password expires       : -1

Answer 1

The "chage" output is only relevant to the result of pam_unix.so, but that is not the only module involved here: your PAM "account" section also lists pam_google_authenticator.so as "required".

However, pam_google_authenticator.so has no handler for the "account" function (it only handles the "auth" stage), and configuring it for "account" most likely causes a generic error to be reported by default.

In other words, remove account required pam_google_authenticator.so, because it is not a user authorization module, only an authentication module.
