I am trying to set up PAM authentication together with public-key authentication for SSH inside an LXD arch container. When I connect and supply the correct code, I get the following in the log on the server side:
Jan 31 21:04:41 arch sshd[2424]: PAM unable to resolve symbol: pam_sm_acct_mgmt
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: start of google_authenticator for "root"
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: "/root/.google_authenticator" read
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: shared secret in "/root/.google_authenticator" processed
Jan 31 21:04:41 arch sshd(pam_google_authenticator)[2426]: debug: google_authenticator for host "10.145.176.1"
Jan 31 21:04:52 arch sshd(pam_google_authenticator)[2426]: debug: no scratch code used from "/root/.google_authenticator"
Jan 31 21:04:52 arch sshd(pam_google_authenticator)[2426]: Accepted google_authenticator for root
Jan 31 21:04:52 arch sshd(pam_google_authenticator)[2426]: debug: "/root/.google_authenticator" written
Jan 31 21:04:52 arch sshd(pam_google_authenticator)[2426]: debug: end of google_authenticator for "root". Result: Success
Jan 31 21:04:52 arch sshd[2424]: error: PAM: User account has expired for root from 10.145.176.1
Jan 31 21:04:52 arch sshd[2424]: fatal: monitor_read: unpermitted request 104
On the connecting side, after I enter the correct code it appears to connect, but the connection is closed immediately:
user@magician:~
$ ssh [email protected]
([email protected]) Verification code:
Connection closed by 10.145.176.228 port 22
The same thing happens when I try to connect with a scratch code (the backup codes provided by libpam-google-authenticator); the only difference in the log is that a scratch code was used.
The changed part of my sshd_config:
AuthenticationMethods publickey,keyboard-interactive:pam
PasswordAuthentication no
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
UsePAM yes
My /etc/pam.d/sshd:
#%PAM-1.0
# auth include system-remote-login
# account include system-remote-login
# password include system-remote-login
# session include system-remote-login
auth required pam_google_authenticator.so debug
account required pam_google_authenticator.so debug
The root account has not expired. Output of chage -l root:
Last password change : Sep 19, 2010
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : -1
Number of days of warning before password expires : -1
Answer 1
The "chage" output only relates to the result of pam_unix.so, but that is not the only module involved here: your PAM "account" stack also lists pam_google_authenticator.so as "required".
However, pam_google_authenticator.so has no handler for the "account" function (it only handles the "auth" phase), and configuring it for "account" most likely makes it report a generic error by default.
In other words, remove the line "account required pam_google_authenticator.so", because it is not a user authorization module, only an authentication module.
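The "PAM unable to resolve symbol: pam_sm_acct_mgmt" line in the log is Linux-PAM failing to dlsym() the entry point for the management group the module was listed under, and that mismatch can be found statically before a login is attempted. The following Python script is an added example and not code from the question, the answer, or the pam_google_authenticator project: it parses a PAM service file and, given the symbols each module exports (obtained with nm -D on a real host; a constructed table is used here for the offline run), reports every entry whose module lacks a pam_sm_* hook for its group. The group-to-symbol mapping is Linux-PAM's; the sample service files, the export table, the libdir default and the decision to re-enable the commented-out "account include system-remote-login" line in the fixed sample are assumptions made for the example.

```python
"""Static check of a PAM service file: does each module export the pam_sm_*
entry point(s) for the management group it is listed under?  Linux-PAM
resolves that symbol with dlsym() at run time and logs
"PAM unable to resolve symbol" when it is missing.
Added example; not code from the original question or answer.
"""
import re
import subprocess
from pathlib import Path

# Management group -> entry points Linux-PAM resolves for that group.
HOOKS_FOR_GROUP = {
    "auth": ("pam_sm_authenticate", "pam_sm_setcred"),
    "account": ("pam_sm_acct_mgmt",),
    "password": ("pam_sm_chauthtok",),
    "session": ("pam_sm_open_session", "pam_sm_close_session"),
}

# "<group> <control> <module> [args]"; control may be a bracketed list with
# spaces, e.g. [success=1 default=ignore]; a leading '-' on group is allowed.
LINE_RE = re.compile(
    r"^-?(?P<group>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+.*)?$"
)


def module_exports(so_path):
    """Defined dynamic symbols of one module, via GNU nm (binutils)."""
    out = subprocess.run(
        ["nm", "-D", "--defined-only", str(so_path)],
        capture_output=True, text=True, check=True,
    ).stdout
    return {line.split()[-1] for line in out.splitlines() if line.strip()}


def check_pam_config(text, exports):
    """Return [(lineno, group, module, missing)] for every entry whose module
    lacks a hook of its group.  `exports` maps module basename -> set of
    exported symbols.  include/substack lines name another service file,
    not a module, and are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if not m or m["control"] in ("include", "substack"):
            continue
        group, module = m["group"], m["module"].rsplit("/", 1)[-1]
        syms = exports.get(module)
        if syms is None:
            findings.append((lineno, group, module, "module not found"))
            continue
        for hook in HOOKS_FOR_GROUP[group]:
            if hook not in syms:
                findings.append((lineno, group, module, hook))
    return findings


def check_service_on_host(service="sshd", pam_dir="/etc/pam.d",
                          libdir="/usr/lib/security"):
    """Run the check against real files on this host.  libdir is the Arch
    module directory (assumption); Debian uses e.g.
    /lib/x86_64-linux-gnu/security."""
    text = Path(pam_dir, service).read_text()
    exports = {p.name: module_exports(p) for p in Path(libdir).glob("pam_*.so")}
    return check_pam_config(text, exports)


# Constructed samples: the poster's /etc/pam.d/sshd, and the same file with the
# account line removed and the distribution's account stack re-enabled
# (re-enabling the include is an assumption, not part of the answer).
BROKEN_SSHD = """#%PAM-1.0
auth required pam_google_authenticator.so debug
account required pam_google_authenticator.so debug
"""
FIXED_SSHD = """#%PAM-1.0
auth required pam_google_authenticator.so debug
account include system-remote-login
"""
# Constructed export table (assumption consistent with the log: the OTP module
# carries auth hooks only).  On a real host use module_exports() instead.
SAMPLE_EXPORTS = {
    "pam_google_authenticator.so": {"pam_sm_authenticate", "pam_sm_setcred"},
    "pam_unix.so": {h for hooks in HOOKS_FOR_GROUP.values() for h in hooks},
}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_SSHD), ("fixed", FIXED_SSHD)):
        print(name, check_pam_config(cfg, SAMPLE_EXPORTS))
```

Run against the poster's file, the only finding is line 3, group "account", module pam_google_authenticator.so, missing pam_sm_acct_mgmt, which is exactly the symbol sshd's log complains about; the fixed sample produces no findings. The check only says whether the symbol exists, not what the module does when called, so it catches the dlsym failure but not, for example, an account hook that always denies.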