Help bypassing SSH two-factor authentication on macOS when on the same local network

Because I need to use a few different applications, I need to be able to bypass Google's two-factor authentication pam.d module when the SSH connection comes from the same network. There is very little information about this online; there are a few questions on the Stack network, but none of the solutions worked for me. I'm not sure whether that's because those solutions are Linux-specific or whether I'm just missing something. I'm using macOS in every instance here.

I'm not very familiar with these settings. If I'm not on the same local network, I do want to require the password, the key and 2FA, but if I am on the same local network, skip the 2FA.

Current setup:

SSH requires a valid key, a password and two-factor authentication

File contents:

/etc/pam.d/sshd

auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_google_authenticator.so nullok
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

/etc/ssh/ssh_config

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication yes
#   HostbasedAuthentication no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected]
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h

Host *
    SendEnv LANG LC_*

/etc/ssh/sshd_config

#Protocol Version
Protocol 2

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10

PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 360
ClientAliveCountMax 0
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# pass locale information
AcceptEnv LANG LC_*

# no default banner path
Banner /etc/ssh/banner

# override default of no subsystems
Subsystem   sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

Edit:

I tried several different combinations of the solutions given in the Stack posts linked below, but I couldn't get any of them to work. I don't know whether something is missing from my configuration, whether it's related to my using macOS, or whether the order listed in the sshd file in pam.d is incorrect.

SSH - require google-authenticator only from outside the local network

https://serverfault.com/questions/799657/ssh-google-authenticator-ignore-whitelist-ips

I tried adding this to the sshd file in pam.d:

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf
auth sufficient pam_google_authenticator.so

and adding the access.conf file at /etc/security/access.conf:

+ : ALL : 10.0.1.0/24
+ : ALL : LOCAL
+ : ALL : 10.0.1.4
+ : ALL : 10.0.1.6
+ : ALL : 10.0.1.16
+ : ALL : 10.0.1.20
- : ALL : ALL

Answer 1

I use this on my Mac:

/etc/pam.d/sshd

# sshd: auth account password session
auth       binding        /usr/local/opt/google-authenticator-libpam/lib/security/pam_google_authenticator.so
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

/etc/ssh/sshd_config

LogLevel VERBOSE
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey,keyboard-interactive:pam
ChallengeResponseAuthentication yes
UsePAM yes
AcceptEnv LANG LC_*
Subsystem   sftp    /usr/libexec/sftp-server
Match Address fc00::/7,10.0.1.0/24
    PasswordAuthentication no
    AuthenticationMethods publickey

This way, only connections from outside the local network have to provide 2FA; local connections are pubkey-only.

Answer 2

See the section "Request OTP only when connecting from outside the local network" of the Arch Wiki:

To achieve this, create a file (e.g. /etc/security/access-local.conf) and add the networks you want to be able to bypass 2FA:

# only allow from local IP range
+ : ALL : 192.168.20.0/24
# Additional network: VPN tunnel ip range (in case you have one)
+ : ALL : 10.8.0.0/24
+ : ALL : LOCAL
- : ALL : ALL

Then edit /etc/pam.d/sshd and add the following lines:

#%PAM-1.0
#auth     required  pam_securetty.so     #disable remote root
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth      required  pam_google_authenticator.so
auth      include   system-remote-login
account   include   system-remote-login
password  include   system-remote-login
session   include   system-remote-login

I thought I was using the same setup as on the wiki, but this is the config from a working system:

#%PAM-1.0
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/otp-access.conf
auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok

Update - since it still isn't working for you, start by using only

auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok

Then verify that 2f auth works. You should only be asked for the ssh key and the 2f code. It should not ask for a password.

The success=done part means that once 2f is done, it exits the auth pam stack, so the auth lines below it will not be processed.

If that works, insert the first line

auth [success=done default=ignore] pam_access.so accessfile=/etc/security/otp-access.conf

This means that if the ip is right, it will again stop processing the auth pam stack (and will not go on to the second line with 2f).
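As an added illustration (not code from either answer or from pam_access itself), the following Python model evaluates the access file from Answer 2 and the Match Address block from Answer 1 for a given client address, showing why a LAN peer never reaches the OTP line while an outside peer must pass it. The rule evaluation is a simplified model of pam_access first-match semantics, and the client addresses used in the checks are constructed.

```python
import ipaddress

# Constructed copy of the access file from Answer 2 (embedded, not read from disk).
ACCESS_LOCAL_CONF = """\
+ : ALL : 192.168.20.0/24
+ : ALL : 10.8.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""
# Networks from the "Match Address" line in Answer 1's sshd_config.
MATCH_ADDRESS = ["fc00::/7", "10.0.1.0/24"]

def _origin_matches(origin: str, client_ip: str) -> bool:
    """One pam_access origin token: ALL, LOCAL, a CIDR prefix or a single address."""
    if origin == "ALL":
        return True
    if origin == "LOCAL":
        # access.conf(5): LOCAL matches an origin with no '.', e.g. a tty, never an IPv4 peer.
        return "." not in client_ip
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(origin, strict=False)
    except ValueError:
        return False  # malformed token counts as no match instead of crashing

def pam_access_permits(conf: str, client_ip: str) -> bool:
    """First matching rule wins: '+' grants, '-' denies, as pam_access evaluates the file."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, _users, origins = (f.strip() for f in line.split(":", 2))
        if any(_origin_matches(o, client_ip) for o in origins.split()):
            return perm == "+"
    return True  # no rule matched: pam_access grants by default

def pam_auth_result(client_ip: str, otp_ok: bool) -> str:
    """Walk the two-line auth stack of Answer 2's working config."""
    # [success=done default=ignore] pam_access.so: a match finishes the stack as success,
    # so the OTP module never runs; a non-match is ignored and evaluation continues.
    if pam_access_permits(ACCESS_LOCAL_CONF, client_ip):
        return "allow-without-otp"
    # [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so
    return "allow-with-otp" if otp_ok else "deny"

def sshd_auth_methods(client_ip: str) -> str:
    """Answer 1's approach: the Match Address block drops keyboard-interactive:pam."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n) for n in MATCH_ADDRESS):
        return "publickey"
    return "publickey,keyboard-interactive:pam"
```

Note that the model only decides whether the OTP line is reached; sshd's own AuthenticationMethods still requires the public key in both answers.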
