Whitelisting an IP for google-authenticator in sshd PAM


My Ubuntu 12.04 server uses the google-authenticator PAM module to provide two-step verification for ssh, and I need one particular IP to be exempt from entering the verification code.

My /etc/pam.d/sshd looks like this:

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

auth required pam_google_authenticator.so

I have tried adding the line

auth sufficient pam_exec.so /etc/pam.d/ip.sh

above the google-authenticator line, but I don't understand how to check the IP address in a bash script.
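The following is an added example, not code from the question or from either answer. It shows what the script named in the `pam_exec.so` line could look like. pam_exec exports the client address sshd saw as `PAM_RHOST` (plus `PAM_USER`, `PAM_SERVICE` and `PAM_TYPE`) into the script's environment, and treats exit status 0 as module success and anything else as failure; with `auth sufficient pam_exec.so ...` placed after `@include common-auth` and before `pam_google_authenticator.so`, a 0 exit ends the auth stack successfully and the OTP module is never called, while a non-zero exit simply falls through to it. The whitelist path `/etc/security/otp-whitelist` and the `/etc/pam.d/ip.sh` location are assumptions taken from the question, not fixed by any tool.

```shell
#!/bin/sh
# /etc/pam.d/ip.sh  (path assumed, as in the question). Run by pam_exec.so during
# the sshd auth phase. pam_exec puts PAM_RHOST, PAM_USER, PAM_SERVICE and PAM_TYPE
# in the environment; exit 0 = module success (skip the OTP), non-zero = failure
# (fall through to pam_google_authenticator.so).

# Whitelist file: one literal IPv4 address per line. Assumed path; keep it
# root-owned and not group/world-writable, since it now replaces the OTP.
WHITELIST_FILE="${WHITELIST_FILE:-/etc/security/otp-whitelist}"

# ip_is_whitelisted ADDRESS FILE
# Returns 0 only when ADDRESS is a dotted-quad that appears as a whole line in
# FILE. Deliberately strict: exact string match (10.0.0.1 does not match
# 10.0.0.10), no netmask/CIDR handling, and a hostname is rejected outright,
# so the script assumes sshd runs with "UseDNS no" so PAM_RHOST is a bare IP.
# Anything unexpected (empty address, unreadable file) fails closed.
ip_is_whitelisted() {
    ip="$1"
    file="$2"
    [ -n "$ip" ] || return 1
    [ -r "$file" ] || return 1
    case "$ip" in
        *[!0-9.]*) return 1 ;;   # not a dotted quad: never whitelist
    esac
    # -F fixed string, -x whole line, -q quiet; exit status is the answer.
    grep -Fxq -- "$ip" "$file"
}

# Only make a decision when pam_exec is actually calling us for authentication.
# When the file is sourced or run by hand, PAM_TYPE is unset and nothing happens.
if [ "${PAM_TYPE:-}" = "auth" ]; then
    if ip_is_whitelisted "${PAM_RHOST:-}" "$WHITELIST_FILE"; then
        logger -t otp-whitelist "OTP skipped for ${PAM_USER:-?} from ${PAM_RHOST:-?}"
        exit 0
    fi
    exit 1
fi
```

Install with `chmod 0755 /etc/pam.d/ip.sh` and `chown root:root`, then test from a whitelisted and a non-whitelisted host before relying on it; because the line is `sufficient`, a script that accidentally exits 0 for everyone silently disables the second factor, which is why the function fails closed on any input it does not recognise.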

Answer 1

You cannot allow or deny authentication using pam_exec. What you should do is add something like

account  sufficient pam_access.so

above the google authenticator line, and in /etc/security/access.conf enter

+:ALL:<ip>

Answer 2

I use google authenticator before the account password is entered, so I cannot use pam_access, because it would bypass the account password. So I cloned google authenticator and implemented a core whitelist feature.

You can get it from https://code.google.com/r/kazimsarikaya-google-authenticatior-withwhitelist/
