为了允许2FA在我的域中,我设置了一个林OTP服务器来管理我的领域中的令牌和用户(来自 LDAP)之间的映射。
因此,我配置了PAM 堆栈将此身份验证方法也集成到 SSH 会话中:
# /etc/pam.d/sshd
# =========================================================
#%PAM-1.0
auth required pam_sepermit.so
# OTP Check
auth [success=1 default=ignore] pam_python.so\
/lib/security/pam_linotp.py nosslhostnameverify nosslcertverify\
url=https://mylinotpsrv.local/validate/simplecheck realm=MYDOMAIN debug
auth requisite pam_deny.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
然后,我尝试打开一个连接:,并且:ssh [email protected]@192.168.0.12
- OTP(在我的情况下由 Google Authenticator 提供)已正确验证;
- 用户名/密码对应关系已正确检查。
但是,当完成上述双重检查时,我发现一个错误:Write Error: Broken Pipe。
日志如下:
/var/log/secure
====================================================================================================
Mar 9 15:25:09 mflinux01 sshd[8215]: Set /proc/self/oom_score_adj to 0
Mar 9 15:25:09 mflinux01 sshd[8215]: Connection from 192.168.0.13 port 33926 on 192.168.0.12 port 22
Mar 9 15:25:09 mflinux01 sshd[8215]: Postponed keyboard-interactive for [email protected] from 192.168.0.13 port 33926 ssh2 [preauth]
Mar 9 15:25:17 mflinux01 sshd[8215]: Postponed keyboard-interactive/pam for [email protected] from 192.168.0.13 port 33926 ssh2 [preauth]
Mar 9 15:25:20 mflinux01 sshd[8217]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.13 [email protected]
Mar 9 15:25:20 mflinux01 sshd[8220]: pam_krb5[8220]: got error -1 (Unknown code ____ 255) while obtaining tokens for cern.ch
Mar 9 15:25:20 mflinux01 sshd[8215]: Postponed keyboard-interactive/pam for [email protected] from 192.168.0.13 port 33926 ssh2 [preauth]
Mar 9 15:25:20 mflinux01 sshd[8215]: Accepted keyboard-interactive/pam for [email protected] from 192.168.0.13 port 33926 ssh2
Mar 9 15:25:20 mflinux01 sshd[8215]: fatal: PAM: pam_setcred(): Failure setting user credentials
/var/log/message
====================================================================================================
Mar 9 15:25:01 mflinux01 systemd: Created slice user-988.slice.
Mar 9 15:25:01 mflinux01 systemd: Starting user-988.slice.
Mar 9 15:25:01 mflinux01 systemd: Started Session 12 of user pcp.
Mar 9 15:25:01 mflinux01 systemd: Starting Session 12 of user pcp.
Mar 9 15:25:03 mflinux01 systemd: Removed slice user-988.slice.
Mar 9 15:25:03 mflinux01 systemd: Stopping user-988.slice.
Mar 9 15:25:09 mflinux01 pam_linotp[8217]: start pam_linotp.py authentication: 1, ['/lib/security/pam_linotp.py', 'nosslhostnameverify', 'nosslcertverify', 'url=https://192.168.0.14/validate/simplecheck', 'realm=MYDOMAIN', 'debug']
Mar 9 15:25:09 mflinux01 pam_linotp[8217]: got no password in authtok - trying through conversation
Mar 9 15:25:16 mflinux01 pam_linotp[8217]: got password: 932410
Mar 9 15:25:16 mflinux01 pam_linotp[8217]: calling url https://192.168.0.14/validate/simplecheck {'realm': 'MYDOMAIN', 'user': '[email protected]', 'pass': '932410'}
Mar 9 15:25:17 mflinux01 pam_linotp[8217]: :-)
Mar 9 15:25:17 mflinux01 pam_linotp[8217]: user successfully authenticated
Mar 9 15:25:20 mflinux01 sshd: Please note: pam_linotp does not support setcred
通过在网上寻找解决方案,我还设置/etc/ssh/ssh_config并/etc/ssh/sshd_config添加ClientAliveInterval 120和ServerAliveInterval 120,但错误仍然存在。
考虑到,通过删除auth requisite pam_deny.soPAM 堆栈中删除,OTP 当然没有得到正确验证(它始终是正确的),但在用户名/密码检查之后,SSH 身份验证可以工作。
您对这个问题的解决办法有什么线索吗?
注意:我环境中的所有 Linux 机器都基于CentOS 7。
更新:
如下可以找到password-authPAM conf的当前版本:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
答案1
身份验证成功,您可以在 :-) 中看到。显然这是您剩余的堆栈。
如果你说,当你删除 pam denied 时,它起作用了,那么你显然遇到了问题
auth substack password-auth
[success=1 default=ignore] 表示如果成功,则跳过下一个 (1) 条目。因此,删除 pam_deny 时会跳过 password-auth 条目。因此,请查看此子轨道!
更新:
可能是因为线路问题导致失败
auth sufficient pam_sss.so forward_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
OTP 未通过 sssd 或 kerberos 成功验证。因此您将遇到 pam_deny。