我正在我工作的公司的出站服务器上配置 Google 双因素身份验证。
相关配置如下
/etc/ssh/sshd_config:
ubuntu@stage-itai-1:~$ egrep -v '^#' /etc/ssh/sshd_config | sed '/^\s*$/d'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Match Group gauth
AuthenticationMethods publickey,keyboard-interactive
/etc/pam.d/sshd:
ubuntu@stage-itai-1:~$ egrep -v '^#' /etc/pam.d/sshd | sed '/^\s*$/d'
auth required pam_google_authenticator.so nullok
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
应强制“gauth”组成员用户提供公钥和 Google 验证码,这是有意为之并且有效的。
应该强制要求不属于“gauth”组成员的用户提供公钥,但实际上他们无需提供公钥和密码就可以连接到机器。
机器上有一个特殊用户,称为“救援”,该用户应该被强制仅提供密码,其目的是永远不会被锁定在机器之外,但实际上用户根本不需要密码就可以连接。
我的问题是,我如何执行我的“假设”规则,这意味着:
- “gauth”组的用户必须提供公钥和 Google OTP
- 不属于“gauth”组成员的用户只有提供公钥才能登录。
- 用户“rescue”应该只能通过提供密码(或提供公钥)才能登录。
如何做呢?
编辑#1:
根据 FaCe 的回答,我进行了/etc/ssh/sshd_config如下配置:
我已将整个文件的 PasswordAuthentication 改回“是”,并将“ChallengeResponseAuthentication”改回“否”,然后在文件底部添加以下几行:
Match Group guath
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User rescue
PasswordAuthentication yes
ChallengeResponseAuthentication no
AuthenticationMethods password
重置 ssh 服务后,无论我使用哪个用户,我都无法登录,并出现以下错误:
ssh_exchange_identification: Connection closed by remote host
并且 中没有显示任何内容/var/log/auth.log。
有人可以解释一下此事吗?
答案1
您需要使用多个 Match Group 指令:
Match Group foo
# blah settings
Match Group bar
# blah settings
...
Standard settings
答案2
Match Group guath
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
不确定您的 Ubuntu 版本,但在 Debian Jessie 上,ChallengeResponseAuthentication关键字不能成为块的一部分Match。根据man sshd_config:
Only a subset of keywords may be used on the lines following a Match keyword.
Available keywords are:
AcceptEnv, AllowAgentForwarding, AllowGroups, AllowTcpForwarding, AllowUsers, AuthenticationMethods,
AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication,
HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
KerberosAuthentication, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords,
PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAuthentication, RekeyLimit,
RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding and X11UseLocalHost.