CentOS 7 SSH and 2FA (ESET Secure Authentication)

I cannot get two-factor authentication working on CentOS 7; specifically, authentication over SSH with an OTP.

If anyone can help me, I would be very grateful. :)

Edit: From the log below I gather that the PAM module asks the RADIUS server to authenticate, the server responds with code 11, so the PAM module asks the user for the OTP, but then the module just says "authentication failed". So the problem should be on the client side, right?

Here is the log of an attempted SSH login with the account "[email protected]":

sshd[3652]: pam_radius_auth: Got user name [email protected]
sshd[3652]: pam_radius_auth: ignore last_pass, force_prompt set
sshd[3652]: pam_radius_auth: Sending RADIUS request code 1
sshd[3652]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fa56490e1c0.
sshd[3652]: pam_radius_auth: Got RADIUS response code 11
sshd[3652]: pam_radius_auth: authentication failed
sshd[3652]: pam_sepermit(sshd:auth): Parsing config file:     /etc/security/sepermit.conf
sshd[3652]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match
sshd[3652]: pam_sepermit(sshd:auth): sepermit_match returned: -1
sshd[3652]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 [email protected]
sshd[3652]: Failed password for [email protected] from 10.0.0.31 port 57962 ssh2
sshd[3652]: Connection closed by 10.0.0.31 [preauth]

Here is the configuration and setup information

The test environment is provided by my company's infrastructure; we mainly use Windows clients, with roughly equal shares of Windows and Linux servers.

Windows server: Windows Server 2016 x64

  • Active Directory: Test.local
  • ESET Secure Authentication (RADIUS server)
    • Shared secret with the client: test345
    • The option "Use the Access-Challenge feature of RADIUS" is enabled

Linux client/server: CentOS 7.3 x64

  • Joined the domain Test.local via realm
  • Local login with an AD account and OTP-2FA always works
  • SSH login with any account only works when pam_radius_auth.so in /etc/pam.d/sshd is not set to required (which means no 2FA)

Configuration of the Linux client/server:

  • Added the RADIUS server and shared secret in /etc/raddb/server
  • pam_radius_auth.so is located in /usr/lib64/security/
  • Added pam_radius_auth.so as required for auth in /etc/pam.d/sshd and /etc/pam.d/login

/etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
auth       sufficient   pam_radius_auth.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

sshd configuration file

#%PAM-1.0
auth       required     pam_radius_auth.so    debug
auth       required pam_sepermit.so      debug
auth       substack     password-auth      debug
auth       include      postlogin     debug
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

/etc/raddb/server

# server[:port] shared_secret      timeout (s)
10.0.0.1        test345            5

Answer 1

I have managed to solve this myself.

Apparently the only thing that needed to change was the order of the PAM modules in /etc/pam.d/sshd.

The line auth sufficient pam_radius_auth.so must be below pam_sepermit.so and above password-auth.

Actually the order of the modules in /etc/pam.d/login was also incorrect.

The line auth sufficient pam_radius_auth.so should be below pam_securetty.so and above system-auth.

This is what the files look like now:

/etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       sufficient   pam_radius_auth.so
auth       substack     system-auth
auth       include      postlogin
# auth       sufficient   pam_radius_auth.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

sshd configuration file

#%PAM-1.0
auth       required pam_sepermit.so
auth       sufficient   pam_radius_auth.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
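The difference between the two sshd stacks, as an added example that is not code from the post or from Linux-PAM: a small Python model of how PAM evaluates control flags in an auth stack, replaying the question's log (pam_radius_auth fails, pam_sss succeeds, the login still fails) and the answer's ordering. The module results and the collapsing of the password-auth substack into one entry are assumptions of the model.

```python
# Added example (not code from the post or from Linux-PAM): a minimal model
# of how Linux-PAM evaluates an "auth" stack, used to replay the two
# /etc/pam.d/sshd orderings from this page. The password-auth substack is
# collapsed into one entry whose result stands for pam_sss (a simplification).

def evaluate_auth_stack(stack, results):
    """stack: list of (control, module). results: module -> True (success),
    False (failure) or None (PAM_IGNORE, i.e. does not affect the result).
    Returns (stack_succeeded, modules_consulted_in_order)."""
    consulted = []
    required_failed = False
    for control, module in stack:
        consulted.append(module)
        result = results.get(module)
        if result is None:  # ignored modules never change the outcome
            continue
        if control == "required":
            # failure is remembered, but the remaining modules still run
            # (which is why pam_sss still logs success in the question's log)
            required_failed = required_failed or not result
        elif control == "requisite":
            if not result:
                return False, consulted
        elif control == "sufficient":
            # success ends the stack early unless a required module already
            # failed; failure is simply ignored and evaluation continues
            if result and not required_failed:
                return True, consulted
        elif control != "optional":
            raise ValueError(f"unknown control flag {control}")
    return not required_failed, consulted

# /etc/pam.d/sshd as posted in the question (radius required, listed first)
QUESTION_SSHD = [
    ("required", "pam_radius_auth"),
    ("required", "pam_sepermit"),
    ("required", "password-auth"),
]

# /etc/pam.d/sshd as posted in the answer (radius sufficient, after sepermit)
ANSWER_SSHD = [
    ("required", "pam_sepermit"),
    ("sufficient", "pam_radius_auth"),
    ("required", "password-auth"),
]

def replay(stack, radius_ok):
    """Replay one login: pam_sepermit ignores the user (sepermit_match -1),
    the AD password is correct, and the RADIUS/OTP step succeeds or fails."""
    results = {"pam_sepermit": None, "password-auth": True,
               "pam_radius_auth": radius_ok}
    return evaluate_auth_stack(stack, results)
```

replay(ANSWER_SSHD, False) still returns success: with sufficient, a failed or unreachable RADIUS step falls through to the AD password alone, so the stack no longer enforces the second factor, whereas a required entry would fail the stack instead.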
