我正在尝试在 RHEL 7 上设置 MFA,但遇到了先有鸡还是先有蛋的问题。如果我在 pam 中启用 MFA,您将无法登录来设置 .google-authenticator 文件。我知道 pam 中的 nullok 选项应该允许它工作并通过,但我没有任何运气。最终目标是使用可选 MFA 进行公钥 ssh 访问。注意:如果我在启用 pam 模块之前创建 .google-authenticator 文件,MFA 可以正常工作。
# ssh client debug *snip*
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
# secure log
Sep 29 09:44:28 ip-xxxxxx sshd(pam_google_authenticator)[9502]: debug: start of google_authenticator for "ec2-user"
Sep 29 09:44:28 ip-xxxxxx sshd[9500]: error: PAM: Permission denied for ec2-user from xxxxxxxxxxxx
# /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
#auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in
the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
auth required pam_google_authenticator.so nullok debug
# /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
AuthenticationMethods publickey,keyboard-interactive
答案1
我不是 pam 专家,但您的 pam 配置看起来不适合 google auth。
这是添加了 nullok 的文件。
猫/etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth requisite pam_google_authenticator.so forward_pass nullok
auth required pam_sss.so use_first_pass
#auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
其次,你的 ssh 配置要求同时输入 sshkey 和密码,你需要一个空格,而不是逗号
AuthenticationMethods "publickey" "password"
如果您使用 kerberos + putty-cac,则可以使用 google auth mfa 备份进行 SSO MFA。
AuthenticationMethods "publickey,gssapi-with-mic" "password"
如果我理解正确,您应该nullok在配置选项中删除 , 并将逗号替换为空格AuthenticationMethods。这样可以实现无需密码的公钥身份验证,或者使用 google auth 时需要密码,但不能在没有 google auth 的情况下需要密码。