I have a pam.d configuration with MFA authentication on a test server. I noticed that the IP addresses listed in the access-without-MFA.conf file can log in without a password and without a private/public key.
The expected result is that the IP addresses in the access-without-MFA.conf file do not need MFA, but still need a public/private key or a password to log in. I have tried changing the position and putting the list below, but in that case a password is required for every login and the public key is ignored. ssh-copy-id did not help. This does not allow any automation.
```
#%PAM-1.0
#
# skip one-time password for special hosts
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-without-MFA.conf
#
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
# skip one-time password for special hosts
#auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-without-MFA.conf
#
# one time password required
auth required pam_google_authenticator.so echo_verification_code
#
```
access-without-MFA.conf

```
# test-vm login without pwd
+ : ALL : 10.xx.xx.xx
#
+ : ALL : LOCAL
- : ALL : ALL
```
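The corrected ordering of the auth stack, as an added example that is not part of the original post: `[success=done default=ignore]` placed before `common-auth` returns from the auth stack as soon as pam_access matches, so a listed host is never asked for a password, whereas `[success=1 default=ignore]` placed after `common-auth` and directly before pam_google_authenticator skips only the one-time-password module. The file name and address are the ones from the post; whether sshd additionally enforces a public key depends on its AuthenticationMethods setting, which the post does not show.

```text
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     include    common-auth
# Hosts listed in access-without-MFA.conf skip only the next module (the OTP
# prompt). The original "[success=done ...]" line placed before common-auth
# ended the auth stack as soon as pam_access matched, so no password was asked.
# For any other host pam_access returns "deny"; default=ignore discards that
# result and the OTP module below runs as usual.
auth     [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-without-MFA.conf
# one time password required
auth     required   pam_google_authenticator.so echo_verification_code
account  requisite  pam_nologin.so
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  include    common-session
session  optional   pam_lastlog.so silent noupdate showfailed
```

The skip count of 1 is correct only while pam_google_authenticator is the single module between the pam_access line and the end of the auth section; if more auth modules are added after it, the count must be adjusted.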