Why does this user not need PAM two-factor authentication to log in?

I inherited a system from a colleague who has left. He set up two-factor authentication on the system, except for the users root and ftpupload.

However, there is one particular user who has SSH access but is not required to use two-factor authentication. That user can log in with just a username and password!

I noticed he set it up so that all users in the disable2fa group need two-factor authentication. I only see the following users in that group:

$ getent group disable2fa
disable2fa:x:2003:root,publicftpupload

I checked the PAM file (sudo nano /etc/pam.d/sshd) and saw the following:

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password
auth [success=done default=ignore] pam_succeed_if.so user ingroup disable2fa
auth required pam_google_authenticator.so nullok

Is there anywhere else I should check? Can anyone help? Thanks!

Answer 1

This is what that line does:

auth [success=done default=ignore] pam_succeed_if.so user ingroup disable2fa

man pam.d

ok
   this tells PAM that the administrator thinks this return code should contribute
   directly to the return code of the full stack of modules. In other words, if the
   former state of the stack would lead to a return of PAM_SUCCESS, the module's return
   code will override this value. Note, if the former state of the stack holds some value
   that is indicative of a modules failure, this 'ok' value will not be used to override
   that value.

done
   equivalent to ok with the side effect of terminating the module stack and PAM
   immediately returning to the application.

Essentially, success=done means that if this module succeeds, nothing else needs to be checked, so the pam_google_authenticator.so line that follows is skipped whenever this module succeeds, and this module only checks whether the user is in the group disable2fa:

user ingroup group
   User is in given group.

Answer 2

You can remove the "user ingroup disable2fa" line from the PAM configuration file and replace it with the setup documented here:

https://codeberg.org/kpiq/Tech-Space/wiki/2FA-Authenticator-app-%28any-compatible-with-Google-Authenticator%29-setup-for-Ubuntu-Jammy

That way, only users who have configured a Google Authenticator token (a ~/.google_authenticator file) are asked for a verification code. The "user ingroup" setting was a question mark for me until I found the nullok parameter in the documentation.

It works very well!
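As an added example (not code from either answer), a small audit helper that lists which accounts the posted sshd stack admits with a password alone: members of disable2fa (the success=done short-circuit) and, because of nullok, any user with no ~/.google_authenticator. The group and passwd files, the home-directory prefix and the sample users are constructed so it runs offline.

```sh
#!/bin/sh
# Audit helper for the sshd PAM stack discussed above; added here, not from the post.
# Reports users that stack lets in with only a password:
#   - members of disable2fa: pam_succeed_if ... success=done ends the auth stack early
#   - users with no ~/.google_authenticator: "nullok" makes pam_google_authenticator pass
# Assumes group(5)/passwd(5) format files; paths are parameters so it can run on sample data.

# Print members of group $2 found in group file $1, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# $1=group file  $2=passwd file  $3=prefix prepended to each home directory
# Output: "<user> <reason>" lines, sorted; a user can appear once per reason.
audit_2fa_bypass() {
    {
        group_members "$1" disable2fa | sed 's/$/ in-group:disable2fa/'
        while IFS=: read -r user _ _ _ _ home _; do
            [ -f "$3$home/.google_authenticator" ] || echo "$user no-token:nullok"
        done < "$2"
    } | LC_ALL=C sort
}

# Build constructed sample data in a scratch directory and run the audit on it.
demo() {
    d=$(mktemp -d)
    printf 'disable2fa:x:2003:root,publicftpupload\n' > "$d/group"
    printf 'root:x:0:0::/root:/bin/sh\n'                  >  "$d/passwd"
    printf 'alice:x:1001:1001::/home/alice:/bin/sh\n'     >> "$d/passwd"
    printf 'bob:x:1002:1002::/home/bob:/bin/sh\n'         >> "$d/passwd"
    printf 'publicftpupload:x:1003:1003::/home/publicftpupload:/bin/sh\n' >> "$d/passwd"
    mkdir -p "$d/root" "$d/home/alice" "$d/home/bob" "$d/home/publicftpupload"
    : > "$d/home/alice/.google_authenticator"   # alice enrolled a token; bob did not
    audit_2fa_bypass "$d/group" "$d/passwd" "$d"
    rm -rf "$d"
}

demo
```

Run against the real files with `audit_2fa_bypass /etc/group /etc/passwd ""`; any user listed under no-token:nullok is the one the question describes.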
