我正在为我工作的公司中的出站服务器configurationGoogle双因素身份validation。
这里是相关的configuration: /etc/ssh/sshd_config :
ubuntu@stage-itai-1:~$ egrep -v '^#' /etc/ssh/sshd_config | sed '/^\s*$/d' Port 22 Protocol 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key UsePrivilegeSeparation yes KeyRegenerationInterval 3600 ServerKeyBits 1024 SyslogFacility AUTH LogLevel INFO LoginGraceTime 120 PermitRootLogin without-password StrictModes yes RSAAuthentication yes PubkeyAuthentication yes IgnoreRhosts yes RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication yes PasswordAuthentication no X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes Match Group gauth AuthenticationMethods publickey,keyboard-interactive
/etc/pam.d/sshd :
ubuntu@stage-itai-1:~$ egrep -v '^#' /etc/pam.d/sshd | sed '/^\s*$/d' auth required pam_google_authenticator.so nullok account required pam_nologin.so @include common-account session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close session required pam_loginuid.so session optional pam_keyinit.so force revoke @include common-session session optional pam_motd.so motd=/run/motd.dynamic noupdate session optional pam_motd.so # [1] session optional pam_mail.so standard noenv # [1] session required pam_limits.so session required pam_env.so # [1] session required pam_env.so user_readenv=1 envfile=/etc/default/locale session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open @include common-password
作为“gauth”组的成员的用户应该被强制提供publickey和Googlevalidation代码,这是有意和正在工作的。
不是“gauth”组的成员的用户应该被强制提供公钥,但是实际上他们能够连接到机器而不提供公钥和密码。
机器上有一个叫做“救援”的特殊用户,这个用户应该强制只提供一个密码,目的是永远不会被locking在机器外面,但实际上用户可以在没有密码。
我的问题是,我如何执行我的“假定”规则,这意味着:
如何做呢?
编辑#1:
按照FaCe的回答,我已经configuration了/etc/ssh/sshd_config像这样:
我已经将PasswordAuthentication更改回“Yes”和“ChallengeResponseAuthentication”改为整个文件的“No”,然后在文件底部添加以下几行:
Match Group guath PasswordAuthentication no ChallengeResponseAuthentication yes AuthenticationMethods publickey,keyboard-interactive Match User rescue PasswordAuthentication yes ChallengeResponseAuthentication no AuthenticationMethods password
重置ssh服务后,我无法login,无论使用哪一个用户,我收到以下错误:
ssh_exchange_identification: Connection closed by remote host
而且什么都不显示在/var/log/auth.log 。
任何人都可以请解释一下这个问题?
您需要使用多个匹配组指令:
Match Group foo # blah settings Match Group bar # blah settings ... Standard settings
Match Group guath PasswordAuthentication no ChallengeResponseAuthentication yes AuthenticationMethods publickey,keyboard-interactive
不确定你的Ubuntu版本,但在Debian Jessie上, ChallengeResponseAuthentication关键字不能成为Match块的一部分。 按照man sshd_config :
Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are: AcceptEnv, AllowAgentForwarding, AllowGroups, AllowTcpForwarding, AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, KerberosAuthentication, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAuthentication, RekeyLimit, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding and X11UseLocalHost.