OS: CentOS 6.5, SSH v5.3
Goal:
Root access via PubkeyAuthentication, allowed from multiple hosts.
Users in "group1" may log in with whatever they bring: PubKey, Password, GSSAPI, KerberosPassword; but only from one specific IP: 192.168.1.10
Status: Root access is already defined through multiple from="" entries in ~/.ssh/authorized_keys and works as expected.
Problem: group1 users can get in from 192.168.1.10 or from anywhere else; or are locked out completely (with an earlier test configuration).
I have tried several variations, to no avail.
/etc/pam.d/sshd looks like this:
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
Currently I have in sshd_config:
    PermitRootLogin without-password
    PasswordAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no
    UsePAM yes
    AllowGroups root group1
    Match Group [email protected]
        KerberosAuthentication yes
        PasswordAuthentication yes
        GSSAPIAuthentication yes
        PubKeyAuthentication yes
    Match Group root
        PubKeyAuthentication yes
Any suggestions?
I found a working solution. sshd's debug mode (/usr/sbin/sshd -ddd) showed the missing link:
    debug1: connection from 192.168.1.111 matched 'Address *'
    debug3: match found
    [...]
    Accepted **keyboard-interactive/pam** for xxx from 192.168.1.111 port 54282 ssh2
As you can see, the login matched the correct block; but because of UsePAM yes, PAM apparently overrides the "no" entries in the Match Address * block; see the manual:
    UsePAM  Enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using [...] PasswordAuthentication
The final configuration looks like this:
    PermitRootLogin without-password
    PasswordAuthentication no
    KerberosAuthentication no
    GSSAPIAuthentication no
    UsePAM yes
    AllowGroups root group1
    Match Address 192.168.1.10
        KerberosAuthentication yes
        PasswordAuthentication yes
        GSSAPIAuthentication yes
        PubKeyAuthentication yes
        KbdInteractiveAuthentication yes
    Match Group root
        PubKeyAuthentication yes
    Match Address *
        KerberosAuthentication no
        PasswordAuthentication no
        GSSAPIAuthentication no
        PubKeyAuthentication no
        KbdInteractiveAuthentication no
Only after adding KbdInteractiveAuthentication no, which disables PAM's password prompt, are users from anywhere else now successfully rejected.
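To make the failure mode above reproducible without an sshd, here is an added example (not code from the poster) that resolves a trimmed copy of the final config per connection and shows why the keyboard-interactive/pam path stayed open until KbdInteractiveAuthentication was pinned. It assumes OpenSSH 5.3 defaults for the keywords shown (KbdInteractiveAuthentication defaults to yes), that the first satisfied Match block to set a keyword wins, and it supports only Group and Address criteria with glob patterns; the config strings are constructed samples reduced to the keywords that matter here.

```python
from fnmatch import fnmatch

# Assumed OpenSSH 5.3 defaults for the keywords this thread turns on.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "usepam": "no"}

def _match_line(criteria, groups, addr):
    """True when every Group/Address criterion on a Match line is satisfied (globs only)."""
    for key, pats in zip(criteria[::2], criteria[1::2]):
        cands = groups if key.lower() == "group" else [addr]
        if not any(fnmatch(c, p) for c in cands for p in pats.split(",")):
            return False
    return True

def effective_config(text, groups, addr):
    """Global section first; the FIRST satisfied Match block to set a keyword wins (later ones cannot override)."""
    cfg, overrides, active = dict(DEFAULTS), {}, None   # None = still in global section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":
            active = _match_line(val.split(), groups, addr)
        elif active is None:
            cfg[key] = val.lower()
        elif active:
            overrides.setdefault(key, val.lower())   # keep the first block's value
    cfg.update(overrides)
    return cfg

def pam_password_usable(cfg):
    """The keyboard-interactive/pam path from the debug log: needs UsePAM and KbdInteractive."""
    return cfg["usepam"] == "yes" and cfg["kbdinteractiveauthentication"] == "yes"

# The answer's final config, trimmed to the keywords the resolver models (constructed sample).
FINAL_CONFIG = """PasswordAuthentication no
UsePAM yes
Match Address 192.168.1.10
PasswordAuthentication yes
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
Match Group root
PubkeyAuthentication yes
Match Address *
PasswordAuthentication no
PubkeyAuthentication no
KbdInteractiveAuthentication no"""
# The earlier, broken state: the same file minus the two KbdInteractiveAuthentication lines.
BEFORE_FIX = "\n".join(ln for ln in FINAL_CONFIG.splitlines() if "KbdInteractive" not in ln)
```

With BEFORE_FIX a group1 user from 192.168.1.111 still gets PAM keyboard-interactive (PasswordAuthentication no does not close it), while FINAL_CONFIG rejects that path and keeps root's pubkey access from any address because the Match Group root block comes before Match Address *.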