OpenSSH with (public key or password) + Google Authenticator

I want to allow both of these authentication types: public key + Google Authenticator, and password + Google Authenticator.

I have the following in my sshd_config:

    AuthenticationMethods publickey,keyboard-interactive:pam password,keyboard-interactive:pam
    UsePAM yes
    ChallengeResponseAuthentication yes
    PubkeyAuthentication yes
    PasswordAuthentication yes

And in /etc/pam.d/sshd I commented out

    #@include common-auth

and added

    auth required pam_google_authenticator.so

at the end of the file.

The key + token route still works, but for some reason my password is always rejected with an "Access denied" message.

I found that as soon as UsePAM is set to "yes", password authentication fails. No idea why?

Contents of /etc/pam.d/sshd: (this file seems rather long to me, but it is just the Ubuntu default; maybe I could shorten it a bit?)

    # PAM configuration for the Secure Shell service

    # Standard Un*x authentication.
    #@include common-auth

    # Disallow non-root logins when /etc/nologin exists.
    account    required     pam_nologin.so

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    # account  required     pam_access.so

    # Standard Un*x authorization.
    @include common-account

    # SELinux needs to be the first session rule. This ensures that any
    # lingering context has been cleared. Without this it is possible that a
    # module could execute code in the wrong domain.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

    # Set the loginuid process attribute.
    session    required     pam_loginuid.so

    # Create a new session keyring.
    session    optional     pam_keyinit.so force revoke

    # Standard Un*x session setup and teardown.
    @include common-session

    # Print the message of the day upon successful login.
    # This includes a dynamically generated part from /run/motd.dynamic
    # and a static (admin-editable) part from /etc/motd.
    session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
    session    optional     pam_motd.so # [1]

    # Print the status of the user's mailbox upon successful login.
    session    optional     pam_mail.so standard noenv # [1]

    # Set up user limits from /etc/security/limits.conf.
    session    required     pam_limits.so

    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    session    required     pam_env.so # [1]
    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

    # SELinux needs to intervene at login time to ensure that the process starts
    # in the proper default security context. Only sessions which are intended
    # to run in the user's context should be run after this.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

    # Standard Un*x password updating.
    @include common-password
    auth required pam_google_authenticator.so

Contents of /etc/pam.d/common-auth:

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (eg, /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
    # traditional Unix authentication mechanisms.
    #
    # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
    # To take advantage of this, it is recommended that you configure any
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules. See
    # pam-auth-update(8) for details.

    # here are the per-package modules (the "Primary" block)
    auth    [success=1 default=ignore]      pam_unix.so nullok_secure
    # here's the fallback if no module succeeds
    auth    requisite                       pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    auth    required                        pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    auth    optional                        pam_cap.so
    # end of pam-auth-update config

My question really boils down to: how do I use "UsePAM yes" together with "AuthenticationMethods password"? Maybe I should delete this question and open a new one?


The UsePAM option makes the `password` authentication method use the same PAM modules that you want to use for your second factor. That is why it rejects your password.


This is an answer to your question that explains the "why", but it is not a complete solution for "how to make it work". Setting up this combination is tricky. I wanted to learn how to do it simply and correctly, but so far I have not had the time. But I am open to your ideas :)
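To make the "why" concrete, here is an added example (not from the question or the answer) that models the `auth` stacks posted above with a reduced Linux-PAM evaluator. It assumes two things that are simplifications of real sshd/libpam behaviour: with `UsePAM yes`, the `password` method answers every PAM prompt with the single password the client sent, while `keyboard-interactive:pam` relays each prompt to the client and gets a separate answer. The user, password, verification code and prompt strings are constructed for the example.

```python
"""Reduced Linux-PAM `auth` stack evaluator, added to illustrate the answer above.

Model assumptions (simplified from sshd's auth-pam.c and libpam):
 * `password` method: sshd replies to every PAM prompt with the one typed password.
 * `keyboard-interactive:pam`: each PAM prompt goes to the client, answered separately.
 * pam_unix / pam_google_authenticator reduce to "prompt, compare, succeed or fail".
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed credential store for the example; not a real user or secret.
UNIX_PASSWORDS = {"alice": "correct horse"}
TOTP_CODES = {"alice": "123456"}

Conv = Callable[[str], str]  # prompt -> answer; stands in for the PAM conversation


def pam_unix(user: str, conv: Conv) -> bool:
    return conv("Password: ") == UNIX_PASSWORDS.get(user)


def pam_google_authenticator(user: str, conv: Conv) -> bool:
    return conv("Verification code: ") == TOTP_CODES.get(user)


MODULES: Dict[str, Callable[[str, Conv], bool]] = {
    "pam_unix.so": pam_unix,
    "pam_google_authenticator.so": pam_google_authenticator,
    "pam_permit.so": lambda user, conv: True,
    "pam_deny.so": lambda user, conv: False,
    "pam_cap.so": lambda user, conv: True,
}

# Keyword controls written in the [success=... default=...] form that pam.d(5) defines.
CONTROLS = {
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}


@dataclass
class Entry:
    actions: Dict[str, str]
    module: str
    args: List[str] = field(default_factory=list)


def parse_auth_stack(text: str) -> List[Entry]:
    """Keep the `auth` lines of a pam.d file; `@include` lines are inlined by the caller."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("auth"):
            continue
        rest = line[len("auth"):].strip()
        if rest.startswith("["):
            close = rest.index("]")
            actions = dict(kv.split("=", 1) for kv in rest[1:close].split())
            rest = rest[close + 1:].strip()
        else:
            control, rest = rest.split(None, 1)
            actions = CONTROLS[control]
        module, *args = rest.split()
        entries.append(Entry(actions, module, args))
    return entries


def run_auth(entries: List[Entry], user: str, conv: Conv) -> bool:
    """Walk the stack with the ok/bad/die/done/ignore/N actions of pam.conf(5)."""
    i, failed, contributed = 0, False, False
    while i < len(entries):
        entry = entries[i]
        ok = MODULES[entry.module](user, conv)
        action = entry.actions.get("success" if ok else "default")
        if action is None:
            action = entry.actions.get("default", "bad")
        i += 1
        if action == "ok":
            contributed = True
        elif action == "bad":
            failed = True              # remembered; the stack keeps running
        elif action == "die":
            return False               # requisite failure: stop at once
        elif action == "done":
            return not failed          # sufficient success: stop, unless an earlier bad
        elif action.isdigit():
            contributed = True         # N means "ok" plus skip the next N entries
            i += int(action)
        # "ignore": this module does not influence the result
    return contributed and not failed  # nothing contributed -> denied (why pam_permit exists)


def sshd_password_conv(password: str) -> Conv:
    return lambda prompt: password


def keyboard_interactive_conv(answers: Dict[str, str]) -> Conv:
    return lambda prompt: answers.get(prompt, "")


# The question's /etc/pam.d/sshd auth part, with `@include common-auth` commented out.
SSHD_WITHOUT_COMMON_AUTH = """
#@include common-auth
auth required pam_google_authenticator.so
"""

# The same file with the question's common-auth "Primary" block inlined ahead of the module.
SSHD_WITH_COMMON_AUTH = """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
auth required pam_google_authenticator.so
"""


def scenarios() -> Dict[str, bool]:
    without = parse_auth_stack(SSHD_WITHOUT_COMMON_AUTH)
    with_ca = parse_auth_stack(SSHD_WITH_COMMON_AUTH)
    pw = sshd_password_conv("correct horse")
    return {
        # The poster's setup: the password is fed to pam_google_authenticator and rejected.
        "password method, common-auth commented out": run_auth(without, "alice", pw),
        # Restoring common-auth does not help `password`: the OTP prompt still gets the password.
        "password method, common-auth restored": run_auth(with_ca, "alice", pw),
        # The working key+token route: sshd checked the key, PAM only needs the code.
        "kbd-int, code only, common-auth commented out":
            run_auth(without, "alice", keyboard_interactive_conv({"Verification code: ": "123456"})),
        # Password and code both via keyboard-interactive against the restored stack.
        "kbd-int, password + code, common-auth restored":
            run_auth(with_ca, "alice", keyboard_interactive_conv(
                {"Password: ": "correct horse", "Verification code: ": "123456"})),
        # Wrong password: pam_unix is ignored, pam_deny (requisite) dies immediately.
        "kbd-int, wrong password, common-auth restored":
            run_auth(with_ca, "alice", keyboard_interactive_conv(
                {"Password: ": "wrong", "Verification code: ": "123456"})),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{'PASS' if result else 'FAIL':4}  {name}")
```

The first two results are the point of the answer: under `UsePAM yes` the `password` method runs the same `auth` stack as the second factor, and a stack that prompts for anything other than the password cannot be satisfied by a conversation that only ever supplies the password. The fourth result is why password + OTP setups are normally expressed as `keyboard-interactive:pam` with `common-auth` left in place rather than as `password,keyboard-interactive:pam`; what the model does not resolve is the poster's goal of serving both a key+code and a password+code policy from the single `sshd` PAM service, which is the part the answer calls tricky.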