PAM authentication – Write Error: Broken Pipe

To allow 2FA in my domain, I set up a LinOTP server to manage the mapping between tokens and the users of my realm (coming from LDAP).

So I configured the PAM stack to use this authentication method for SSH sessions as well:

    # /etc/pam.d/sshd
    # =========================================================
    #%PAM-1.0
    auth       required     pam_sepermit.so
    # OTP Check
    auth       [success=1 default=ignore] pam_python.so \
        /lib/security/pam_linotp.py nosslhostnameverify nosslcertverify \
        url=https://mylinotpsrv.local/validate/simplecheck realm=MYDOMAIN debug
    auth       requisite    pam_deny.so
    auth       substack     password-auth
    auth       include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -auth      optional     pam_reauthorize.so prepare
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    required     pam_namespace.so
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth
    session    include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -session   optional     pam_reauthorize.so prepare

Then I try to open a connection with ssh [email protected]@192.168.0.12, and:

  • the OTP (in my case provided by Google Authenticator) is validated correctly;
  • the username/password correspondence is checked correctly.

But once the double check above is complete, I get an error: Write Error: Broken Pipe

The logs are as follows:

    /var/log/secure
    ====================================================================================================
    Mar 9 15:25:09 mflinux01 sshd[8215]: Set /proc/self/oom_score_adj to 0
    Mar 9 15:25:09 mflinux01 sshd[8215]: Connection from 192.168.0.13 port 33926 on 192.168.0.12 port 22
    Mar 9 15:25:09 mflinux01 sshd[8215]: Postponed keyboard-interactive for [email protected] from 192.168.0.13 port 33926 ssh2 [preauth]
    Mar 9 15:25:17 mflinux01 sshd[8215]: Postponed keyboard-interactive/pam for [email protected] from 192.168.0.13 port 33926 ssh2 [preauth]
    Mar 9 15:25:20 mflinux01 sshd[8217]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.13 [email protected]
    Mar 9 15:25:20 mflinux01 sshd[8220]: pam_krb5[8220]: got error -1 (Unknown code ____ 255) while obtaining tokens for cern.ch
    Mar 9 15:25:20 mflinux01 sshd[8215]: Postponed keyboard-interactive/pam for [email protected] from 192.168.0.13 port 33926 ssh2 [preauth]
    Mar 9 15:25:20 mflinux01 sshd[8215]: Accepted keyboard-interactive/pam for [email protected] from 192.168.0.13 port 33926 ssh2
    Mar 9 15:25:20 mflinux01 sshd[8215]: fatal: PAM: pam_setcred(): Failure setting user credentials

    /var/log/message
    ====================================================================================================
    Mar 9 15:25:01 mflinux01 systemd: Created slice user-988.slice.
    Mar 9 15:25:01 mflinux01 systemd: Starting user-988.slice.
    Mar 9 15:25:01 mflinux01 systemd: Started Session 12 of user pcp.
    Mar 9 15:25:01 mflinux01 systemd: Starting Session 12 of user pcp.
    Mar 9 15:25:03 mflinux01 systemd: Removed slice user-988.slice.
    Mar 9 15:25:03 mflinux01 systemd: Stopping user-988.slice.
    Mar 9 15:25:09 mflinux01 pam_linotp[8217]: start pam_linotp.py authentication: 1, ['/lib/security/pam_linotp.py', 'nosslhostnameverify', 'nosslcertverify', 'url=https://192.168.0.14/validate/simplecheck', 'realm=MYDOMAIN', 'debug']
    Mar 9 15:25:09 mflinux01 pam_linotp[8217]: got no password in authtok - trying through conversation
    Mar 9 15:25:16 mflinux01 pam_linotp[8217]: got password: 932410
    Mar 9 15:25:16 mflinux01 pam_linotp[8217]: calling url https://192.168.0.14/validate/simplecheck {'realm': 'MYDOMAIN', 'user': '[email protected]', 'pass': '932410'}
    Mar 9 15:25:17 mflinux01 pam_linotp[8217]: :-)
    Mar 9 15:25:17 mflinux01 pam_linotp[8217]: user successfully authenticated
    Mar 9 15:25:20 mflinux01 sshd: Please note: pam_linotp does not support setcred

Looking for a solution on the web, I also edited /etc/ssh/ssh_config and /etc/ssh/sshd_config, adding ClientAliveInterval 120 and ServerAliveInterval 120, but the error persists.

Consider that, by removing auth requisite pam_deny.so from the PAM stack, the OTP is of course no longer validated properly (it is always "correct"), but after the username/password check the SSH authentication works.

Do you have any clue to solve this issue?

Note: all Linux machines in my environment are CentOS 7 based.

Update:

Below you can find the current version of the password-auth PAM conf:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        [default=1 success=ok] pam_localuser.so
    auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient    pam_sss.so forward_pass
    auth        sufficient    pam_krb5.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
    account     required      pam_permit.so

    password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    sufficient    pam_krb5.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session    optional      pam_systemd.so
    session     optional      pam_oddjob_mkhomedir.so umask=0077
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so
    session     optional      pam_krb5.so

Authentication succeeds, as you can see at the :-). So apparently it is the rest of your stack.

If, as you say, it works when you remove pam_deny, then you obviously have a problem with

    auth substack password-auth

[success=1 default=ignore] means that on success the next (1) entry is skipped. So when you remove pam_deny, the password-auth entry is skipped. So look into that substack!

Update:

It probably fails because of the lines

    auth sufficient pam_sss.so forward_pass
    auth sufficient pam_krb5.so use_first_pass
    auth required pam_deny.so

The OTP is not successfully validated by sssd and kerberos. Therefore you hit pam_deny.
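The control-flag reasoning in the answer (a numeric action such as success=1 skips the next entry, and a substack counts as one entry when skipped) can be checked without touching a real system. The following simulator is an added example, not code from the question, the answer, or the LinOTP project: it implements the control actions documented in pam.conf(5) (ok, done, bad, die, ignore and numeric jumps) and evaluates the question's sshd auth stack with and without the requisite pam_deny.so line, with password-auth reduced to the three lines quoted in the answer's update. Module return codes are a constructed table (no PAM module runs), and only the auth phase is modelled; the fatal error in the posted /var/log/secure comes from pam_setcred(), which calls each auth module's setcred handler and is outside this model.

```python
"""Simulator of Linux-PAM 'auth' stack control flow.

Added example (not code from the question, the answer or LinOTP). It follows
the control actions documented in pam.conf(5). Module results come from a
constructed table, and only the auth phase is modelled, not setcred.
"""

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE, PAM_PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE", "PAM_PERM_DENIED")

# Expansion of the simple control keywords, as given in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(ctrl):
    """'required' or '[success=1 default=ignore]' -> {return-value: action}."""
    if ctrl in KEYWORDS:
        return dict(KEYWORDS[ctrl])
    if not (ctrl.startswith("[") and ctrl.endswith("]")):
        raise ValueError("unknown control: %s" % ctrl)
    return dict(tok.split("=", 1) for tok in ctrl[1:-1].split())


def action_for(ctrl, retval):
    """Map a module return code to its action; unlisted codes use 'default'."""
    key = retval[len("PAM_"):].lower()           # PAM_SUCCESS -> 'success'
    return ctrl.get(key, ctrl["default"])


def _run(entries, results, state, trace):
    skip = 0
    for ctrl, module in entries:
        if skip:                         # a whole substack counts as one module
            skip -= 1
            continue
        if ctrl == "substack":
            _run(module, results, state, trace)   # done/die end only the substack
            continue
        retval = results.get(module, PAM_IGNORE)
        trace.append(module)
        action = action_for(parse_control(ctrl), retval)
        if action.isdigit():             # N: 'equivalent to ok' plus skip N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            # ok/done only contribute while no failure has been recorded
            if state["impression"] is None or (
                    state["impression"] == "positive"
                    and state["status"] == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    state["impression"], state["status"] = "positive", retval
            if action == "done" and state["impression"] == "positive":
                break                    # e.g. 'sufficient' success ends this level
        elif action in ("bad", "die"):
            if state["impression"] != "negative":     # first failure wins
                state["impression"], state["status"] = "negative", retval
            if action == "die":
                break
        # 'ignore': the module's result does not touch the stack state


def authenticate(entries, results):
    """Evaluate an auth stack; returns (final status, modules actually invoked)."""
    state, trace = {"impression": None, "status": None}, []
    _run(entries, results, state, trace)
    # Linux-PAM fails closed when no module contributed a status.
    return state["status"] or PAM_PERM_DENIED, trace


# The relevant part of the question's sshd auth stack; password-auth is reduced
# to the three lines the answer's update points at.
PASSWORD_AUTH = [
    ("sufficient", "pam_sss.so"),
    ("sufficient", "pam_krb5.so"),
    ("required",   "pam_deny.so"),
]


def sshd_auth_stack(with_deny=True):
    stack = [("required", "pam_sepermit.so"),
             ("[success=1 default=ignore]", "pam_linotp.py")]
    if with_deny:
        stack.append(("requisite", "pam_deny.so"))
    stack.append(("substack", PASSWORD_AUTH))
    return stack


def outcomes(otp_ok, password_ok):
    """Constructed module results for one login attempt (assumed, not logged)."""
    return {
        "pam_sepermit.so": PAM_SUCCESS,
        "pam_linotp.py":   PAM_SUCCESS if otp_ok else PAM_AUTH_ERR,
        "pam_sss.so":      PAM_SUCCESS if password_ok else PAM_AUTH_ERR,
        "pam_krb5.so":     PAM_AUTH_ERR,   # constructed: pam_sss is the grantor in the log
        "pam_deny.so":     PAM_AUTH_ERR,   # pam_deny always denies
    }


if __name__ == "__main__":
    for deny in (True, False):
        for otp_ok, pw_ok in ((True, True), (False, True), (True, False)):
            status, trace = authenticate(sshd_auth_stack(deny), outcomes(otp_ok, pw_ok))
            print("pam_deny=%-5s otp_ok=%-5s password_ok=%-5s -> %s via %s"
                  % (deny, otp_ok, pw_ok, status, " > ".join(trace)))
```

Running it shows the two behaviours described on the page side by side: with the requisite pam_deny.so in place, a good OTP jumps over pam_deny into password-auth and a bad OTP dies at pam_deny; with that line removed, a good OTP jumps over the whole password-auth substack, so the password is never consulted, while a bad OTP is ignored and the password check alone decides, which is why the OTP then appears to be "always correct".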