服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 使用RADIUS + Google身份validation器进行SSH身份validation
Intereting Posts
HP Laserjet“维修间隔”与“定影器寿命” 无法在haproxy上绑定端口 为什么ec2-consistent-snapshot不能find我的AWS证书/密钥? Windows Server 2008 R2共享文件夹存储的文件名长度限制 有可能有一个既可互操作又安全的电子邮件服务器? 脚本向导中缺less数据库表 在Cisco 3750的一个干线端口上的Portfast SSDs + RAID5 +数据库=失败? configurationNGINX GZip字体文件? (不同的目录不同的gzip_types) 有关Microsoft Windows恶意软件删除工具(MRT)的一些问题 如何在ubuntu中启动bash shell – 改变目录,打开制表符,运行命令 是否有可能获得安装微软软件和序列号? 如何获得正在侦听特定的端口在Linux的套接字? 我可以删除/ tmp目录中的CGI ***** – *文件吗? 从PXE服务器启动FreeBSD ISO

使用RADIUS + Google身份validation器进行SSH身份validation

我正在尝试configuration我的SSHD来使用FreeRadiusvalidation用户。 FreeRadius服务器首先需要使用Google Authenticator的有效OTP,然后validation系统帐户密码。

如果我将Radius服务器设置为使用Google Authenticator,则可以使其工作,但是当我添加询问系统帐户密码的额外步骤时,Google Authenticator令牌每次都会失败。 我认为我的问题是我的PAMconfiguration,但我没有看到我在做什么错了。

我将调用服务器运行SSHD“客户端”服务器和FreeRadius服务器“半径”服务器。

这是我的客户端:/etc/pam.d/sshd 

#%PAM-1.0 auth required pam_sepermit.so auth required pam_radius_auth.so debug prompt=token #auth include password-auth auth include postlogin account required pam_nologin.so account include password-auth account sufficient pam_radius_auth.so password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth session include postlogin

我还在客户端启用了质询/响应身份validation:/ etc / ssh / sshd_config中的行: 

 ChallengeResponseAuthentication yes

这是我的/etc/pam.d/radiusd在radius服务器上的configuration: 

 #%PAM-1.0 auth requisite pam_google_authenticator.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth session include password-auth #@include common-auth #@include common-account #@include common-password #@include common-session

正因如此,您可以按照链接,以下是radius服务器上的/etc/pam.d/password-auth文件: 

 #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so

这种方式的工作原理是,客户端服务器只需要radius服务器接受login,但radius服务器需要使用带有GoogleAuthenticator的OTP和本地pam_unix密码才能接受。 这就是我要的。

奇怪的是,当我在radius服务器/etc/pam.d/radiusd文件中注释掉以下行: 

 auth include password-auth

然后我可以login到客户端服务器,它会提示我input我的GoogleAuthenticator令牌。 一切工作,当我这样做。 从我的手机得到的OTP被接受,请求被发送到半径,它返回到客户端服务器,并让我进入。

但是,如果对上述行进行取消注释,系统会要求我提供GoogleAuthenticator令牌,每次input时都会失败。 奇怪的是,它要求我的OTP令牌4次,然后问我的系统帐户密码,然后说失败。 任何人都可以帮助我得到这个工作?

当我尝试使用GoogleAuthenticator标记和unix密码时,以下是我的“radiusd -X”输出: 

 Received Access-Request Id 112 from client:48253 to radius:1812 length 94 User-Name = 'bob' User-Password = '146963' NAS-IP-Address = client NAS-Identifier = 'sshd' NAS-Port = 9148 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = 'xxx.xxx.xxx.xxx' (0) Received Access-Request packet from host 192.168.20.51 port 48253, id=112, length=94 (0) User-Name = 'bob' (0) User-Password = '146963' (0) NAS-IP-Address = xxx.xxx.xxx.xxx (0) NAS-Identifier = 'sshd' (0) NAS-Port = 9148 (0) NAS-Port-Type = Virtual (0) Service-Type = Authenticate-Only (0) Calling-Station-Id = 'xxx.xxx.xxx.xxx' (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : No '@' in User-Name = “bob”, looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) files : users: Matched entry DEFAULT at line 198 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (0) WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = PAM (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { pam_pass: using pamauth string <radiusd> for pam.conf lookup pam_pass: function pam_authenticate FAILED for <bob>. Reason: Authentication failure (0) [pam] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> bob (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.9 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host xxx.xxx.xxx.xxx port 48253, id=112, length=0 Sending Access-Reject Id 112 from xxx.xxx.xxx.xxx:1812 to xxx.xxx.xxx.xxx:48253 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 112 with timestamp +20 Ready to process requests Received Access-Request Id 81 from xxx.xxx.xxx.xxx:45486 to xxx.xxx.xxx.xxx:1812 length 94 User-Name = 'bob' User-Password = '146963' NAS-IP-Address = xxx.xxx.xxx.xxx NAS-Identifier = 'sshd' NAS-Port = 9149 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = 'xxx.xxx.xxx.xxx'

我想到了。 问题出在/etc/pam.d/password-auth文件的PAM堆栈中。 具体来说这一行: 

 auth sufficient pam_unix.so nullok try_first_pass

发生了什么事情是google-authenticator的标记被接受了,但是由于“try_first_pass”选项,pam_unix.so试图使用该代码作为系统密码。 我不知道为什么,但这导致整个authentication链重新开始,要求google-auth密码。

摆脱“try_first_pass”选项解决了这个问题,并给我所需的行为。