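My Ubuntu 12.04 server uses the google-authenticator PAM module to provide two-step verification for ssh. I need to set it up so that a certain IP does not need to enter the verification code.
The /etc/pam.d/sshd file is as follows: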
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session optional pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

auth required pam_google_authenticator.so
I have tried adding an
auth sufficient pam_exec.so /etc/pam.d/ip.sh
line above the google-authenticator line, but I don't understand how to check the IP address in the bash script.
You cannot allow or deny authentication using pam_exec. What you should do is add something like
account sufficient pam_access.so
just above the google authenticator line, and in /etc/security/access.conf
+:ALL:<ip>
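I use google authenticator before the account password. Therefore I cannot use pam_access, because it bypasses the account password. So I cloned google authenticator and implemented a core whitelist function in it.
You can get it from https://code.google.com/r/kazimsarikaya-google-authenticatior-withwhitelist/.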
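An added example, not part of the original thread: a script that the question's `auth sufficient pam_exec.so /etc/pam.d/ip.sh` line could run, relying on pam_exec exporting the client address in `PAM_RHOST` and the stack type in `PAM_TYPE`, and on exit status 0 counting as success. The allowlist addresses are constructed documentation addresses, and `ip_allowed` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not code from the thread or from google-authenticator.
# Intended for: auth sufficient pam_exec.so /etc/pam.d/ip.sh
# placed directly above the pam_google_authenticator.so line.
# Exit 0 -> "sufficient" succeeds and the code prompt is skipped.
# Exit 1 -> the failure is ignored and the code prompt follows as usual.

# Constructed allowlist (RFC 5737 documentation addresses).
ALLOWED_IPS="192.0.2.10 198.51.100.7"

# Return 0 only if $1 is a literal IPv4 address that exactly equals
# one allowlist entry.
ip_allowed() {
    rhost=$1

    # No remote host (for example a local login): never skip the code.
    [ -n "$rhost" ] || return 1

    # PAM_RHOST can be a hostname when sshd resolves client names.
    # Reverse DNS belongs to whoever owns the address, so anything that
    # is not digits and dots is rejected. IPv6 is not handled here.
    case $rhost in
        *[!0-9.]*) return 1 ;;
    esac

    # Whole-string comparison, so 192.0.2.1 or 192.0.2.100 do not
    # match the entry 192.0.2.10 the way a prefix or grep test would.
    for ip in $ALLOWED_IPS; do
        if [ "$rhost" = "$ip" ]; then
            return 0
        fi
    done
    return 1
}

# Only decide when pam_exec calls the script from an auth stack.
if [ "${PAM_TYPE:-}" = "auth" ]; then
    if ip_allowed "${PAM_RHOST:-}"; then
        exit 0
    fi
    exit 1
fi
```

The script should be owned by root and not writable by anyone else, since whoever can edit it decides which addresses skip the second factor.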