所以,我想要的是使用 Yubikey 作為第二個因素或唯一的因素登入系統。
我使用 Linux Mint 21.3,我的 Yubikey 是 5C NFC。
我的/etc/pam.d/common-auth:
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_oath.so debug usersfile=/etc/users.oath digits=6 window=0
auth required pam_permit.so
auth required pam_ecryptfs.so unwrap
auth optional pam_cap.so
我新增的唯一一行是第三行,其餘的都在我之前。
Q1:我理解正確嗎,線路順序很重要?
我oathtool產生/將 HEX 秘密轉換為 Base32:
kein@leaf:~$ oathtool -v --hotp -d 6 46362175108032033577
Hex secret: 46362175108032033577
Base32 secret: IY3CC5IQQAZAGNLX
Digits: 6
Window size: 0
Start counter: 0x0 (0)
801904
使用yubikey-manager(1.2.5 AppImage),我將其中一個插槽配置為OATH-HOTP貼上 Base32 金鑰並選擇 6 位數字。
然後我創建/etc/users.oath:(600權限,所有者 - root)
HOTP kein - 46362175108032033577
現在:第一次嘗試成功了:
kein@leaf:~$ sudo echo "YAPPY"
[sudo] password for kein:
[../../pam_oath/pam_oath.c:parse_cfg(123)] called.
[../../pam_oath/pam_oath.c:parse_cfg(124)] flags 32768 argc 4
[../../pam_oath/pam_oath.c:parse_cfg(126)] argv[0]=debug
[../../pam_oath/pam_oath.c:parse_cfg(126)] argv[1]=usersfile=/etc/users.oath
[../../pam_oath/pam_oath.c:parse_cfg(126)] argv[2]=digits=6
[../../pam_oath/pam_oath.c:parse_cfg(126)] argv[3]=window=0
[../../pam_oath/pam_oath.c:parse_cfg(127)] debug=1
[../../pam_oath/pam_oath.c:parse_cfg(128)] alwaysok=0
[../../pam_oath/pam_oath.c:parse_cfg(129)] try_first_pass=0
[../../pam_oath/pam_oath.c:parse_cfg(130)] use_first_pass=0
[../../pam_oath/pam_oath.c:parse_cfg(131)] usersfile=/etc/users.oath
[../../pam_oath/pam_oath.c:parse_cfg(132)] digits=6
[../../pam_oath/pam_oath.c:parse_cfg(133)] window=0
[../../pam_oath/pam_oath.c:pam_sm_authenticate(275)] get user returned: kein
[../../pam_oath/pam_oath.c:pam_sm_authenticate(283)] usersfile is /etc/users.oath
[../../pam_oath/pam_oath.c:pam_sm_authenticate(293)] authenticate first pass rc -2 (OATH_INVALID_DIGITS: Unsupported number of OTP digits) last otp Sun Jun 30 07:11:28 3357022
One-time password (OATH) for `kein':
[../../pam_oath/pam_oath.c:pam_sm_authenticate(376)] conv returned: 801904
[../../pam_oath/pam_oath.c:pam_sm_authenticate(440)] OTP: 801904
[../../pam_oath/pam_oath.c:pam_sm_authenticate(448)] authenticate rc 0 (OATH_OK: Successful return) last otp Tue Nov 8 02:59:37 4368416
[../../pam_oath/pam_oath.c:pam_sm_authenticate(472)] done. [Success]
YAPPY
但第二次嘗試(另一個終端)失敗:
kein@leaf:~$ sudo echo "YAPPY"
[sudo] password for kein:
[../../pam_oath/pam_oath.c:parse_cfg(123)] called.
[../../pam_oath/pam_oath.c:parse_cfg(124)] flags 32768 argc 4
[../../pam_oath/pam_oath.c:parse_cfg(126)] argv[0]=debug
[../../pam_oath/pam_oath.c:parse_cfg(126)] argv[1]=usersfile=/etc/users.oath
[../../pam_oath/pam_oath.c:parse_cfg(126)] argv[2]=digits=6
[../../pam_oath/pam_oath.c:parse_cfg(126)] argv[3]=window=0
[../../pam_oath/pam_oath.c:parse_cfg(127)] debug=1
[../../pam_oath/pam_oath.c:parse_cfg(128)] alwaysok=0
[../../pam_oath/pam_oath.c:parse_cfg(129)] try_first_pass=0
[../../pam_oath/pam_oath.c:parse_cfg(130)] use_first_pass=0
[../../pam_oath/pam_oath.c:parse_cfg(131)] usersfile=/etc/users.oath
[../../pam_oath/pam_oath.c:parse_cfg(132)] digits=6
[../../pam_oath/pam_oath.c:parse_cfg(133)] window=0
[../../pam_oath/pam_oath.c:pam_sm_authenticate(275)] get user returned: kein
[../../pam_oath/pam_oath.c:pam_sm_authenticate(283)] usersfile is /etc/users.oath
[../../pam_oath/pam_oath.c:pam_sm_authenticate(293)] authenticate first pass rc -2 (OATH_INVALID_DIGITS: Unsupported number of OTP digits) last otp Sun Mar 24 18:24:03 2024
One-time password (OATH) for `kein':
[../../pam_oath/pam_oath.c:pam_sm_authenticate(376)] conv returned: 118838
[../../pam_oath/pam_oath.c:pam_sm_authenticate(440)] OTP: 118838
[../../pam_oath/pam_oath.c:pam_sm_authenticate(448)] authenticate rc -6 (OATH_INVALID_OTP: The OTP is not valid) last otp Sun Mar 24 18:24:03 2024
[../../pam_oath/pam_oath.c:pam_sm_authenticate(455)] One-time password not authorized to login as user 'kein'
[../../pam_oath/pam_oath.c:pam_sm_authenticate(472)] done. [Authentication failure]
Sorry, try again.
[sudo] password for kein:
畢竟/etc/users.oath包含:HOTP kein - 46362175108032033577 0 801904 2024-03-24T18:24:03L
2Q:為什麼第二次(及後續)嘗試失敗?怎麼了?
3Q: 為什麼OATH_INVALID_DIGITS: Unsupported number of OTP digits?