Why does this user not need PAM two-factor authentication to log in?

I inherited a system from a colleague who has since passed away. He set up two-factor authentication on the system (except for the users root and ftpupload).

However, there is one particular user who has SSH access but does not need two-factor authentication. That user can log in with just a username and password!

I noticed he set it up so that any user in the disable2fa group needs two-factor authentication. I only see the following users in that group:

$ getent group disable2fa
disable2fa:x:2003:root,publicftpupload

I checked the PAM file (sudo nano /etc/pam.d/sshd) and saw the following:

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password
auth [success=done default=ignore] pam_succeed_if.so user ingroup disable2fa
auth required pam_google_authenticator.so nullok

Is there anywhere else I should check? Can anyone help? Thanks!

Answer 1

This is what this line does:

auth [success=done default=ignore] pam_succeed_if.so user ingroup disable2fa

From man pam.d:

ok
   this tells PAM that the administrator thinks this return code should contribute
   directly to the return code of the full stack of modules. In other words, if the
   former state of the stack would lead to a return of PAM_SUCCESS, the module's return
   code will override this value. Note, if the former state of the stack holds some value
   that is indicative of a modules failure, this 'ok' value will not be used to override
   that value.

done
   equivalent to ok with the side effect of terminating the module stack and PAM
   immediately returning to the application.

Essentially, success=done means that if this module succeeds, nothing further needs to be checked, so the pam_google_authenticator.so line after it is skipped whenever this module succeeds; and this module only checks whether the user is in the group disable2fa:

user ingroup group
   User is in given group.

Answer 2

You can remove the "user ingroup disable2fa" line from the PAM configuration file and replace it with the configuration documented in:

https://codeberg.org/kpiq/Tech-Space/wiki/2FA-Authenticator-app-%28any-compatible-with-Google-Authenticator%29-setup-for-Ubuntu-Jammy

This way, only users who have configured a Google Authenticator token (a ~/.google_authenticator file) are asked for a verification code. The "user ingroup" setting was a question mark for me until I found the nullok parameter in the documentation.

It works like a charm!
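To make both answers concrete (the success=done short-circuit explained in Answer 1 and the nullok behaviour relied on in Answer 2), the following is an added example, not part of either answer and not Linux-PAM code: a small Python model of the sshd auth stack from the question. It assumes the stock Debian/Ubuntu expansion of "@include common-auth" shown in the constructed sample, models pam_google_authenticator.so with nullok and no secret file as a PAM_IGNORE result (an assumption about the exact return code; what matters here is that no verification code is requested), and uses constructed group data mirroring the getent output above.

```python
import re

# Constructed sample: the auth-relevant lines of the question's /etc/pam.d/sshd,
# with "@include common-auth" expanded to the stock Debian/Ubuntu stack (assumption).
PAM_SSHD = """\
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
auth [success=done default=ignore] pam_succeed_if.so user ingroup disable2fa
auth required pam_google_authenticator.so nullok
"""

# Constructed `getent group` data mirroring the question.
GROUP_DB = "disable2fa:x:2003:root,publicftpupload\n"

# Simple control keywords expressed as their bracket equivalents (see man pam.d).
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_groups(text):
    """Parse getent-style group lines into {group: set(members)}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, members = line.split(":")
            groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_auth_stack(text):
    """Return [(control_dict, module, args)] for every 'auth' line."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("auth"):
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        control, module, args = m.groups()
        if control.startswith("["):
            ctl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctl = KEYWORDS[control]
        stack.append((ctl, module, args.split()))
    return stack


def run_module(module, args, user, groups, password_ok, has_secret):
    """Model the outcome of one module: (outcome, whether an OTP code was requested)."""
    if module == "pam_unix.so":
        return ("success" if password_ok else "fail"), False
    if module == "pam_deny.so":
        return "fail", False
    if module == "pam_permit.so":
        return "success", False
    if module == "pam_succeed_if.so" and args[:2] == ["user", "ingroup"]:
        return ("success" if user in groups.get(args[2], set()) else "fail"), False
    if module == "pam_google_authenticator.so":
        if not has_secret and "nullok" in args:
            # Assumption: no ~/.google_authenticator plus nullok is modelled as PAM_IGNORE.
            return "ignore", False
        return "success", True  # a verification code is demanded (assumed entered correctly)
    raise ValueError(f"unmodelled module {module}")


def evaluate(user, groups, password_ok=True, has_secret=True, pam_text=PAM_SSHD):
    """Walk the auth stack with Linux-PAM control semantics (ok/done/bad/die/ignore/jump N)."""
    stack = parse_auth_stack(pam_text)
    state = None  # None = undecided, True = success recorded, False = failure recorded
    otp_prompted = False
    i = 0
    while i < len(stack):
        ctl, module, args = stack[i]
        outcome, prompted = run_module(module, args, user, groups, password_ok, has_secret)
        otp_prompted = otp_prompted or prompted
        action = ctl.get(outcome, ctl["default"])
        i += 1
        if action in ("ok", "done") or action.isdigit():
            if state is None:          # 'ok' never overrides an earlier failure
                state = True
            if action == "done":       # terminate the stack immediately
                break
            if action.isdigit():       # 'N': ok plus jump over the next N modules
                i += int(action)
        elif action in ("bad", "die"):
            state = False
            if action == "die":
                break
        # "ignore": the module does not contribute to the result
    return {"authenticated": bool(state), "otp_prompted": otp_prompted}


if __name__ == "__main__":
    g = parse_groups(GROUP_DB)
    for who, kw in [("root", {}), ("alice", {}), ("bob", {"has_secret": False}),
                    ("alice", {"password_ok": False})]:
        print(who, kw, evaluate(who, g, **kw))
```

Running it shows the three situations the thread discusses: a disable2fa member such as root is authenticated by pam_unix and then pam_succeed_if returns success=done, so pam_google_authenticator.so is never reached; a user outside the group with a secret file is prompted for a code; and, with nullok, a user outside the group who simply has no ~/.google_authenticator file is also never prompted, which is the trade-off Answer 2 accepts.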
