CentOS 7 SSH and 2FA (ESET Secure Authentication)

I am determined to get two-factor authentication working on CentOS 7, specifically authentication via SSH with an OTP.

If anyone can help me I would be very grateful. 🙂

Edit: As far as I can tell from the log below, the PAM module asks the RADIUS server to authenticate, the server responds with code 11 so that the PAM module will challenge the user for the OTP, but instead the module just says "authentication failed". So the client should be the problem, right?

Here is a log of a login via SSH with the account "[email protected]":

 sshd[3652]: pam_radius_auth: Got user name [email protected]
 sshd[3652]: pam_radius_auth: ignore last_pass, force_prompt set
 sshd[3652]: pam_radius_auth: Sending RADIUS request code 1
 sshd[3652]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fa56490e1c0.
 sshd[3652]: pam_radius_auth: Got RADIUS response code 11
 sshd[3652]: pam_radius_auth: authentication failed
 sshd[3652]: pam_sepermit(sshd:auth): Parsing config file: /etc/security/sepermit.conf
 sshd[3652]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match
 sshd[3652]: pam_sepermit(sshd:auth): sepermit_match returned: -1
 sshd[3652]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 [email protected]
 sshd[3652]: Failed password for [email protected] from 10.0.0.31 port 57962 ssh2
 sshd[3652]: Connection closed by 10.0.0.31 [preauth]

The configuration and setup information follows.

The test environment is provided by my company's infrastructure; we mainly use Windows clients and roughly equal numbers of Windows and Linux servers.

Win-Server: Windows Server 2016 x64

  • Active Directory: Test.local
  • ESET Secure Authentication (RADIUS server)
    • Shared secret with the client: test345
    • Option "Use Access-Challenge feature of RADIUS" enabled

Linux client/server: CentOS 7.3 x64

  • Joined the domain Test.local via realm
  • Local login with an AD account and OTP 2FA works at any time
  • Login with any account only works if pam_radius_auth.so is not set to required in /etc/pam.d/sshd (which means no 2FA)

Configuration of the Linux client/server:

  • RADIUS server and shared secret added to /etc/raddb/server
  • pam_radius_auth.so is located in /usr/lib64/security/
  • auth required pam_radius_auth.so added to /etc/pam.d/sshd and /etc/pam.d/login

File /etc/pam.d/login

 #%PAM-1.0
 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
 auth substack system-auth
 auth include postlogin
 auth sufficient pam_radius_auth.so
 account required pam_nologin.so
 account include system-auth
 password include system-auth
 # pam_selinux.so close should be the first session rule
 session required pam_selinux.so close
 session required pam_loginuid.so
 session optional pam_console.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session required pam_selinux.so open
 session required pam_namespace.so
 session optional pam_keyinit.so force revoke
 session include system-auth
 session include postlogin
 -session optional pam_ck_connector.so

File /etc/pam.d/sshd

 #%PAM-1.0
 auth required pam_radius_auth.so debug
 auth required pam_sepermit.so debug
 auth substack password-auth debug
 auth include postlogin debug
 # Used with polkit to reauthorize users in remote sessions
 -auth optional pam_reauthorize.so prepare
 account required pam_nologin.so
 account include password-auth
 password include password-auth
 # pam_selinux.so close should be the first session rule
 session required pam_selinux.so close
 session required pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session required pam_selinux.so open env_params
 session required pam_namespace.so
 session optional pam_keyinit.so force revoke
 session include password-auth
 session include postlogin
 # Used with polkit to reauthorize users in remote sessions
 -session optional pam_reauthorize.so prepare

File /etc/raddb/server

 # server[:port] shared_secret timeout (s)
 10.0.0.1 test345 5
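For reference, the codes in the log above are RADIUS packet codes from RFC 2865: code 1 is Access-Request and code 11 is Access-Challenge. A challenge is not a failure; it tells the client to prompt the user for the second factor and to send a new Access-Request carrying the OTP together with the State attribute the server returned. The following is an added example, not code from the post or from ESET: a self-contained Python simulation of that two-leg exchange against a constructed stand-in server, including the User-Password hiding and Response Authenticator check from the RFC. The shared secret reuses test345 from the post; the user name, password and OTP values are invented for the demo.

```python
"""RFC 2865 Access-Request / Access-Challenge exchange, simulated offline.
Added example: a client and a constructed stand-in challenge server in one file."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"test345"   # shared secret from the post's /etc/raddb/server (demo value)

def _password_xor(data, secret, seed, decrypt):
    """RFC 2865 5.2: 16-byte MD5 keystream per block, chained on the previous ciphertext block."""
    out, prev = b"", seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out

def encrypt_password(pw, secret, req_auth):
    raw = pw.encode()
    raw = raw.ljust(max(16, -(-len(raw) // 16) * 16), b"\x00")  # NUL-pad to a 16-byte multiple
    return _password_xor(raw, secret, req_auth, decrypt=False)

def decrypt_password(blob, secret, req_auth):
    return _password_xor(blob, secret, req_auth, decrypt=True).rstrip(b"\x00").decode(errors="replace")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, ln = struct.unpack("!BB", blob[i:i + 2])
        if ln < 2 or i + ln > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + ln]))
        i += ln
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def build_response(code, ident, req_auth, attrs, secret):
    return build_packet(code, ident, response_authenticator(code, ident, attrs, req_auth, secret), attrs)

class ChallengeServer:
    """Constructed stand-in for a challenge-capable RADIUS server (not ESET's implementation):
    leg 1 checks the password and answers code 11 with a State; leg 2 checks the OTP."""
    def __init__(self, users, secret=SECRET):
        self.users, self.secret, self.pending = users, secret, {}  # users: name -> (password, otp)

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        reply = lambda c, extra=(): build_response(c, ident, req_auth, list(extra), self.secret)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return reply(ACCESS_REJECT)
        user = a[USER_NAME].decode(errors="replace")
        given = decrypt_password(a[USER_PASSWORD], self.secret, req_auth)
        password, otp = self.users.get(user, (None, None))
        if STATE in a:  # leg 2: OTP plus the echoed State
            ok = self.pending.pop(a[STATE], None) == user and given == otp
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT)
        if given != password:  # leg 1: first factor only
            return reply(ACCESS_REJECT)
        state = os.urandom(8)
        self.pending[state] = user
        return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter OTP: "), (STATE, state)])

def radius_login(server, user, password, otp_prompt, secret=SECRET):
    """What the PAM client must do: send the password; on code 11 prompt for the OTP and
    resend it together with the State attribute. Returns the final response code."""
    ident, attrs, token = 0, [(USER_NAME, user.encode())], password
    for _ in range(3):  # at most a couple of challenge legs
        req_auth = os.urandom(16)
        pkt = build_packet(ACCESS_REQUEST, ident, req_auth,
                           attrs + [(USER_PASSWORD, encrypt_password(token, secret, req_auth))])
        code, rid, resp_auth, rattrs = parse_packet(server.handle(pkt))
        # only trust replies whose Response Authenticator proves knowledge of the shared secret
        if rid != ident or resp_auth != response_authenticator(code, rid, rattrs, req_auth, secret):
            return ACCESS_REJECT
        if code != ACCESS_CHALLENGE:
            return code
        r = dict(rattrs)
        token = otp_prompt(r.get(REPLY_MESSAGE, b"").decode(errors="replace"))  # ask for the OTP
        attrs = [(USER_NAME, user.encode()), (STATE, r.get(STATE, b""))]
        ident = (ident + 1) & 0xFF
    return ACCESS_REJECT
```

Run `radius_login(ChallengeServer({"testuser@test.local": ("Passw0rd!", "123456")}), "testuser@test.local", "Passw0rd!", lambda prompt: "123456")` and it returns 2 (Access-Accept) only after the second leg; a client that treats code 11 as a failure, as the log shows, never gets past the first leg. Note that a wrong shared secret on either side shows up as a rejected reply rather than an obvious error, because the client cannot verify the Response Authenticator and the server decrypts the password to garbage.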

I have managed to solve this myself.

Apparently the only thing that needed to be changed was the order of the PAM modules in /etc/pam.d/sshd.

auth sufficient pam_radius_auth.so has to be below pam_sepermit.so and above password-auth.

Actually, the module order in /etc/pam.d/login was not correct either.

There the line auth sufficient pam_radius_auth.so should be below pam_securetty.so and above system-auth.

So this is what the files look like now:

File /etc/pam.d/login

 #%PAM-1.0
 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
 auth sufficient pam_radius_auth.so
 auth substack system-auth
 auth include postlogin
 # auth sufficient pam_radius_auth.so
 account required pam_nologin.so
 account include system-auth
 password include system-auth
 # pam_selinux.so close should be the first session rule
 session required pam_selinux.so close
 session required pam_loginuid.so
 session optional pam_console.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session required pam_selinux.so open
 session required pam_namespace.so
 session optional pam_keyinit.so force revoke
 session include system-auth
 session include postlogin
 -session optional pam_ck_connector.so

File /etc/pam.d/sshd

 #%PAM-1.0
 auth required pam_sepermit.so
 auth sufficient pam_radius_auth.so
 auth substack password-auth
 auth include postlogin
 # Used with polkit to reauthorize users in remote sessions
 -auth optional pam_reauthorize.so prepare
 account required pam_nologin.so
 account include password-auth
 password include password-auth
 # pam_selinux.so close should be the first session rule
 session required pam_selinux.so close
 session required pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session required pam_selinux.so open env_params
 session required pam_namespace.so
 session optional pam_keyinit.so force revoke
 session include password-auth
 session include postlogin
 # Used with polkit to reauthorize users in remote sessions
 -session optional pam_reauthorize.so prepare
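What the two orderings do is decided by the pam.d(5) control keywords, and the keyword matters as much as the position. The following added example (not from the post) models libpam's evaluation of required, requisite, sufficient, optional, include and substack for the sshd stacks above, fed with constructed per-module outcomes taken from the log: pam_sepermit has no matching entry and returns ignore, pam_sss accepts the AD password, pam_unix does not know a domain user. The password-auth stack is assumed to be the authconfig-generated one typical for a realm-joined CentOS 7 host; it is not shown in the post. The model shows two things a practitioner will want to verify on the box: with the final ordering a RADIUS accept ends the stack before password-auth runs, and, because a sufficient line's failure is ignored, a RADIUS reject on its own does not fail the login; whether password-auth then passes depends on what password pam_unix and pam_sss are given. A requisite variant, also not from the post, is included for comparison.

```python
"""Model of libpam's auth-stack evaluation for the keywords used in this thread.
Added example (not from the post): per-module outcomes are constructed inputs."""

SUCCESS, AUTH_ERR, IGNORE, PERM_DENIED = "success", "auth_err", "ignore", "perm_denied"

# pam.d(5) keyword -> (module result -> action); 'ok' counts as a pass, 'bad' as a fail,
# 'done' and 'die' additionally stop the stack, 'ignore' leaves the running verdict untouched.
_ACTIONS = {
    "required":   {SUCCESS: "ok",   IGNORE: "ignore", AUTH_ERR: "bad"},
    "requisite":  {SUCCESS: "ok",   IGNORE: "ignore", AUTH_ERR: "die"},
    "sufficient": {SUCCESS: "done", IGNORE: "ignore", AUTH_ERR: "ignore"},
    "optional":   {SUCCESS: "ok",   IGNORE: "ignore", AUTH_ERR: "ignore"},
}

def _splice_includes(name, stacks):
    """'include' lines are evaluated as part of the including stack (done/die end the whole stack)."""
    lines = []
    for control, target in stacks[name]:
        lines += _splice_includes(target, stacks) if control == "include" else [(control, target)]
    return lines

def evaluate(name, stacks, results, trace=None):
    """Final status of the named stack; `trace` collects the modules actually called, in order."""
    trace = [] if trace is None else trace
    impression, status = None, None   # libpam's running verdict: None / "positive" / "negative"
    for control, target in _splice_includes(name, stacks):
        if control == "substack":
            result = evaluate(target, stacks, results, trace)   # done/die inside end only the substack
            action = _ACTIONS["required"].get(result, "bad")      # substack result is handled like 'required'
        else:
            trace.append(target)
            result = results[target]
            action = _ACTIONS[control][result]
        if action == "ok" and impression is None:
            impression, status = "positive", SUCCESS
        elif action in ("bad", "die") and impression != "negative":
            impression, status = "negative", result   # the first failure is the one reported
        if action == "die":
            return status
        if action == "done":
            return SUCCESS if impression != "negative" else status
    return PERM_DENIED if impression is None else status  # nothing reached a verdict: denied

# auth lines of the files in the thread. password-auth is the authconfig-generated stack typical
# for a realm-joined CentOS 7 host (assumed, not shown in the post); postlogin has no auth lines.
PASSWORD_AUTH = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
                 ("requisite", "pam_succeed_if.so"), ("sufficient", "pam_sss.so"),
                 ("required", "pam_deny.so")]
POSTLOGIN = []
SSHD_BEFORE = [("required", "pam_radius_auth.so"), ("required", "pam_sepermit.so"),
               ("substack", "password-auth"), ("include", "postlogin")]
SSHD_AFTER = [("required", "pam_sepermit.so"), ("sufficient", "pam_radius_auth.so"),
              ("substack", "password-auth"), ("include", "postlogin")]
# variant not in the post: a RADIUS reject ends the stack instead of being ignored
SSHD_REQUISITE = [("required", "pam_sepermit.so"), ("requisite", "pam_radius_auth.so"),
                  ("substack", "password-auth"), ("include", "postlogin")]

def outcome(sshd, radius_result, sss_result=SUCCESS):
    """SSH login of a domain user: pam_sepermit has no matching entry (ignore, as in the log),
    pam_unix does not know the user, pam_sss sees the AD password (success, as in the log)."""
    results = {"pam_radius_auth.so": radius_result, "pam_sepermit.so": IGNORE,
               "pam_env.so": SUCCESS, "pam_unix.so": AUTH_ERR,
               "pam_succeed_if.so": SUCCESS, "pam_sss.so": sss_result, "pam_deny.so": AUTH_ERR}
    stacks = {"sshd": sshd, "password-auth": PASSWORD_AUTH, "postlogin": POSTLOGIN}
    trace = []
    return evaluate("sshd", stacks, results, trace), trace

if __name__ == "__main__":
    for label, stack, radius in [("before, RADIUS failed", SSHD_BEFORE, AUTH_ERR),
                                 ("after, RADIUS accept", SSHD_AFTER, SUCCESS),
                                 ("after, RADIUS reject", SSHD_AFTER, AUTH_ERR),
                                 ("requisite, RADIUS reject", SSHD_REQUISITE, AUTH_ERR)]:
        print(f"{label}: {outcome(stack, radius)}")
```

The first case reproduces the log: pam_sss reports success inside password-auth, yet sshd logs "Failed password", because the earlier required pam_radius_auth.so failure is the one libpam reports. The third case is the one to test deliberately on a real host (wrong OTP, correct password) before calling the setup two-factor.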