CentOS 7 configured for 2FA SSH access via pam_oath - allows any string of 6 characters or less for the one-time password

So I've been reading up on how to configure a CentOS 7 machine for two-factor authentication over SSH, using pam_oath and the FreeOTP phone app plus the local username/password as the two factors. I've read various online articles, and they all seem to follow the basic instructions laid out in the following articles:

https://wiki.archlinux.org/index.php/Pam_oath

https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/

https://www.brianlane.com/post/setup-oath-ssh-login-on-fedora/

Before doing this on my main CentOS machine, I spun up a VirtualBox VM for testing with a minimal CentOS 7 install. I followed the instructions and the system prompted me for the "One-time password (OATH)" credential, but I noticed that I could enter *any* alphanumeric string of 6 characters or fewer as the OATH password, and it would then prompt me for the local username/password. As long as I entered the local password correctly, I got shell access.

Here are the steps I followed after an initial minimal CentOS 7 install (CentOS Linux release 7.7.1908 (Core)):

1. Install packages:

yum update && yum upgrade

yum install epel-release

yum install pam_oath oathtool gen-oath-safe

2. Edit /etc/pam.d/sshd and add the following line as the first non-comment line:

auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6

So the first few lines of /etc/pam.d/sshd look like this:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions

After:

#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
3. Generate a key for my local account:

gen-oath-safe jdoe hotp

4. Add the key to the FreeOTP app on the phone via the QR code

5. Add the hex code to /etc/liboath/users.oath:

HOTP jdoe - REDACTED

6. Edit the /etc/ssh/sshd_config file and make sure the following settings are in place:

UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

7. Set SELinux permissions on /etc/liboath:

semanage fcontext -a -t systemd_passwd_var_run_t '/etc/liboath(/.*)?'
restorecon -rv /etc/liboath/

8. Restart SSH:

systemctl restart sshd

So when I SSH into this host and enter any string of 6 characters or fewer, I can log in with my local password:

login as: jdoe
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
 Password:
End of keyboard-interactive prompts from server
Last login: Sun Mar 22 18:03:08 2020 from REDACTED
[jdoe@pkcentos7 ~]

If I enter a string of 7 or more characters for the OATH password, the following happens:

login as: jdoe
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':

I've looked through various other articles returned by Google searches, but I don't clearly see which step or setting I'm missing.

Any help would be greatly appreciated. Thanks in advance, and let me know if you need any further information.

Paul

Change the pam module control from sufficient to [success=done new_authtok_reqd=done default=die]

My pam line looks like:

auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath

sshd_config:

PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam 
UsePAM yes
ChallengeResponseAuthentication yes

Thanks for the reply! Looking at your sshd_config file, I assume you're using public keys on your system as part of the 2FA. So I adjusted the above to work on my test system:

1) /etc/pam.d/sshd

auth [success=ok new_authtok_reqd=ok default=die]  pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6

2) /etc/ssh/sshd_config

PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive:pam

Here is the output of the SSH login process after this change, where I:

1) deliberately entered a wrong one-time password

2) entered the one-time password correctly but the account password wrong

3) entered both the one-time password and the account password correctly

login as: jdoe
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
 Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
 Password:
End of keyboard-interactive prompts from server
Last failed login: Thu Apr 16 10:55:39 EDT 2020 from REDACTED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Apr 16 10:54:59 2020 from REDACTED
[jdoe@pkcentos7 ~]$
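As an added illustration (not code from pam_oath, Linux-PAM, or any of the posters), the following Python script walks the `auth` stack of /etc/pam.d/sshd using the control-flag rules from pam.conf(5) and compares the three controls that appear in this thread: the question's `sufficient`, the answer's `[success=done new_authtok_reqd=done default=die]`, and the follow-up's `[success=ok new_authtok_reqd=ok default=die]`. Per-module outcomes are supplied by hand (pam_sepermit is assumed to succeed and postlogin is assumed to contribute nothing to the auth stack), and `substack`/`include` are simplified to a single required pseudo-module named after the included file.

```python
"""Walk a PAM `auth` stack the way Linux-PAM does, to show why the three
pam_oath control flags in this thread behave differently.

Added illustration; not code from pam_oath, Linux-PAM or any poster. Only the
return values "success", "auth_err" and "ignore" are modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SUCCESS = "success"   # PAM_SUCCESS
FAIL = "auth_err"     # PAM_AUTH_ERR: what a wrong OTP or wrong password yields
IGNORE = "ignore"     # PAM_IGNORE: module/file contributes nothing to the stack

# Shorthand control words expanded to their bracketed equivalents (per pam.conf(5)).
SHORTHAND: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


@dataclass
class Entry:
    control: Dict[str, str]   # return value -> action (ok, done, bad, die, ignore, N)
    module: str               # module file, or the included file for substack/include


def parse_control(token: str) -> Dict[str, str]:
    """'sufficient' or '[success=done default=die]' -> action table."""
    if token.startswith("[") and token.endswith("]"):
        return dict(kv.split("=", 1) for kv in token[1:-1].split())
    return SHORTHAND[token]


def parse_stack(text: str) -> List[Entry]:
    """Collect the `auth` lines of a pam.d file; comments and other types are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] != "auth":
            continue
        if parts[1] in ("substack", "include"):
            # Simplification: the included file is one required pseudo-module.
            entries.append(Entry(SHORTHAND["required"], parts[2]))
        elif parts[1].startswith("["):
            close = next(i for i, p in enumerate(parts) if p.endswith("]"))
            entries.append(Entry(parse_control(" ".join(parts[1:close + 1])), parts[close + 1]))
        else:
            entries.append(Entry(parse_control(parts[1]), parts[2]))
    return entries


def evaluate(stack: List[Entry], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (final result, modules actually consulted) for the given outcomes."""
    status = None      # result recorded so far; None means nothing has contributed yet
    failed = False     # once a bad/die is recorded, later ok/done cannot override it
    consulted: List[str] = []
    i = 0
    while i < len(stack):
        entry = stack[i]
        i += 1
        ret = outcomes.get(entry.module, FAIL)   # unknown module: treat as failing
        consulted.append(entry.module)
        action = entry.control.get(ret, entry.control.get("default", "bad"))
        if action.isdigit():                      # jump over the next N entries
            i += int(action)
        elif action == "ignore":
            continue
        elif action in ("ok", "done"):
            if not failed:
                status = ret
                failed = ret != SUCCESS
            if action == "done":                  # stop here with the current status
                break
        elif action in ("bad", "die"):
            if not failed:
                status = ret
            failed = True
            if action == "die":                   # stop here with the failure
                break
        else:
            raise ValueError(f"unknown action {action!r}")
    return (status if status is not None else FAIL), consulted


# The poster's first /etc/pam.d/sshd (the `sufficient` variant from the question).
ORIGINAL = """\
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
"""
# The answer's control ("done" on success) and the poster's final one ("ok" on success).
ANSWER_STYLE = ORIGINAL.replace("sufficient", "[success=done new_authtok_reqd=done default=die]")
OP_FINAL = ORIGINAL.replace("sufficient", "[success=ok new_authtok_reqd=ok default=die]")


def login(pam_text: str, otp_ok: bool, password_ok: bool) -> Tuple[str, List[str]]:
    """Simulate one keyboard-interactive login with the given OTP/password correctness."""
    outcomes = {
        "pam_oath.so": SUCCESS if otp_ok else FAIL,
        "pam_sepermit.so": SUCCESS,      # assumed: user is not SELinux-restricted
        "password-auth": SUCCESS if password_ok else FAIL,
        "postlogin": IGNORE,             # assumed: postlogin has no auth lines
    }
    return evaluate(parse_stack(pam_text), outcomes)


if __name__ == "__main__":
    for name, text in (("sufficient", ORIGINAL), ("done/die", ANSWER_STYLE), ("ok/die", OP_FINAL)):
        for otp_ok, pw_ok in ((False, True), (True, False), (True, True)):
            result, seen = login(text, otp_ok, pw_ok)
            print(f"{name:11} otp_ok={otp_ok!s:5} password_ok={pw_ok!s:5} -> {result:8} via {seen}")
```

Run as-is it prints a table of the nine combinations. With `sufficient`, a failed pam_oath is ignored and the stack falls through to password-auth, so a correct password alone succeeds (the behaviour reported in the question), while a correct OTP ends the stack before the password is ever consulted. The answer's `done`/`die` form makes a wrong OTP fatal but still stops at pam_oath on success, which is why that answer pairs it with `AuthenticationMethods publickey,keyboard-interactive:pam` so that sshd demands the key in addition. The `ok`/`die` form the poster settled on requires both the OTP and the password, matching the prompts in the last transcript. The simulation covers only the control-flag logic and says nothing about why pam_oath treats a string longer than 6 characters differently.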