CentOS 7 通过 pam_oath 配置为 2FA SSH 访问 - 一次性密码允许任何字符串 6 个字符或更少
CentOS 7 configured for 2FA SSH access via pam_oath - allows any string 6 characters or less for one-time password
所以我一直在阅读如何为 SSH 配置 CentOS 7 机器进行双因素身份验证,使用 pam_oath 和 FreeOTP phone 应用程序,加上本地 usernames/password两个因素。我阅读了各种在线文章,似乎都遵循以下文章中列出的基本说明:
https://wiki.archlinux.org/index.php/Pam_oath
https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/
https://www.brianlane.com/post/setup-oath-ssh-login-on-fedora/
在我的主要 CentOS 机器上执行此操作之前,我启动了一个 VirtualBox VM 进行测试,并至少安装了 CentOS 7。我按照说明进行操作,系统提示我输入 "One-time password (OATH)" 凭据,但我注意到我可以输入 任何 字母数字字符串,该字符串不超过 6 个字符作为 OATH 密码,它将然后提示我输入本地 username/password。只要我正确输入本地密码,我就获得了 shell 访问权限。
以下是我在初始最小化 CentOS 7 安装(CentOS Linux 版本 7.7.1908(核心版))后遵循的步骤:
- 安装包
yum update && yum upgrade
yum install epel-release
yum install pam_oath oathtool gen-oath-safe
- 编辑 /etc/pam.d/sshd,并添加以下行作为第一个非注释行:
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
所以 /etc/pam.d/sshd 的前几行看起来像这样:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
之后:
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
- 为我的本地帐户生成密钥:
gen-oath-safe jdoe hotp
通过 QR 码将密钥添加到 phone 上的 FreeOTP 应用
将十六进制代码添加到/etc/liboath/users.oath:
HOTP jdoe - REDACTED
- 编辑 /etc/ssh/sshd_config 文件并确保以下设置到位:
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
- 在 /etc/liboath:
上设置 SELinux 权限
semanage fcontext -a -t systemd_passwd_var_run_t '/etc/liboath(/.*)?'
restorecon -rv /etc/liboath/
- 重新启动 SSH:
systemctl restart sshd
因此,当我通过 SSH 连接到此主机并输入任何不超过 6 个字符的字符串时,我可以使用本地密码登录:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
Password:
End of keyboard-interactive prompts from server
Last login: Sun Mar 22 18:03:08 2020 from REDACTED
[jdoe@pkcentos7 ~]
如果我为 OATH 密码输入 7 个或更多字符的字符串,则会发生以下情况:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
我浏览了 Google 搜索返回的各种其他文章,但我没有清楚地看到我缺少的步骤或设置。
如有任何帮助,我们将不胜感激。在此先感谢,如果需要任何其他信息,请告诉我。
保罗
将 pam 模块控制从 sufficient 更改为 [success=done new_authtok_reqd=done default=die]
我的 pam 行看起来像:
auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath
sshd_config:
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
ChallengeResponseAuthentication yes
感谢您的回复!通过查看您的 sshd_config 文件,我假设您在系统上使用 public 密钥作为 2FA 的一部分。所以我调整了上面的内容以在我的测试系统上工作:
1) /etc/pam.d/sshd
auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
2) /etc/sshd/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive:pam
这是此更改后 SSH 登录过程的输出,其中我:
1) 故意输入错误的一次性密码
2) 一次性输入正确,账号密码错误
3) 修改一次性密码,再修改账号密码
login as: jdoe
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Last failed login: Thu Apr 16 10:55:39 EDT 2020 from REDACTED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Apr 16 10:54:59 2020 from REDACTED
[jdoe@pkcentos7 ~]$
所以我一直在阅读如何为 SSH 配置 CentOS 7 机器进行双因素身份验证,使用 pam_oath 和 FreeOTP phone 应用程序,加上本地 usernames/password两个因素。我阅读了各种在线文章,似乎都遵循以下文章中列出的基本说明:
https://wiki.archlinux.org/index.php/Pam_oath
https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/
https://www.brianlane.com/post/setup-oath-ssh-login-on-fedora/
在我的主要 CentOS 机器上执行此操作之前,我启动了一个 VirtualBox VM 进行测试,并至少安装了 CentOS 7。我按照说明进行操作,系统提示我输入 "One-time password (OATH)" 凭据,但我注意到我可以输入 任何 字母数字字符串,该字符串不超过 6 个字符作为 OATH 密码,它将然后提示我输入本地 username/password。只要我正确输入本地密码,我就获得了 shell 访问权限。
以下是我在初始最小化 CentOS 7 安装(CentOS Linux 版本 7.7.1908(核心版))后遵循的步骤:
- 安装包
yum update && yum upgrade
yum install epel-release
yum install pam_oath oathtool gen-oath-safe
- 编辑 /etc/pam.d/sshd,并添加以下行作为第一个非注释行:
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
所以 /etc/pam.d/sshd 的前几行看起来像这样:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
之后:
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
- 为我的本地帐户生成密钥:
gen-oath-safe jdoe hotp
通过 QR 码将密钥添加到 phone 上的 FreeOTP 应用
将十六进制代码添加到/etc/liboath/users.oath:
HOTP jdoe - REDACTED
- 编辑 /etc/ssh/sshd_config 文件并确保以下设置到位:
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
- 在 /etc/liboath: 上设置 SELinux 权限
semanage fcontext -a -t systemd_passwd_var_run_t '/etc/liboath(/.*)?'
restorecon -rv /etc/liboath/
- 重新启动 SSH:
systemctl restart sshd
因此,当我通过 SSH 连接到此主机并输入任何不超过 6 个字符的字符串时,我可以使用本地密码登录:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
Password:
End of keyboard-interactive prompts from server
Last login: Sun Mar 22 18:03:08 2020 from REDACTED
[jdoe@pkcentos7 ~]
如果我为 OATH 密码输入 7 个或更多字符的字符串,则会发生以下情况:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
我浏览了 Google 搜索返回的各种其他文章,但我没有清楚地看到我缺少的步骤或设置。
如有任何帮助,我们将不胜感激。在此先感谢,如果需要任何其他信息,请告诉我。
保罗
将 pam 模块控制从 sufficient 更改为 [success=done new_authtok_reqd=done default=die]
我的 pam 行看起来像:
auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath
sshd_config:
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
ChallengeResponseAuthentication yes
感谢您的回复!通过查看您的 sshd_config 文件,我假设您在系统上使用 public 密钥作为 2FA 的一部分。所以我调整了上面的内容以在我的测试系统上工作:
1) /etc/pam.d/sshd
auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
2) /etc/sshd/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive:pam
这是此更改后 SSH 登录过程的输出,其中我:
1) 故意输入错误的一次性密码
2) 一次性输入正确,账号密码错误
3) 修改一次性密码,再修改账号密码
login as: jdoe
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Last failed login: Thu Apr 16 10:55:39 EDT 2020 from REDACTED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Apr 16 10:54:59 2020 from REDACTED
[jdoe@pkcentos7 ~]$