SSH two-factor authentication (2FA) with yubikey

ben*_*ier 13 ssh two-factor

So I have this nice little yubikey, and I'd like to add an extra layer of security when authenticating ssh sessions. On the server side I've disabled password authentication and only allow ssh keys for login.

The problem is that after configuring sshd and PAM for yubikey auth, sshd still only requires an ssh key, and I'm never asked for a response from the yubikey.

How do I require both the ssh key and the yubikey?

(ubuntu 14.04 - trusty)

/etc/pam.d/common-auth

auth    required    pam_yubico.so mode=client try_first_pass id=<id> key=<secret>
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional            pam_cap.so
# end of pam-auth-update config

/etc/ssh/sshd_config

...

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

ben*_*ier 5

OK, I stuck with it and I think I've come up with a reasonable solution. The main thing I was missing before was sshd's AuthenticationMethods publickey,password. This forces both the public key and the password to be supplied; the "password" is now handled by PAM -> auth-yubi. Some other changes are also needed, see below:

(Ubuntu 14.04 - trusty):

/etc/pam.d/yubi-auth

auth    required pam_yubico.so mode=client try_first_pass id=<id> key=<key>

Note: you can get your access id and key here

/etc/pam.d/sshd

# Standard Un*x authentication.
#@include common-auth

# Yubikey auth
@include yubi-auth

/etc/ssh/sshd_config

UsePAM yes
ChallengeResponseAuthentication no
AuthenticationMethods publickey,password
PasswordAuthentication yes

service ssh restart

Verification

SSH from a remote host without the public key

root@0a6442bcb21c:/# ssh ben@192.168.1.20
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established.
ECDSA key fingerprint is ea:2a:e3:98:35:72:66:b1:e0:65:6b:3f:60:8a:af:ab.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.20' (ECDSA) to the list of known hosts.
Permission denied (publickey).

SSH from a remote host with the public key

$ ssh ben@192.168.1.20
Authenticated with partial success.
ben@192.168.1.20's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64)

Improvements

It would be nice to see "Yubikey Auth:" rather than "password:" from the remote ssh server when authenticating.

What happens when the ssh server can't reach yubico's auth validation system? The ideal solution would be completely self-contained.

Comments and suggestions appreciated.
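The difference between the question's sshd_config and the answer's comes down to whether AuthenticationMethods chains publickey with a PAM-backed method. The following audit script is an added example (not part of the question or answer above) that reads an sshd_config the way sshd does (first occurrence of a keyword wins) and reports whether both factors are enforced; the sample configs it checks are constructed from the two files shown on this page.

```sh
#!/bin/sh
# Audit helper: does this sshd_config require a public key AND a PAM-backed
# second factor (the policy the answer reaches with publickey,password)?
# sshd honours the FIRST occurrence of a keyword, so we read the first match.

sshd_opt() {  # $1 = config file, $2 = keyword (case-insensitive); prints value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key  { print $2; exit }' "$1"
}

# Returns 0 when the config requires both factors, 1 (with a reason) otherwise.
check_2fa() {
    cfg="$1"
    pam=$(sshd_opt "$cfg" UsePAM)
    methods=$(sshd_opt "$cfg" AuthenticationMethods)
    pw=$(sshd_opt "$cfg" PasswordAuthentication)
    chal=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
    [ "$pam" = "yes" ] || { echo "FAIL: UsePAM must be yes for pam_yubico to run"; return 1; }
    case "$methods" in
        "")  echo "FAIL: AuthenticationMethods unset; a key alone logs in (the question's symptom)"
             return 1 ;;
        publickey,password)
             [ "$pw" = "yes" ] || { echo "FAIL: password method needs PasswordAuthentication yes"; return 1; } ;;
        publickey,keyboard-interactive*)
             [ "$chal" = "yes" ] || { echo "FAIL: keyboard-interactive needs ChallengeResponseAuthentication yes"; return 1; } ;;
        *)   echo "FAIL: AuthenticationMethods=$methods does not chain publickey with a PAM method"
             return 1 ;;
    esac
    echo "OK: public key plus PAM-backed second factor required"
}

# Constructed samples: the question's sshd_config (key only) and the answer's.
SAMPLE_BEFORE=$(mktemp); SAMPLE_AFTER=$(mktemp)
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"' EXIT
cat > "$SAMPLE_BEFORE" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat > "$SAMPLE_AFTER" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication no
AuthenticationMethods publickey,password
PasswordAuthentication yes
EOF

check_2fa "$SAMPLE_BEFORE" || true   # FAIL: AuthenticationMethods unset ...
check_2fa "$SAMPLE_AFTER"            # OK: public key plus PAM-backed second factor required
```

On a live server, run it against /etc/ssh/sshd_config (or the output of `sshd -T`, which already resolves first-match semantics and lowercases keywords); the script only inspects the first AuthenticationMethods list and does not verify the PAM stack itself.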