I'm stuck getting two-factor authentication to work on CentOS 7; specifically, authentication via SSH with OTP.

If anyone can help me, I'd be very grateful. :)

Below is the log of an attempt to log in via SSH with the account "ws-admin@test.local":

sshd[3652]: pam_radius_auth: Got user name ws-admin@test.local
sshd[3652]: pam_radius_auth: ignore last_pass, force_prompt set
sshd[3652]: pam_radius_auth: Sending RADIUS request code 1
sshd[3652]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fa56490e1c0.
sshd[3652]: pam_radius_auth: Got RADIUS response code 11
sshd[3652]: pam_radius_auth: authentication failed
sshd[3652]: pam_sepermit(sshd:auth): Parsing config file: /etc/security/sepermit.conf
sshd[3652]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match
sshd[3652]: pam_sepermit(sshd:auth): sepermit_match returned: -1
sshd[3652]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 user=ws-admin@test.local
sshd[3652]: Failed password for ws-admin@test.local from 10.0.0.31 port 57962 ssh2
sshd[3652]: Connection closed by 10.0.0.31 [preauth]

Below follows the configuration and setup information.

The test environment is provided by my company's infrastructure; we mainly use Windows clients and an equal share of Windows and Linux servers.

Win-Server: Windows Server 2016 x64

  • Active Directory: Test.local

  • ESET Secure Authentication (RADIUS server)

  • Shared secret with the client: test345

  • The option "Use Access-Challenge feature of RADIUS" is enabled

Linux-Client/Server: CentOS 7 x64

  • Joined to the domain Test.local via realm

  • Local login with AD accounts and OTP 2FA works

  • Login works with any account only if "required" is not set in /etc/pam.d/sshd (which means no 2FA)


Configuration of the Linux client/server

  • RADIUS server and shared secret added to /etc/raddb/server

  • pam_radius_auth.so is in /usr/lib64/security/

  • auth required pam_radius_auth.so added to /etc/pam.d/sshd and /etc/pam.d/login


/etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
auth       sufficient   pam_radius_auth.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

/etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_radius_auth.so    debug
auth       required     pam_sepermit.so    debug
auth       substack     password-auth      debug
auth       include      postlogin     debug
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

/etc/raddb/server

# server[:port] shared_secret      timeout (s)
10.0.0.1        test345            5
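As an added example (not part of the question or of pam_radius_auth), a small Python triage script that parses the sshd log quoted above, decodes the RADIUS reply code per RFC 2865, and applies the PAM control-flag rule that a failing `required` module fails the whole auth stack regardless of what later modules return. The sample input is the question's own log lines, embedded as constructed test data; requires Python 3.8+.

```python
import re

# RFC 2865 packet type codes (section 4); 11 is Access-Challenge.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample: the relevant lines of the sshd log quoted in the question.
SAMPLE_LOG = """\
sshd[3652]: pam_radius_auth: Got user name ws-admin@test.local
sshd[3652]: pam_radius_auth: Sending RADIUS request code 1
sshd[3652]: pam_radius_auth: Got RADIUS response code 11
sshd[3652]: pam_radius_auth: authentication failed
sshd[3652]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 user=ws-admin@test.local
sshd[3652]: Failed password for ws-admin@test.local from 10.0.0.31 port 57962 ssh2
"""

RADIUS_RE = re.compile(r"pam_radius_auth: Got RADIUS response code (\d+)")
MODULE_RE = re.compile(r"(pam_\w+)(?:\([^)]*\))?: authentication (success|failed)")
VERDICT_RE = re.compile(r"(Failed password|Accepted \w+) for (\S+) from (\S+)")

def summarize(log_text):
    """Collect the RADIUS reply code, each PAM module's auth result and sshd's final verdict."""
    summary = {"radius_reply": None, "modules": {}, "verdict": None, "user": None, "rhost": None}
    for line in log_text.splitlines():
        if m := RADIUS_RE.search(line):
            code = int(m.group(1))
            summary["radius_reply"] = (code, RADIUS_CODES.get(code, "Unknown"))
        elif m := MODULE_RE.search(line):
            summary["modules"][m.group(1)] = m.group(2)
        elif m := VERDICT_RE.search(line):
            summary["verdict"], summary["user"], summary["rhost"] = m.groups()
    return summary

def explain(summary, radius_control="required"):
    """Explain the verdict using PAM control-flag semantics: a 'required' failure fails the stack."""
    notes = []
    reply = summary["radius_reply"]
    if reply and reply[0] == 11:
        notes.append("RADIUS server answered Access-Challenge (code 11), not Access-Accept; "
                     "pam_radius_auth logged the exchange as 'authentication failed'.")
    results = summary["modules"]
    passed = [mod for mod, res in results.items() if res == "success"]
    if results.get("pam_radius_auth") == "failed" and radius_control == "required":
        notes.append("pam_radius_auth is 'required', so its failure fails the whole auth stack "
                     "even though " + (", ".join(passed) or "no other module") + " succeeded.")
    return notes

if __name__ == "__main__":
    for note in explain(summarize(SAMPLE_LOG)):
        print("-", note)
```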