Bypassing SSH 2-factor authentication on the same local network (macOS)
Because I need to use a few different applications, I need to be able to bypass the Google 2-factor authentication pam.d module when the SSH connection comes from the same network. There is very little information about this online; there are a few questions on the Stack network, but none of the solutions worked for me. I'm not sure whether that is because those solutions are Linux-specific or whether I'm just missing something. I'm using macOS in every case here.
I'm not very familiar with these settings. If I'm not on the same local network, I do want to require the password, the key and 2FA; if I am on the same local network, 2FA should be skipped.
Current setup:
SSH requires a valid key, a password and 2-factor auth.
File contents:
/etc/pam.d/sshd
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_google_authenticator.so nullok
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so
/etc/ssh/ssh_config
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication yes
#   HostbasedAuthentication no
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
Host *
    SendEnv LANG LC_*
/etc/ssh/sshd_config
#Protocol Version
Protocol 2
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 360
ClientAliveCountMax 0
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# pass locale information
AcceptEnv LANG LC_*
# no default banner path
Banner /etc/ssh/banner
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
Edit:
I tried several different combinations of the solutions given in the Stack post linked below, but I could not get any of them to work. I don't know whether something is missing from my configuration, whether it is related to my using macOS, or whether the order of the entries in my pam.d sshd file is wrong.
SSH - require google-authenticator only from outside the local network
https://serverfault.com/questions/799657/ssh-google-authenticator-ignore-whitelist-ips
I tried adding this to the sshd file in pam.d:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf
auth sufficient pam_google_authenticator.so
and added an access.conf file at /etc/security/access.conf:
+ : ALL : 10.0.1.0/24
+ : ALL : LOCAL
+ : ALL : 10.0.1.4
+ : ALL : 10.0.1.6
+ : ALL : 10.0.1.16
+ : ALL : 10.0.1.20
- : ALL : ALL
I use this on my Mac:
/etc/pam.d/sshd
# sshd: auth account password session
auth       binding        /usr/local/opt/google-authenticator-libpam/lib/security/pam_google_authenticator.so
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so
/etc/ssh/sshd_config
LogLevel VERBOSE
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey,keyboard-interactive:pam
ChallengeResponseAuthentication yes
UsePAM yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/libexec/sftp-server
Match Address fc00::/7,10.0.1.0/24
    PasswordAuthentication no
    AuthenticationMethods publickey
This way only connections from outside the local network have to supply 2FA; local connections are pubkey-only.
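As an added check (example code written for this page, not the answerer's code or part of OpenSSH), here is a small Python model of how sshd evaluates a Match Address block, run over a constructed copy of the answer's sshd_config, so you can see which AuthenticationMethods a given source address ends up with before relying on the rule. The sample config, the address-list semantics (including `!` negation) and the restriction to the Address criterion are assumptions of this model; the function names are made up here.

```python
import ipaddress

# Constructed sample modelled on the sshd_config in the answer above (not the
# answerer's file verbatim); only the keywords the Match logic touches are kept.
SAMPLE_SSHD_CONFIG = """
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
Match Address fc00::/7,10.0.1.0/24
    PasswordAuthentication no
    AuthenticationMethods publickey
"""

def address_matches(client_addr, pattern_list):
    """sshd 'Match Address' semantics: comma-separated CIDR/IP patterns, a
    leading '!' negates; a negated hit vetoes, otherwise any positive hit wins."""
    ip = ipaddress.ip_address(client_addr)
    matched = False
    for pat in pattern_list.split(","):
        net = ipaddress.ip_network(pat.lstrip("!"), strict=False)
        if ip.version == net.version and ip in net:
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def effective_options(config_text, client_addr, keywords):
    """Values sshd applies for `keywords` (lower-case) to a client from
    `client_addr`: the first global value wins, then the first matching Match
    block that sets a keyword overrides it. Only 'Match Address' is modelled;
    other Match criteria are treated as non-matching (simplifying assumption)."""
    result, overridden, in_block, block_matches = {}, set(), False, False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1) or [""]
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_block = True
            crit, _, pats = value.partition(" ")
            block_matches = crit.lower() == "address" and address_matches(client_addr, pats.strip())
            continue
        if key not in keywords:
            continue
        if not in_block:
            result.setdefault(key, value)       # global section: first value wins
        elif block_matches and key not in overridden:
            result[key] = value                 # first matching Match block wins
            overridden.add(key)
    return result

def auth_methods_for(client_addr, config_text=SAMPLE_SSHD_CONFIG):
    return effective_options(config_text, client_addr, {"authenticationmethods"})["authenticationmethods"]
```

On the real host, `sshd -T -C addr=10.0.1.6,user=<name>,host=<name>` prints the settings sshd would actually apply to that connection and is the authoritative check; if the LAN prefix is ever wider than intended (or reachable over a VPN), every address in it skips the second factor.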