PAM (Pluggable Authentication Modules) is a dynamic authentication framework that raises a system's security margin by letting several authentication checks be stacked. Google Authenticator is a two-step verification app based on TOTP and HOTP: the mobile Google Authenticator app generates a token that is valid for 30 seconds. This post records how to use it to set up two-step verification for GNU/Linux desktop logins and remote SSH connections.

Introduction

Google's official introduction to 2-Step Verification is at

https://www.google.com/landing/2step/

Installation instructions are at

https://support.google.com/accounts/topic/7189195?hl=en

The source of the Google Authenticator PAM module, google-authenticator-libpam, is hosted on GitHub:

https://github.com/google/google-authenticator-libpam

Preparation

The steps in this post require:

  • a host running a GNU/Linux system;
  • working access to Google (it may not be reachable from mainland China);
  • a mobile device on which to install the Google Authenticator app; see Install Google Authenticator for the supported devices;
  • the Google Authenticator source package from the GitHub address above, which is compiled and installed from source.

Conventions

The steps are carried out separately on CentOS 7.3, Debian Jessie and openSUSE Leap, with system time kept in sync via chrony.

OS                                     Kernel                       SSH
CentOS Linux release 7.3.1611 (Core)   3.10.0-514.2.2.el7.x86_64    OpenSSH_6.6.1p1
Debian GNU/Linux 8 (jessie)            3.16.0-4-amd64               OpenSSH_6.7p1
openSUSE Leap 42.2                     4.4.74-18.20-default         OpenSSH_7.2p2

Run the following commands to install the SSH client and server:

# CentOS 7
sudo yum install -y -q openssh-server openssh-clients

# Debian Jessie
sudo apt-get update
sudo apt-get install -yq openssh-client openssh-server openssh-sftp-server

# OpenSUSE
sudo zypper in -yl openssh

The source code is downloaded to /tmp.
The build is installed under /opt/googleAuthenticator.

Install the packages needed to build:

#CentOS 7.3
sudo yum install -y gcc make autoconf automake libtool pam-devel

#Debian Jessie
sudo apt-get install -y gcc make autoconf automake libtool libpam0g-dev libqrencode3

#OpenSUSE
sudo zypper in -yl gcc make autoconf automake libtool pam-devel

Downloading Source Code

This post fetches the code with git from

https://github.com/google/google-authenticator-libpam.git

Run the following commands to download the code:

cd /tmp
git clone https://github.com/google/google-authenticator-libpam.git

After the download finishes, the code sits in /tmp/google-authenticator-libpam.

Note: if you prefer not to use git, click Clone or download –> Download ZIP on the project page to get an archive. For how to install git, see my post "Compile Install And Configure Git On CentOS7".

Compiling & Installing

The installation directory is /opt/googleAuthenticator.

Run the following commands to compile and install:

#create the installation directory
[[ -d '/opt/googleAuthenticator' ]] && sudo rm -rf /opt/googleAuthenticator
sudo mkdir -pv /opt/googleAuthenticator

#change into the libpam directory
cd /tmp/google-authenticator-libpam

#run the bootstrap script
./bootstrap.sh

#configure the installation prefix
./configure --prefix=/opt/googleAuthenticator

#build with 4 parallel jobs
make -j 4

#install
sudo make install

If you don’t have access to “sudo”, you have to manually become “root” prior to calling “make install”. – https://github.com/google/google-authenticator-libpam

When the installation finishes, the following output appears:

Libraries have been installed in:
/opt/googleAuthenticator/lib/security

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[1]: Leaving directory `/root/google-authenticator-libpam'

The library path /opt/googleAuthenticator/lib/security may instead appear as /opt/googleAuthenticator/lib64/security.

The PAM module pam_google_authenticator.so needed in the configuration below is stored in

/opt/googleAuthenticator/lib/security
# or
/opt/googleAuthenticator/lib64/security

The directory /opt/googleAuthenticator contains three subdirectories: bin, lib (or lib64) and share.

Next, set up the PATH and the library path for the google-authenticator executable by running:

lib_dir=${lib_dir:-'/opt/googleAuthenticator/lib'}
[[ -d '/opt/googleAuthenticator/lib64' ]] && lib_dir='/opt/googleAuthenticator/lib64'
bin_dir=${bin_dir:-'/opt/googleAuthenticator/bin'}

#register the library directory with the dynamic linker
sudo bash -c 'echo '"${lib_dir}"' > /etc/ld.so.conf.d/googleAuthenticator.conf'
#regenerate the linker cache (on Debian the path is /sbin/ldconfig)
sudo ldconfig -v

#add the executable's directory to PATH
sudo bash -c 'echo "export PATH=\$PATH:'"${bin_dir}"'" > /etc/profile.d/googleAuthenticator.sh'
source /etc/profile.d/googleAuthenticator.sh

Running & Configuring Google Authenticator

Run the command

google-authenticator

The interactive session goes as follows:

#whether to use time-based authentication tokens
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:

#the URL of the generated QR code
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/flying@centos%3Fsecret%3DQYCY5YLGZJLCXWIUSPJQGVSQSU%26issuer%3Dcentos

#a QR code is printed here; scan it with `Scan a barcode` in the mobile Google Authenticator app

#the secret key, used with `Enter provided key` in the mobile Google Authenticator app
Your new secret key is: QYCY5YLGZJLCXWIUSPJQGVSQSU

#the verification code
Your verification code is 795124

#5 emergency scratch codes, mainly for regaining access if the phone is lost
Your emergency scratch codes are:
64621153
42898735
96729389
90142620
66573383

#whether to update ~/.google_authenticator; the file does not exist by default
Do you want me to update your "/home/flying/.google_authenticator" file? (y/n) y

#whether to disallow multiple uses of the same authentication token
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

#time-based login: each token is valid for 30 seconds by default, which is enough to absorb the time skew between client and server
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

#limit the number of login attempts per unit of time to resist brute force; by default no more than 3 every 30 seconds
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

The file ~/.google_authenticator now contains:

QYCY5YLGZJLCXWIUSPJQGVSQSU
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
64621153
42898735
96729389
90142620
66573383
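As an added example (not part of the original post or of google-authenticator-libpam), the following Python script parses a file in the ~/.google_authenticator layout shown above and checks codes the way the options describe: a TOTP window of WINDOW_SIZE steps, DISALLOW_REUSE, and single-use scratch codes. The secret and scratch codes in the sample are constructed; the real module additionally enforces RATE_LIMIT and persists its state back to the file, which this script does not model.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the ~/.google_authenticator layout (secret and scratch codes are made up).
SAMPLE_FILE = """QYCY5YLGZJLCXWIUSPJQGVSQSU
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
64621153
42898735
"""

STEP = 30  # seconds per TOTP time step, as the google-authenticator prompt states


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter being the current 30-second time step."""
    return hotp(key, unix_time // STEP)


class AuthFile:
    """Parsed ~/.google_authenticator: base32 secret, '" OPTION' lines, then scratch codes."""

    def __init__(self, text: str):
        lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
        secret = lines[0]
        self.key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # file omits base32 padding
        self.window = 3          # module default: previous, current and next code
        self.disallow_reuse = False
        self.scratch = []
        self.used_steps = set()  # time steps already accepted (kept in memory here only)
        for ln in lines[1:]:
            if ln.startswith('"'):
                opt = ln[1:].split()
                if opt[0] == "WINDOW_SIZE":
                    self.window = int(opt[1])
                elif opt[0] == "DISALLOW_REUSE":
                    self.disallow_reuse = True
            elif ln.isdigit():
                self.scratch.append(ln)  # 8-digit emergency codes

    def verify(self, code: str, unix_time: int) -> bool:
        """Accept a scratch code once, or a TOTP code within +/- window//2 steps of now."""
        if code in self.scratch:
            self.scratch.remove(code)  # scratch codes are single use
            return True
        if len(code) != 6 or not code.isdigit():
            return False
        now_step = unix_time // STEP
        half = self.window // 2  # WINDOW_SIZE 17 -> 8 steps before and 8 after
        for step in range(now_step - half, now_step + half + 1):
            if hmac.compare_digest(hotp(self.key, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False  # the same token presented a second time
                self.used_steps.add(step)
                return True
        return False
```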

Installing & Configuring Google Authenticator APP

My phone runs Android; following the Android devices section of Install Google Authenticator, search for and install the Google Authenticator app from Google Play.

Once installed, open the app and tap the red circle with a plus sign at the bottom right. There are two ways to add an account:

  • Scan a barcode: scan the QR code generated in the previous step
  • Enter provided key
    • Enter account name: any name you like
    • Enter your key: the secret key generated in the previous step
    • Time based is the default; the other option is Counter based

The authentication token refreshes every 30 s by default.

Configuring PAM

Google's official instructions say to add auth required pam_google_authenticator.so to the PAM configuration file ("PAM Module Instructions").

For background on PAM, see

Important: the following steps are essential; be sure to carry them out.

CentOS 7

On CentOS 7 the PAM configuration files are:

path              description                format
/lib64/security/  module directory
/etc/pam.conf     general configuration      application type control module-path module-arguments
/etc/pam.d/       per-service configuration  type control module-path module-arguments

Explanation of auth required pam_google_authenticator.so:

  • auth: one of the types {auth|account|password|session}; covers account authentication and authorisation
  • required: one of the controls {required|requisite|sufficient|optional|include}; the check must pass, otherwise the result is failure, but whether it passes or fails, the remaining modules of the same type are still run.
  • pam_google_authenticator.so: (important) this path is relative to /lib64/security/, while the module currently sits at /opt/googleAuthenticator/lib/security/pam_google_authenticator.so. To use the relative path, create a symbolic link to it in /lib64/security/; alternatively, use the absolute path.

Here the module is loaded through a symbolic link; run:

sudo ln -fs /opt/googleAuthenticator/lib/security/pam_google_authenticator.so /lib64/security/

Debian Jessie

On Debian Jessie the PAM configuration files are:

path                             description                format
/lib/x86_64-linux-gnu/security/  module directory
/etc/pam.conf                    general configuration      application type control module-path module-arguments
/etc/pam.d/                      per-service configuration  type control module-path module-arguments

Explanation of auth required pam_google_authenticator.so:

  • auth: one of the types {auth|account|password|session}; covers account authentication and authorisation
  • required: one of the controls {required|requisite|sufficient|optional|include}; the check must pass, otherwise the result is failure, but whether it passes or fails, the remaining modules of the same type are still run.
  • pam_google_authenticator.so: (important) this path is relative to /lib/x86_64-linux-gnu/security/, while the module currently sits at /opt/googleAuthenticator/lib/security/pam_google_authenticator.so. To use the relative path, create a symbolic link to it in /lib/x86_64-linux-gnu/security/; alternatively, use the absolute path.

Here the module is loaded through a symbolic link; run:

sudo ln -fs /opt/googleAuthenticator/lib/security/pam_google_authenticator.so /lib/x86_64-linux-gnu/security/

OpenSUSE Leap

On OpenSUSE Leap the PAM configuration files are:

path              description                format
/lib64/security/  module directory
/etc/pam.d/       per-service configuration  type control module-path module-arguments

Explanation of auth required pam_google_authenticator.so:

  • auth: one of the types {auth|account|password|session}; covers account authentication and authorisation
  • required: one of the controls {required|requisite|sufficient|optional|include}; the check must pass, otherwise the result is failure, but whether it passes or fails, the remaining modules of the same type are still run.
  • pam_google_authenticator.so: (important) this path is relative to /lib64/security/, while the module currently sits at /opt/googleAuthenticator/lib64/security/pam_google_authenticator.so. To use the relative path, create a symbolic link to it in /lib64/security/; alternatively, use the absolute path.

Here the module is loaded through a symbolic link; run:

sudo ln -fs /opt/googleAuthenticator/lib64/security/pam_google_authenticator.so /lib64/security/
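To make the control semantics explained above concrete, here is an added Python model (not part of the original post or of Linux-PAM) that evaluates an auth stack under simplified pam.d(5) rules and runs it over the CentOS 7 /etc/pam.d/sshd stacks used later in this post. It goes beyond the post's `required` line to the other controls in the list, so the effect of a wrong verification code under each can be compared; module names and the pass/fail results fed in are constructed.

```python
from typing import Dict, List, Tuple

# Controls that let the stack continue after a failure but remember it; 'include' and
# 'substack' are modelled as one module whose verdict is remembered the same way.
CONTINUE_ON_FAIL = {"required", "include", "substack"}


def run_auth_stack(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate an 'auth' stack of (control, module) lines.

    results maps module name -> True (PAM_SUCCESS) / False (failure); modules missing
    from the dict are assumed to succeed. Returns (verdict, modules actually consulted).
    Simplified pam.d(5) semantics:
      required   failure is remembered, later modules still run
      requisite  failure returns immediately
      sufficient success returns immediately unless an earlier required failed; failure is ignored
      optional   result ignored
    """
    consulted: List[str] = []
    failed = False
    for control, module in stack:
        ok = results.get(module, True)
        consulted.append(module)
        if control in CONTINUE_ON_FAIL and not ok:
            failed = True
        elif control == "requisite" and not ok:
            return False, consulted
        elif control == "sufficient" and ok and not failed:
            return True, consulted
    return not failed, consulted


# The CentOS 7 /etc/pam.d/sshd stacks from this post, reduced to their 'auth' lines.
SSHD_KEY_LOGIN = [  # password-auth commented out: key (checked by sshd itself) + token
    ("required", "pam_sepermit.so"),
    ("required", "pam_google_authenticator.so"),
    ("include", "postlogin"),
]
SSHD_PASSWORD_LOGIN = [  # password-auth kept: password + token
    ("required", "pam_sepermit.so"),
    ("substack", "password-auth"),
    ("required", "pam_google_authenticator.so"),
    ("include", "postlogin"),
]


def bad_token_outcome(stack: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Outcome when the user enters a wrong verification code and everything else passes."""
    return run_auth_stack(stack, {"pam_google_authenticator.so": False})


if __name__ == "__main__":
    for name, stack in (("key", SSHD_KEY_LOGIN), ("password", SSHD_PASSWORD_LOGIN)):
        verdict, consulted = bad_token_outcome(stack)
        print(f"{name} login, wrong token: verdict={verdict}, consulted={consulted}")
```

With `required`, a wrong token still lets pam_sepermit.so and postlogin run but the final verdict is failure; swapping the line to `requisite` would stop the stack at the module instead.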

GNU/Linux Desktop Authentication

For desktop logins through a desktop such as GNOME, the configuration goes in the file

/etc/pam.d/gdm-password

as shown below.

CentOS 7

On CentOS 7 the file looks like this:

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
#this line is the added rule
auth required pam_google_authenticator.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin

Debian Jessie

On Debian Jessie the file looks like this:

#%PAM-1.0
#this line is the added rule
auth required pam_google_authenticator.so
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account

OpenSUSE

#%PAM-1.0
# GDM PAM standard configuration (with passwords)
auth required pam_google_authenticator.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

After saving the changes, log out and log back in: you are prompted for a Verification code, which you read from the current token in the Google Authenticator app. Once the token is accepted, the usual username and password prompts follow. If the token is rejected, an error is shown and login fails.

SSH Authentication

ssh is the OpenSSH client and sshd is the server; together they are commonly used to connect to remote hosts.

The configuration files are:

type    name  configuration file
Server  sshd  /etc/ssh/sshd_config
Client  ssh   /etc/ssh/ssh_config

sshd also has a PAM configuration file, at /etc/pam.d/sshd.

Configuring Google Authenticator for SSH involves the following files:

  • /etc/pam.d/sshd
  • /etc/ssh/sshd_config

Note: SSH is assumed here to use key-based authentication by default; for how to generate a key with ssh-keygen, see my blog post SSH Configurations And Usages.

After the changes, restart the sshd service for them to take effect:

sudo systemctl restart sshd
# sudo systemctl restart sshd.service

The cases are discussed separately below.

CentOS7 With SSH Key

SSH connections previously used a key.

  • /etc/pam.d/sshd

#%PAM-1.0
auth required pam_sepermit.so
#auth substack password-auth
auth required pam_google_authenticator.so
auth include postlogin

Comment out the line auth substack password-auth with # and add a new line after it:

auth required pam_google_authenticator.so

Because login is by key, commenting out password-auth skips the password step.

  • /etc/ssh/sshd_config

UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

Important: because login is by key, you must add the AuthenticationMethods directive; otherwise the configuration has no effect and the key alone still logs you in.

The commands:

#UsePAM
sudo sed -i '/^UsePAM /d;' /etc/ssh/sshd_config
sudo bash -c 'echo "UsePAM yes" >> /etc/ssh/sshd_config'

#AuthenticationMethods
sudo sed -i '/^AuthenticationMethods /d' /etc/ssh/sshd_config
sudo bash -c 'echo "AuthenticationMethods publickey,password publickey,keyboard-interactive" >> /etc/ssh/sshd_config'

#ChallengeResponseAuthentication (set the directive to yes, uncommenting it if needed)
sudo sed -i -r 's@^#?(ChallengeResponseAuthentication) .*@\1 yes@' /etc/ssh/sshd_config

After that, restart the sshd service:

sudo systemctl restart sshd

Demonstration (user and host names in the prompts are placeholders):

user@client:~$ ssh -C -c blowfish user@192.168.0.140
Authenticated with partial success.
Verification code:
Last login: Thu Jan 12 18:34:41 2017 from 192.168.0.179
[user@server ~]$ cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[user@server ~]$ exit
logout
Connection to 192.168.0.140 closed.
user@client:~$

CentOS7 With Password

SSH connections previously used a password (ssh-copy-id was never run).

  • /etc/pam.d/sshd

#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth required pam_google_authenticator.so
auth include postlogin

Add a new line after auth substack password-auth:

auth required pam_google_authenticator.so

Important: since the remote connection uses a password, make sure the line auth substack password-auth is not commented out; otherwise the Google Authenticator token alone is enough to log in, which is not recommended.

  • /etc/ssh/sshd_config
    Make sure the following are set to yes:
    UsePAM yes
    ChallengeResponseAuthentication yes

The commands:

#UsePAM
sudo sed -i '/^UsePAM /d;' /etc/ssh/sshd_config
sudo bash -c 'echo "UsePAM yes" >> /etc/ssh/sshd_config'

#ChallengeResponseAuthentication (set the directive to yes, uncommenting it if needed)
sudo sed -i -r 's@^#?(ChallengeResponseAuthentication) .*@\1 yes@' /etc/ssh/sshd_config

After that, restart the sshd service:

sudo systemctl restart sshd

Demonstration (user and host names in the prompts are placeholders):

user@client:~$ ssh -C -c blowfish user@192.168.0.140
Password:
Verification code:
Last login: Thu Jan 12 18:38:01 2017 from 192.168.0.179
[user@server ~]$ cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[user@server ~]$ cat .ssh/authorized_keys |wc -l
0
[user@server ~]$ exit
logout
Connection to 192.168.0.140 closed.
user@client:~$

Debian With SSH Key

SSH connections previously used a key.

  • /etc/pam.d/sshd

The default file ends with

# Standard Un*x password updating.
@include common-password

Steps required:

  1. Append auth required pam_google_authenticator.so at the end of the file
  2. Comment out the line @include common-auth

The final content is

# Standard Un*x authentication.
#@include common-auth

# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so

  • /etc/ssh/sshd_config

Make sure the following directives are set:

UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

Important: because login is by key, you must add the AuthenticationMethods directive; otherwise the configuration has no effect and the key alone still logs you in.

The commands:

#UsePAM
sudo sed -i '/^UsePAM /d;' /etc/ssh/sshd_config
sudo bash -c 'echo "UsePAM yes" >> /etc/ssh/sshd_config'

#AuthenticationMethods
sudo sed -i '/^AuthenticationMethods /d' /etc/ssh/sshd_config
sudo bash -c 'echo "AuthenticationMethods publickey,password publickey,keyboard-interactive" >> /etc/ssh/sshd_config'

#ChallengeResponseAuthentication (set the directive to yes, uncommenting it if needed)
sudo sed -i -r 's@^#?(ChallengeResponseAuthentication) .*@\1 yes@' /etc/ssh/sshd_config

After that, restart the sshd service:

sudo systemctl restart sshd

Demonstration (user and host names in the prompts are placeholders):

[user@client ~]$ cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[user@client ~]$ ssh -C -c aes256-ctr user@192.168.0.179
Authenticated with partial success.
Verification code:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Fri Jan 13 10:07:01 2017 from 192.168.0.140
user@server:~$ sed -n -r 's@^PRETTY_NAME="(.*)"@\1@p' /etc/os-release
Debian GNU/Linux 8 (jessie)
user@server:~$ cat .ssh/authorized_keys | wc -l
1
user@server:~$ exit
logout
Connection to 192.168.0.179 closed.
[user@client ~]$

Debian With Password

SSH connections previously used a password (ssh-copy-id was never run).

  • /etc/pam.d/sshd

The default file ends with

# Standard Un*x password updating.
@include common-password

Append auth required pam_google_authenticator.so at the end of the file.

Note: do not comment out the lines @include common-auth or @include common-password; commenting out @include common-auth would let the Google Authenticator token alone log you in, which is not recommended.

The final content is

# Standard Un*x authentication.
@include common-auth

# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so

  • /etc/ssh/sshd_config
    Make sure the following directives are set:
    UsePAM yes
    ChallengeResponseAuthentication yes

Note: do not set the AuthenticationMethods directive, otherwise the connection fails with

Permission denied (publickey).

Demonstration (user and host names in the prompts are placeholders):

[user@client ~]$ cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[user@client ~]$ ssh -C -c aes256-ctr user@192.168.0.179
Password:
Verification code:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Fri Jan 13 10:29:11 2017 from 192.168.0.140
user@server:~$ sed -n -r 's@^PRETTY_NAME="(.*)"@\1@p' /etc/os-release
Debian GNU/Linux 8 (jessie)
user@server:~$ cat .ssh/authorized_keys | wc -l
0
user@server:~$ exit
logout
Connection to 192.168.0.179 closed.
[user@client ~]$

OpenSUSE With SSH Key

SSH connections previously used a key.

  • /etc/pam.d/sshd

The default file content is

#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed

Steps required:

  1. Add auth required pam_google_authenticator.so nullok at the top of the file
  2. Comment out the line auth include common-auth

The final content is

#%PAM-1.0
auth required pam_google_authenticator.so nullok
auth requisite pam_nologin.so
#auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed

  • /etc/ssh/sshd_config

Make sure the following directives are set:

UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

Important: because login is by key, you must add the AuthenticationMethods directive; otherwise the configuration has no effect and the key alone still logs you in.

OpenSUSE With Password

SSH connections previously used a password (ssh-copy-id was never run).

  • /etc/pam.d/sshd

The default file content is

#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed

Add auth required pam_google_authenticator.so at the top of the file.

Note: do not comment out the common-auth or common-password lines; commenting out common-auth would let the Google Authenticator token alone log you in, which is not recommended.

The final content is

#%PAM-1.0
auth required pam_google_authenticator.so nullok
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed

  • /etc/ssh/sshd_config
    Make sure the following directives are set:
    UsePAM yes
    ChallengeResponseAuthentication yes

Note: do not set the AuthenticationMethods directive, otherwise the connection fails with

Permission denied (publickey).

Errors Encountered

Errors that appeared during compilation and installation:

#./bootstrap.sh: autoconf must be installed
./bootstrap.sh: line 15: exec: autoreconf: not found


#./bootstrap.sh: automake must be installed (see http://ask.xmodulo.com/fix-failed-to-run-aclocal.html)
Can't exec "aclocal": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 326.
autoreconf: failed to run aclocal: No such file or directory


#./bootstrap.sh: libtool must be installed
configure.ac:8: installing 'build/install-sh'
configure.ac:8: installing 'build/missing'
Makefile.am:33: error: Libtool library used but 'LIBTOOL' is undefined
Makefile.am:33: The usual way to define 'LIBTOOL' is to add 'LT_INIT'
Makefile.am:33: to 'configure.ac' and run 'aclocal' and 'autoconf' again.
Makefile.am:33: If 'LT_INIT' is in 'configure.ac', make sure
Makefile.am:33: its definition is in aclocal's search path.
Makefile.am: installing 'build/depcomp'
parallel-tests: installing 'build/test-driver'
autoreconf: automake failed with exit status: 1


#./configure: pam-devel must be installed
configure: error: Unable to find the PAM library or the PAM header files

Change Logs

  • 2016.01.15 21:00 Mon Asia/Beijing
    • First draft completed
  • 2017.01.12 18:41 Thu Asia/Shanghai
    • Content restructured; added concrete configuration for each scenario
  • 2017.01.13 10:41 Fri Asia/Shanghai
    • Added SSH authentication configuration for Debian
  • 2017.07.17 16:45 Mon Asia/Shanghai
    • Added authentication configuration for OpenSUSE Leap