【MultiOTP】在Linux上使用MultiOTP进行SSH登录

KnightYangHJ2023-10-18 9:02

在前面的文章中【FreeRADIUS】使用FreeRADIUS进行SSH身份验证已经了解过如何通过Radius去来实现SSH和SUDO的登录,在接下来的文章中只是将密码从【LDAP PASSWORD + Googlt OTP】改成了【MultiOTP】生成的passcode,不在需要密码,只需要OTP去登录。这样再也不用担心密码忘记了。

拓扑图

前提条件:

  1. 一台提供RADIUS服务的MultiOTP服务器,如何配置可参考【MultiOTP】Docker安裝MultiOTP, 让Windows登入更安全(MFA)
  2. 一台客户端【Ubuntu 22.04】,sudo权限的用户
  3. 两台设备之间可以互通

实施:

0. 在MultiOTP服务器上修改clients.conf定义哪些设备被允许连接到RADIUS服务器

bash 复制代码 
root@multiotp-Virtual-Machine:/home/ud# cat  /multiotp/freeradius/config/3.0/clients.conf
# -*- text -*-
##
## clients.conf -- client configuration directives
##

... ...

client 0.0.0.0/0  { # multiotp my-first-network
secret = myfirstpass # multiotp my-first-network
shortname = my-first-network # multiotp my-first-network
} # multiotp my-first-network
# multiotp my-first-network END

1. 安装必要的软件包,以便客户端可以通过以下命令与FreeRADIUS进行交互

bash 复制代码 
apt-get install libpam-radius-auth freeradius-utils -y
root@ud-Virtual-Machine:/home/ud# apt-get install libpam-radius-auth freeradius-utils -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
freeradius-utils is already the newest version (3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1).
The following NEW packages will be installed:
  libpam-radius-auth
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 25.4 kB of archives.
After this operation, 84.0 kB of additional disk space will be used.
Get:1 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 libpam-radius-auth amd64 2.0.0-1 [25.4 kB]
Fetched 25.4 kB in 8s (3,342 B/s)
Selecting previously unselected package libpam-radius-auth.
(Reading database ... 182939 files and directories currently installed.)
Preparing to unpack .../libpam-radius-auth_2.0.0-1_amd64.deb ...
Unpacking libpam-radius-auth (2.0.0-1) ...
Setting up libpam-radius-auth (2.0.0-1) ...

2. 修改配置文件

i. 编辑/etc/pam_radius_auth.conf文件,并注释掉默认的4行。然后添加一行,指定RADIUS服务器的IP地址和共享密钥。

bash 复制代码 
root@ud-Virtual-Machine:/home/ud# cat /etc/pam_radius_auth.conf
#  pam_radius_auth configuration file.  Copy to: /etc/raddb/server
#
......
#  Note: specifying a source_ip field is mandatory due to config parsing,
#  but if not needed it can be just set to 0.
#
# server[:port]             shared_secret      timeout (s)  source_ip            vrf
#127.0.0.1                   secret             3
#other-server                other-secret       5            192.168.1.10         vrf-blue
#[2001:0db8:85a3::4]:1812    other6-secret      3            [2001:0db8:85a3::3]  vrf-red
#other-other-server          other-other-secret 5            0                    vrf-blue
10.2.112.4:1812              myfirstpass         30
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.

ii. 编辑/etc/ssh/sshd_config文件,启用ssh服务中的PAM认证。

bash 复制代码 
root@ud-Virtual-Machine:/home/ud# cat /etc/ssh/sshd_config

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
......
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
ChallengeResponseAuthentication yes
#PermitEmptyPasswords no
......
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
......

iii. 编辑/etc/pam.d/sshd文件,启用带有Radius的PAM模块。

bash 复制代码 
root@ud-Virtual-Machine:/home/ud# cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

#Radius authentication
auth sufficient pam_radius_auth.so
......
root@ud-Virtual-Machine:/home/ud#

3. 重启SSHD服务

bash 复制代码 
service ssh restart

4. 添加本地账户

bash 复制代码 
root@ud-Virtual-Machine:/home/ud# adduser knightyang --disabled-password --quiet --gecos ""

sudo同时也需要使用MultiOTP认证的话需要修改以下:

1. 编辑/etc/pam.d/sudo文件,启用带有Radius的PAM模块

bash 复制代码 
root@ud-Virtual-Machine:/home/ud# cat /etc/pam.d/sudo
#%PAM-1.0

auth sufficient pam_radius_auth.so

# Set up user limits from /etc/security/limits.conf.
session    required   pam_limits.so

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

@include common-auth
@include common-account
@include common-session-noninteractive
root@ud-Virtual-Machine:/home/ud#

2. 给用户添加sudo权限

bash 复制代码 
root@ud-Virtual-Machine:sudo usermod -aG sudo knightyang
相关推荐
吴声子夜歌1 小时前
TypeScript——基础类型(三)
java·linux·typescript
DA02212 小时前
系统移植-STM32MP1启动详解(BootROM)
linux·bsp·系统移植
春日见2 小时前
自驾算法的日常工作?如何提升模型性能?
linux·人工智能·机器学习·计算机视觉·自动驾驶
李彦亮老师(本人)2 小时前
【Linux系统】Rocky Linux 9.7操作系统简介
linux·运维·服务器·docker·kubernetes
minji...2 小时前
Linux 进程信号(二)信号的保存,sigset_t,sigprocmask,sigpending
linux·运维·服务器·网络·数据结构·c++·算法
A.A呐3 小时前
【Linux第二十章】socket
linux
何中应3 小时前
Grafana如何重置密码
linux·运维·服务器·grafana
charlie1145141914 小时前
2026年正点原子开发板移植方案——从0开始的Rootfs之路(3)inittab 与 init 系统:Linux 启动的“第一号进程“全解析
linux·驱动开发·学习·嵌入式开发·嵌入式linux
xlp666hub4 小时前
深度剖析 Linux Input 子系统(3):从零写一个 Input 驱动,最详细手把手(附完整代码)
linux·面试
贺小涛4 小时前
jenkins
运维·jenkins
热门推荐
012026年3月AI领域大事件:DeepSeek引领开源风暴02GitHub 镜像站点03围棋-html版本04纯 HTML/CSS/JS 实现的高颜值登录页,还会眨眼睛!少女心爆棚!05班级宠物园部署指南06“wsl --install -d Ubuntu-22.04”下载慢,中国地区离线安装 Ubuntu 22.04 WSL方法(亲测2025年5月6日)07小黑课堂计算机二级WPSoffice题库软件下载安装教程(2026年3月最新版)08UV安装并设置国内源09OpenClaw 使用和管理 MCP 完全指南10中国象棋-html版本