TL;DR: I ran google-authenticator while logged in as the root user. I should have run it as my normal user account.
I've just installed Debian 12 on a spare Apple Mac Mini. I want to control it over SSH from my iMac. I want to use SSH keys with a long passphrase, and I also want to use Google Authenticator for multi-factor authentication.
On the iMac I created SSH keys with ssh-keygen -t rsa and specified a long passphrase. Then I used ssh-copy-id [email protected] to copy the public key to the remote Debian server.
I wanted to disable password-only login, so I added the following two lines to the end of /etc/ssh/sshd_config:
Match User david
PasswordAuthentication no
Then I ran systemctl restart sshd and logged out of the remote machine. I tried to log in again and was asked for the passphrase, but not the password. So far so good.
Next I followed these two guides to set up Google Authenticator: Guide 1 Guide 2
(I was logged in as root, so I didn't need to prefix everything with sudo...)
Specifically:
apt install -y libpam-google-authenticator
google-authenticator
(answered yes to all four questions asked by Google Authenticator setup)
nano /etc/ssh/sshd_config
->Set UsePAM yes
->Added a line at the end of the file "ChallengeResponseAuthentication yes"
->Added another line at the end of the file "AuthenticationMethods publickey,keyboard-interactive"
->Saved and closed /etc/ssh/sshd_config
nano /etc/pam.d/sshd
->Commented out the line "@include common-auth"
->Added a line at the end of the file "auth required pam_google_authenticator.so"
->Saved and closed /etc/pam.d/sshd
systemctl restart ssh
I tried to log in from a different terminal window on my iMac, but got the following error:
Received disconnect from 192.168.4.7 port 22:2: no authentication methods enabled
Disconnected from 192.168.4.7 port 22
I was able to revert my changes to the two files and reconnect using just the passphrase. However, I can't get it to ask for my passphrase and the Google Authenticator code.
What am I doing wrong, please?
I found a similar question, but the only answer doesn't give enough detail:
"Then make sure PAM authentication is required by your configuration (the PAM password-authentication part will be skipped if the public key authentication method succeeds). You can do this by setting the appropriate AuthenticationMethods in sshd_config."
Unfortunately, they don't explain how to set "the appropriate AuthenticationMethods in sshd_config", so that isn't much help to me...
Thanks in advance.
Full contents of /etc/ssh/sshd_config:
Include /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
ChallengeResponseAuthentication yes
Match User david
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
(plus a bunch of other lines I've omitted because they are commented out).
Full contents of /etc/pam.d/sshd:
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
auth required pam_google_authenticator.so
(plus a bunch of other lines I've omitted because they are commented out)
Update after being prompted by Zoredache in the comments to check the logs...
Full output of ssh -vvv [email protected] run on the iMac while trying to connect to the Mac Mini:
$ ssh -vvv [email protected]
OpenSSH_9.6p1, LibreSSL 3.3.6
[omitting a very long log file with no useful information as this website has a character limit and I would exceed it if I kept this here]
debug3: kex_input_ext_info: extension [email protected]
debug1: kex_ext_info_check_ver: [email protected]=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 1
Received disconnect from 192.168.4.7 port 22:2: no authentication methods enabled
Disconnected from 192.168.4.7 port 22
...nothing very useful there. Checking the logs on the Mac Mini:
$ journalctl --since "1 hour ago"
Jul 09 06:50:05 docker1 sshd[10682]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive"
Jul 09 06:50:05 docker1 sshd[10682]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping
Jul 09 06:50:05 docker1 sshd[10682]: error: No AuthenticationMethods left after eliminating disabled methods
Jul 09 06:50:05 docker1 sshd[10682]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive" [preauth]
Jul 09 06:50:05 docker1 sshd[10682]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping [preauth]
Jul 09 06:50:05 docker1 sshd[10682]: error: No AuthenticationMethods left after eliminating disabled methods [preauth]
Jul 09 06:50:05 docker1 sshd[10682]: Disconnecting authenticating user david 192.168.4.6 port 50344: no authentication methods enabled [preauth]
Jul 09 06:53:00 docker1 sshd[10702]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive"
Jul 09 06:53:00 docker1 sshd[10702]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping
Jul 09 06:53:00 docker1 sshd[10702]: error: No AuthenticationMethods left after eliminating disabled methods
Jul 09 06:53:00 docker1 sshd[10702]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive" [preauth]
Jul 09 06:53:00 docker1 sshd[10702]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping [preauth]
Jul 09 06:53:00 docker1 sshd[10702]: error: No AuthenticationMethods left after eliminating disabled methods [preauth]
Jul 09 06:53:00 docker1 sshd[10702]: Disconnecting authenticating user david 192.168.4.6 port 50587: no authentication methods enabled [preauth]
Ah-hah!
I googled, found this, and noted in particular the quote about "KbdInteractiveAuthentication".
So I went into /etc/ssh/sshd_config and changed KbdInteractiveAuthentication from no to yes. I also commented out the line ChallengeResponseAuthentication yes, since it appears to be deprecated.
systemctl restart sshd
Then I tried to log in again. I got closer: I was asked for the passphrase and the Google Authenticator code. However, the Google Authenticator code was rejected repeatedly and I couldn't log in.
$ ssh -vvv [email protected]
OpenSSH_9.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/david/.ssh/config
debug1: /Users/david/.ssh/config line 1: Applying options for 192.168.4.7
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.4.7 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/david/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/david/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.4.7 [192.168.4.7] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /Users/david/.ssh/docker1_id_rsa type 0
debug1: identity file /Users/david/.ssh/docker1_id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u3
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.4.7:22 as 'david'
debug3: record_hostkey: found key type ED25519 in file /Users/david/.ssh/known_hosts:31
debug3: record_hostkey: found key type RSA in file /Users/david/.ssh/known_hosts:32
debug3: record_hostkey: found key type ECDSA in file /Users/david/.ssh/known_hosts:33
debug3: load_hostkeys_file: loaded 3 keys from 192.168.4.7
debug1: load_hostkeys: fopen /Users/david/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type [email protected], using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,[email protected]
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,[email protected]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:YqWOIqPh7NqasxGY07Yef+WDD52F/48qBkbiWlQxIE8
debug3: record_hostkey: found key type ED25519 in file /Users/david/.ssh/known_hosts:31
debug3: record_hostkey: found key type RSA in file /Users/david/.ssh/known_hosts:32
debug3: record_hostkey: found key type ECDSA in file /Users/david/.ssh/known_hosts:33
debug3: load_hostkeys_file: loaded 3 keys from 192.168.4.7
debug1: load_hostkeys: fopen /Users/david/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.4.7' is known and matches the ED25519 host key.
debug1: Found key in /Users/david/.ssh/known_hosts:31
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug3: kex_input_ext_info: extension server-sig-algs
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug3: kex_input_ext_info: extension [email protected]
debug1: kex_ext_info_check_ver: [email protected]=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug3: ssh_get_authentication_socket_path: path '/private/tmp/com.apple.launchd.7ZPATgtfUu/Listeners'
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/david/.ssh/docker1_id_rsa RSA SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0 explicit
debug2: pubkey_prepare: done
debug1: Offering public key: /Users/david/.ssh/docker1_id_rsa RSA SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0 explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/david/.ssh/docker1_id_rsa RSA SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0 explicit
debug3: sign_and_send_pubkey: using [email protected] with RSA SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0
Enter passphrase for key '/Users/david/.ssh/docker1_id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/Users/david/.ssh/docker1_id_rsa':
debug3: send packet: type 50
debug3: receive packet: type 51
Authenticated using "publickey" with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
([email protected]) Verification code:
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
([email protected]) Verification code:
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
([email protected]) Verification code:
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (keyboard-interactive).
On the Mac Mini:
journalctl --since "2 minutes ago"
Jul 09 07:20:18 docker1 sshd(pam_google_authenticator)[10989]: Failed to read "/home/david/.google_authenticator" for "david"
Jul 09 07:20:18 docker1 sshd(pam_google_authenticator)[10989]: No secret configured for user david, asking for code anyway.
Jul 09 07:20:25 docker1 sshd(pam_google_authenticator)[10989]: Invalid verification code for david
Jul 09 07:20:25 docker1 sshd[10987]: error: PAM: Authentication failure for david from 192.168.4.6
Jul 09 07:20:25 docker1 sshd(pam_google_authenticator)[10993]: Failed to read "/home/david/.google_authenticator" for "david"
Jul 09 07:20:25 docker1 sshd(pam_google_authenticator)[10993]: No secret configured for user david, asking for code anyway.
Jul 09 07:20:33 docker1 sshd(pam_google_authenticator)[10993]: Invalid verification code for david
Jul 09 07:20:33 docker1 sshd[10987]: error: PAM: Authentication failure for david from 192.168.4.6
Jul 09 07:20:33 docker1 sshd(pam_google_authenticator)[10996]: Failed to read "/home/david/.google_authenticator" for "david"
Jul 09 07:20:33 docker1 sshd(pam_google_authenticator)[10996]: No secret configured for user david, asking for code anyway.
Jul 09 07:20:42 docker1 sshd(pam_google_authenticator)[10996]: Invalid verification code for david
Jul 09 07:20:42 docker1 sshd[10987]: error: PAM: Authentication failure for david from 192.168.4.6
Jul 09 07:20:42 docker1 sshd[10987]: Connection closed by authenticating user david 192.168.4.6 port 52983 [preauth]
So I ran ls -asl inside /home/david/ and noticed that /home/david/.google_authenticator doesn't even exist.
Googling a bit more, I finally found this and realised that I had run the Google Authenticator setup/configuration while logged in as the root user, not as the user david. Checking /root/, I found the .google_authenticator file there. I hadn't realised that the Google Authenticator setup has to be run as the user who needs that authentication method. In hindsight, if I'd actually used my eyes this should have been obvious, because the code's description in the Google Authenticator app shows root@hostname, not david@hostname.
su david
google-authenticator
(Answer yes to everything and create a new code)
Then I tried to log in once more, and this time I was asked for the passphrase and the Google Authenticator code and was able to log in successfully.
I ran google-authenticator while logged in as the root user. I should have run it as my normal user account.
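As an added example (not part of the original post, and not code from OpenSSH or pam_google_authenticator), here is a small POSIX shell pre-flight lint that models the two sshd_config rules this thread ran into: for an ordinary keyword the first value in the file wins, so appending ChallengeResponseAuthentication yes (the old alias of KbdInteractiveAuthentication) after KbdInteractiveAuthentication no changes nothing, and a Match User block overrides the global value for that user. It then reports any AuthenticationMethods chain that names a disabled method (the "Disabled method ... / No AuthenticationMethods left" error in the journal above) and a missing or group/other-readable per-user secret file (the /root versus /home/david mistake). The function names effective_keyword and sshd_mfa_lint and the two config files it constructs are mine; it assumes only Match User criteria matter, does not follow Include directives, and does not handle the keyword=value spelling.

```shell
#!/bin/sh
# Pre-flight lint for a publickey + keyboard-interactive (pam_google_authenticator)
# sshd setup. Added example, not code from the post, OpenSSH or the PAM module.
# Models: first value of a keyword wins; "Match User" overrides global for that user;
# ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication.
# Assumptions: Include is not followed, only "Match User" criteria are interpreted
# (other Match blocks never match), "keyword=value" spelling is not handled.

# effective_keyword CONF USER KEYWORD -> value sshd would use for USER ("" if unset)
effective_keyword() {
    awk -v u="$2" -v k="$3" '
        function canon(w) {                       # case-insensitive keyword + deprecated alias
            w = tolower(w)
            if (w == "challengeresponseauthentication") w = "kbdinteractiveauthentication"
            return w
        }
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" {
            in_match = 1; active = 0
            if (tolower($2) == "user") {
                n = split($3, users, ",")
                for (i = 1; i <= n; i++) if (users[i] == u) active = 1
            }
            next
        }
        canon($1) == canon(k) {
            val = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", val)   # drop the keyword
            sub(/[[:space:]]+$/, "", val)
            if (!in_match && gval == "") gval = val                  # first global value wins
            else if (in_match && active && mval == "") mval = val    # first value in the matching block wins
        }
        END { print (mval != "" ? mval : gval) }
    ' "$1"
}

# sshd_mfa_lint CONF USER [HOME_DIR] -> 0 if USER would get key + OTP, 1 otherwise
sshd_mfa_lint() {
    conf=$1; user=$2; home=${3:-/home/$2}; rc=0
    # sshd defaults when a keyword is absent (Debian's stock file sets UsePAM yes)
    kbd=$(effective_keyword "$conf" "$user" KbdInteractiveAuthentication); kbd=${kbd:-yes}
    pub=$(effective_keyword "$conf" "$user" PubkeyAuthentication);         pub=${pub:-yes}
    pw=$(effective_keyword "$conf" "$user" PasswordAuthentication);        pw=${pw:-yes}
    pam=$(effective_keyword "$conf" "$user" UsePAM);                       pam=${pam:-no}
    methods=$(effective_keyword "$conf" "$user" AuthenticationMethods)

    [ "$pam" = yes ] || { echo "FAIL: UsePAM is not yes, pam_google_authenticator never runs"; rc=1; }
    [ -n "$methods" ] || { echo "FAIL: no AuthenticationMethods for $user, any single method logs in"; rc=1; }

    # AuthenticationMethods is a space-separated set of alternatives; each alternative is a
    # comma-separated chain, and sshd drops a whole chain if any method in it is disabled.
    for chain in $methods; do
        for m in $(printf '%s' "$chain" | tr ',' ' '); do
            case $m in
                publickey)            enabled=$pub ;;
                keyboard-interactive) enabled=$kbd ;;
                password)             enabled=$pw ;;
                *)                    enabled=yes; echo "NOTE: method $m not modelled, assumed enabled" ;;
            esac
            [ "$enabled" != no ] || { echo "FAIL: \"$m\" is disabled for $user, sshd skips chain \"$chain\""; rc=1; }
        done
    done

    # google-authenticator writes the secret to the HOME of whoever runs it, so running it as
    # root leaves it in /root. The module also refuses a file readable by group/other (0400
    # expected) or not owned by the user; ownership is not checked so the demo runs as any account.
    secret=$home/.google_authenticator
    if [ ! -f "$secret" ]; then
        echo "FAIL: $secret missing, run google-authenticator as $user"; rc=1
    elif [ "$(ls -ld "$secret" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $secret is group/other accessible, chmod 0400 it"; rc=1
    fi
    return $rc
}

# Demo on constructed configs (not the post's real files): the first attempt, then the fix.
demo_dir=$(mktemp -d)
cat > "$demo_dir/first.conf" <<'EOF'
KbdInteractiveAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
Match User david
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
EOF
sed 's/^KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/' "$demo_dir/first.conf" > "$demo_dir/fixed.conf"
mkdir -p "$demo_dir/home" && : > "$demo_dir/home/.google_authenticator" && chmod 0400 "$demo_dir/home/.google_authenticator"
echo "== first attempt =="; sshd_mfa_lint "$demo_dir/first.conf" david "$demo_dir/home" || echo "(would fail as in the journal)"
echo "== fixed =="; sshd_mfa_lint "$demo_dir/fixed.conf" david "$demo_dir/home" && echo "OK: publickey then OTP for david"
rm -rf "$demo_dir"
```

Run it against the candidate file before restarting the daemon (sshd_mfa_lint /etc/ssh/sshd_config david), and keep an existing root session open while you restart. sshd's own view is authoritative: sshd -t syntax-checks the file, and sshd -T -C user=david prints the effective values after Match processing, so grepping that output for KbdInteractiveAuthentication, AuthenticationMethods and UsePAM is the quickest way to confirm what the lint models. On the PAM side, with @include common-auth commented out the stack asks only for the verification code, so a login is key plus OTP; leaving the include in would additionally require the account password on the keyboard-interactive step.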