我有一个堡垒服务器,使用 google-authenticator 服务启用了 MFA。但我无法通过我的堡垒使用 proxycommand:
> ssh -vvv -i ~/.ssh/file.pem user@ip -o "proxycommand ssh -q -W %h:%p user@bastion"
OpenSSH_7.9p1 Ubuntu-10, OpenSSL 1.1.1b 26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname ip is address
debug1: Executing proxy command: exec ssh -q -W ip:22 user@bastion
debug1: identity file /home/user/.ssh/file.pem type -1
debug1: identity file /home/user/.ssh/file.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Ubuntu-10
Password:
Verification code:
connection exited by timeout
是否可以将 proxycommand 与 MFA 结合使用?
/etc/pam.d/common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
auth required pam_google_authenticator.so nullok
/etc/ssh/sshd_config:
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
最佳答案
问题出在防火墙规则上,proxycommand 可与 MFA 配合使用!
关于linux - 具有 MFA 的堡垒服务器,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56584163/