-
Notifications
You must be signed in to change notification settings - Fork 42
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #289 from TeraTermProject/#197_ssh_further_auth
SSH multiple required authentication #99
- Loading branch information
Showing
19 changed files
with
774 additions
and
142 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| FROM debian:trixie-20240701-slim | ||
| RUN apt-get update | ||
| RUN apt-get install -y sudo vim nano | ||
| RUN apt-get install -y libpam-google-authenticator openssh-server | ||
| # /etc/pam.d/sshd | ||
| COPY pam-sshd /tmp | ||
| RUN mv /etc/pam.d/sshd /etc/pam.d/sshd_orig \ | ||
| && mv /tmp/pam-sshd /etc/pam.d/sshd | ||
| # /etc/sshd/sshd_config | ||
| COPY ssh-sshd_config /tmp | ||
| RUN mv /etc/ssh/sshd_config /etc/ssh/sshd_config_orig \ | ||
| && mv /tmp/ssh-sshd_config /etc/ssh/sshd_config | ||
| # user 'test' | ||
| RUN useradd -m -p $(perl -e 'print crypt("password", "\$6\$salt03")') test | ||
| RUN mkdir ~test/.ssh && chown test:test ~test/.ssh && chmod go-rwx ~test/.ssh | ||
| COPY tt_test_key.pub /tmp | ||
| RUN mv /tmp/tt_test_key.pub ~test/.ssh/authorized_keys | ||
| RUN chown test:test ~test/.ssh/authorized_keys && chmod go-rwx ~test/.ssh/authorized_keys | ||
| # history | ||
| COPY bash_history /tmp | ||
| RUN mv /tmp/bash_history /root/.bash_history |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| # SSH追加認証テスト環境 | ||
|
|
||
| 開発PC上にテスト用SSHサーバーを起動する | ||
|
|
||
| ## 参考資料 | ||
|
|
||
| - [Linux で SSH の 2 要素認証をセットアップする方法](https://ja.linux-console.net/?p=1141) | ||
|
|
||
| ## 作成済みキーペア | ||
|
|
||
| ユーザー'test'用 | ||
|
|
||
| - tt_test_key,tt_test_key.pub | ||
| - password | ||
| - 'pw' | ||
| ``` | ||
| $ ssh-keygen -f tt_test_key | ||
| Generating public/private ed25519 key pair. | ||
| tt_test_key already exists. | ||
| Overwrite (y/n)? y | ||
| Enter passphrase (empty for no passphrase): | ||
| Enter same passphrase again: | ||
| Your identification has been saved in tt_test_key | ||
| Your public key has been saved in tt_test_key.pub | ||
| The key fingerprint is: | ||
| SHA256:Cv0t1Dstw6kZ3bUAxRaXRkGYm8NTaCXi+da3vQq+Rxk masaaki@carbon | ||
| The key's randomart image is: | ||
| +--[ED25519 256]--+ | ||
| | ..+O*o | | ||
| | . +Bo+ | | ||
| | ++ = | | ||
| | . . o*E | | ||
| | . . S . +o= .| | ||
| | . + + * = oo| | ||
| | . + X.+ ...| | ||
| | =.+.. .| | ||
| | o oo... | | ||
| +----[SHA256]-----+ | ||
| ``` | ||
|
|
||
| ## TOTP設定 | ||
|
|
||
| TOTP Token Generator サイト(次のURL)を開いておく | ||
| - https://totp.danhersam.com/ | ||
|
|
||
| 次のコマンドを実行(ヒストリに入っているので、上矢印で出てくる) | ||
| ``` | ||
| # sudo -u test google-authenticator --time-based --qr-mode=NONE | ||
| ``` | ||
| 例 | ||
| ``` | ||
| Your new secret key is: WKCET2ZZESUZNNKC2LWUIZ4OHA | ||
| Enter code from app (-1 to skip): 539119 | ||
| Your emergency scratch codes are: | ||
| 56275753 | ||
| 27179741 | ||
| 85851173 | ||
| 47941584 | ||
| 35726819 | ||
| Do you want me to update your "/home/test/.google_authenticator" file? (y/n) y | ||
| : | ||
| : | ||
| ``` | ||
| - secret key をTOTP Token Generatorサイトに入力(ここでは`WKCET2ZZESUZNNKC2LWUIZ4OHA`) | ||
| - サイトに出力された6桁のコードを入力(ここでは'539119') | ||
| - `~/.google_authenticator` が生成される | ||
| - 残りは 'y' でok | ||
|
|
||
| ## テスト用sshd 起動 | ||
|
|
||
| - ポート22を使用していない状態にする | ||
| - Windowsの場合 | ||
| - [Docker Desktop for Windows](https://www.docker.com/get-started/) をインストールしておく | ||
| - `docker_build.bat` を実行する | ||
| - 作成済みテスト用ユーザー | ||
| - user | ||
| - test | ||
| - pw | ||
| - password | ||
| - rootでログインした状態になる | ||
|
|
||
| - /etc/ssh/sshd_config を調整 | ||
| `vi /etc/ssh/sshd_config` | ||
| - /etc/ssh/sshd_config を調整して sshd を起動 | ||
| `/usr/sbin/sshd -d` | ||
| - localhost:22 に接続可能となる | ||
|
|
||
| ### Tera Term から接続 | ||
|
|
||
| - `ssh://test@localhost` へ接続 | ||
| - SSH 認証チャレンジ Password: で | ||
| - `password` と入力 | ||
| - SSH 認証チャレンジ Verification code: で | ||
| - TOTP Token Generator サイトの 6桁の数字を入力 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| nano /etc/ssh/sshd_config | ||
| nano /etc/pam.d/sshd | ||
| sudo -u test google-authenticator --time-based --qr-mode=NONE | ||
| /usr/sbin/sshd -d |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| setlocal | ||
| set CUR=%~dp0 | ||
| set PATH=C:\Program Files\Docker\Docker\resources;%PATH% | ||
| cd /d %CUR% | ||
| docker build -t teraterm_totp:1.0 -t teraterm_totp:latest . | ||
| docker run -it --rm --detach-keys="ctrl-t" --mount type=bind,src=%CUR%../..,dst=/mnt -p22:22 teraterm_totp:latest bash | ||
| pause | ||
| endlocal |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| # PAM configuration for the Secure Shell service | ||
|
|
||
| # Standard Un*x authentication. | ||
| #@include common-auth | ||
|
|
||
| # Disallow non-root logins when /etc/nologin exists. | ||
| account required pam_nologin.so | ||
|
|
||
| # Uncomment and edit /etc/security/access.conf if you need to set complex | ||
| # access limits that are hard to express in sshd_config. | ||
| # account required pam_access.so | ||
|
|
||
| # Standard Un*x authorization. | ||
| @include common-account | ||
|
|
||
| # SELinux needs to be the first session rule. This ensures that any | ||
| # lingering context has been cleared. Without this it is possible that a | ||
| # module could execute code in the wrong domain. | ||
| session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close | ||
|
|
||
| # Set the loginuid process attribute. | ||
| session required pam_loginuid.so | ||
|
|
||
| # Create a new session keyring. | ||
| session optional pam_keyinit.so force revoke | ||
|
|
||
| # Standard Un*x session setup and teardown. | ||
| @include common-session | ||
|
|
||
| # Print the message of the day upon successful login. | ||
| # This includes a dynamically generated part from /run/motd.dynamic | ||
| # and a static (admin-editable) part from /etc/motd. | ||
| session optional pam_motd.so motd=/run/motd.dynamic | ||
| session optional pam_motd.so noupdate | ||
|
|
||
| # Print the status of the user's mailbox upon successful login. | ||
| session optional pam_mail.so standard noenv # [1] | ||
|
|
||
| # Set up user limits from /etc/security/limits.conf. | ||
| session required pam_limits.so | ||
|
|
||
| # Read environment variables from /etc/environment and | ||
| # /etc/security/pam_env.conf. | ||
| session required pam_env.so # [1] | ||
| # In Debian 4.0 (etch), locale-related environment variables were moved to | ||
| # /etc/default/locale, so read that as well. | ||
| session required pam_env.so envfile=/etc/default/locale | ||
|
|
||
| # SELinux needs to intervene at login time to ensure that the process starts | ||
| # in the proper default security context. Only sessions which are intended | ||
| # to run in the user's context should be run after this. | ||
| session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open | ||
|
|
||
| # Standard Un*x password updating. | ||
| @include common-password | ||
|
|
||
| auth required pam_unix.so nullok | ||
| auth required pam_google_authenticator.so nullok | ||
| #auth required pam_permit.so |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| # PAM configuration for the Secure Shell service | ||
|
|
||
| # Standard Un*x authentication. | ||
| @include common-auth | ||
|
|
||
| # Disallow non-root logins when /etc/nologin exists. | ||
| account required pam_nologin.so | ||
|
|
||
| # Uncomment and edit /etc/security/access.conf if you need to set complex | ||
| # access limits that are hard to express in sshd_config. | ||
| # account required pam_access.so | ||
|
|
||
| # Standard Un*x authorization. | ||
| @include common-account | ||
|
|
||
| # SELinux needs to be the first session rule. This ensures that any | ||
| # lingering context has been cleared. Without this it is possible that a | ||
| # module could execute code in the wrong domain. | ||
| session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close | ||
|
|
||
| # Set the loginuid process attribute. | ||
| session required pam_loginuid.so | ||
|
|
||
| # Create a new session keyring. | ||
| session optional pam_keyinit.so force revoke | ||
|
|
||
| # Standard Un*x session setup and teardown. | ||
| @include common-session | ||
|
|
||
| # Print the message of the day upon successful login. | ||
| # This includes a dynamically generated part from /run/motd.dynamic | ||
| # and a static (admin-editable) part from /etc/motd. | ||
| session optional pam_motd.so motd=/run/motd.dynamic | ||
| session optional pam_motd.so noupdate | ||
|
|
||
| # Print the status of the user's mailbox upon successful login. | ||
| session optional pam_mail.so standard noenv # [1] | ||
|
|
||
| # Set up user limits from /etc/security/limits.conf. | ||
| session required pam_limits.so | ||
|
|
||
| # Read environment variables from /etc/environment and | ||
| # /etc/security/pam_env.conf. | ||
| session required pam_env.so # [1] | ||
| # In Debian 4.0 (etch), locale-related environment variables were moved to | ||
| # /etc/default/locale, so read that as well. | ||
| session required pam_env.so envfile=/etc/default/locale | ||
|
|
||
| # SELinux needs to intervene at login time to ensure that the process starts | ||
| # in the proper default security context. Only sessions which are intended | ||
| # to run in the user's context should be run after this. | ||
| session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open | ||
|
|
||
| # Standard Un*x password updating. | ||
| @include common-password | ||
|
|
Oops, something went wrong.