我有一个启用了MFA并使用google-authenticator服务的堡垒服务器。但是我无法通过堡垒使用proxycommand:

> ssh -vvv -i ~/.ssh/file.pem  user@ip -o "proxycommand ssh -q -W %h:%p user@bastion"
OpenSSH_7.9p1 Ubuntu-10, OpenSSL 1.1.1b  26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname ip is address
debug1: Executing proxy command: exec ssh -q -W ip:22 user@bastion
debug1: identity file /home/user/.ssh/file.pem type -1
debug1: identity file /home/user/.ssh/file.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Ubuntu-10
Password:
Verification code:


connection exited by timeout


是否可以在MFA中使用proxycommand?

/etc/pam.d/common-session:

session [default=1]         pam_permit.so
session requisite           pam_deny.so
session required            pam_permit.so
session optional            pam_umask.so
session required    pam_unix.so
session optional    pam_systemd.so

auth required pam_google_authenticator.so nullok


/ etc / ssh / sshd_config:

PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes

UsePAM yes
X11Forwarding yes
PrintMotd no

AcceptEnv LANG LC_*
Subsystem   sftp    /usr/lib/openssh/sftp-server

最佳答案

问题出在防火墙规则上,proxycommand适用于MFA!

关于linux - 带有MFA的堡垒服务器,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/56584163/

10-12 22:31