Linux two-factor authentication (password + PIN), C version

Published 2016-06-30 at https://c.ipcpu.com/2016/06/linux-mfa-c/

Keywords

Linux, C, PAM, SSH, two-factor / multi-factor authentication, login, security token, TOKEN, one-time password, PASSPOD, OTP, yubikey, authentication, security

What it looks like

The simplest implementation: when a user logs in over SSH they have to enter username + PIN + password before they get a shell.
The PIN here is a string, for example "ipcpu.com" or the phone number 6192***; it is hard-coded, never changes, and is shared by all users.

```
[root@control.ipcpu.com ~]# ssh ipcpu@211.81.175.101
PIN: 6192***
Password:
[ipcpu@s18.ipcpu.com ~]$
[ipcpu@s18.ipcpu.com ~]$
[ipcpu@s18.ipcpu.com ~]$ id
uid=501(ipcpu) gid=501(ipcpu) groups=501(ipcpu)
```

Implementation code (C)

```c
/*******************************************************************************
 * file: 2ndfactor.c
 * author: www.ipcpu.com
 * description: PAM module to provide 2 factor authentication
 *******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>

/* expected hook */
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return PAM_SUCCESS;
}

/* this function is ripped from pam_unix/support.c, it lets us do IO via PAM */
int converse(pam_handle_t *pamh, int nargs, struct pam_message **message, struct pam_response **response) {
    int retval;
    struct pam_conv *conv;

    retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
    if (retval == PAM_SUCCESS) {
        retval = conv->conv(nargs, (const struct pam_message **) message, response, conv->appdata_ptr);
    }
    return retval;
}

/* expected hook, this is where custom stuff happens */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    int retval;

    /* these guys will be used by converse() */
    char *input;
    char *pin = "6192***";          /* the shared, hard-coded PIN */
    struct pam_message msg[1], *pmsg[1];
    struct pam_response *resp;

    /* getting the username that was used in the previous authentication */
    const char *username;
    if ((retval = pam_get_user(pamh, &username, "login: ")) != PAM_SUCCESS) {
        return retval;
    }

    /* ak47@ipcpu.com, code start here! */

    /* setting up conversation call prompting for one-time code.
     * PAM_PROMPT_ECHO_ON echoes the PIN back to the terminal (as in the session above);
     * PAM_PROMPT_ECHO_OFF would hide it like the password prompt does. */
    pmsg[0] = &msg[0];
    msg[0].msg_style = PAM_PROMPT_ECHO_ON;
    msg[0].msg = "PIN: ";
    /* variable resp used to receive keyboard input */
    resp = NULL;
    if ((retval = converse(pamh, 1, pmsg, &resp)) != PAM_SUCCESS) {
        // if this function fails, make sure that ChallengeResponseAuthentication in sshd_config is set to yes
        return retval;
    }

    /* retrieving user input, give PIN to variable input */
    if (resp) {
        if ((flags & PAM_DISALLOW_NULL_AUTHTOK) && resp[0].resp == NULL) {
            free(resp);
            return PAM_AUTH_ERR;
        }
        input = resp[0].resp;
        resp[0].resp = NULL;
        free(resp);                 /* the response array itself is ours to free */
    } else {
        return PAM_CONV_ERR;
    }

    /* a NULL answer can still reach here when PAM_DISALLOW_NULL_AUTHTOK is not set; never hand it to strcmp */
    if (input == NULL) {
        return PAM_AUTH_ERR;
    }

    /* comparing user input with known code */
    if (strcmp(input, pin) == 0) {
        /* good to go! */
        free(input);
        return PAM_SUCCESS;
    } else {
        /* wrong pin */
        free(input);
        return PAM_AUTH_ERR;
    }
}
```

How to compile:

```
# the pam-devel package must be installed before compiling, otherwise the build fails
gcc -fPIC -c 2ndfactor.c
# on 64-bit RHEL/CentOS the module directory is /lib64/security instead of /lib/security
ld -x --shared -o /lib/security/2ndfactor.so 2ndfactor.o
```

Configure it in /etc/pam.d/sshd and enable ChallengeResponseAuthentication in the sshd configuration:

```
[root@IPCPU-11 ~]# head /etc/pam.d/sshd
#%PAM-1.0
auth requisite 2ndfactor.so
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
[root@IPCPU-11 ~]#
```

Advanced: a separate PIN for every user

A fixed PIN shared by everyone is too crude, so next we look at the advanced approach, where each person has their own PIN.
First the PIN needs somewhere to live; we simply use the comment (GECOS) field of /etc/passwd to store it.
It can be set with the usermod command, as follows. (Note that /etc/passwd is world-readable, so a PIN stored there can be read by every local user.)

```
[root@IPCPU-11 ~]# usermod -c 6192*** root
[root@IPCPU-11 ~]# cat /etc/passwd
root:x:0:0:6192***:/root:/bin/bash
```

PAM module code

```c
/*******************************************************************************
 * file: pin.c
 * author: www.ipcpu.com
 * description: PAM module to provide 2 factor authentication
 *******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#include <string.h>
#include <syslog.h>
#include <limits.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>

/* expected hook */
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    return PAM_SUCCESS;
}

/* this function is ripped from pam_unix/support.c, it lets us do IO via PAM */
int converse(pam_handle_t *pamh, int nargs, struct pam_message **message, struct pam_response **response) {
    int retval;
    struct pam_conv *conv;

    retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
    if (retval == PAM_SUCCESS) {
        retval = conv->conv(nargs, (const struct pam_message **) message, response, conv->appdata_ptr);
    }
    return retval;
}

/* expected hook, this is where custom stuff happens */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    int retval;

    /* these guys will be used by converse() */
    char *input;
    struct pam_message msg[1], *pmsg[1];
    struct pam_response *resp;

    /* getting the username that was used in the previous authentication */
    const char *username;
    if ((retval = pam_get_user(pamh, &username, "login: ")) != PAM_SUCCESS) {
        return retval;
    }

    /* get user comment (GECOS field) from /etc/passwd; this is the per-user PIN */
    struct passwd *pwd;
    struct passwd pwdbuf;
    char pwbuffer[2 * PATH_MAX];
    char *gecos;
    /* getpwnam_r returns 0 on success (an errno value, not a PAM code) and leaves pwd NULL for an unknown user */
    if (getpwnam_r(username, &pwdbuf, pwbuffer, sizeof(pwbuffer), &pwd) != 0 || pwd == NULL) {
        syslog(LOG_ERR | LOG_AUTHPRIV, "PIN-PAM: could not read passwd entry for %s.", username);
        return PAM_AUTH_ERR;
    }
    gecos = pwd->pw_gecos;
    /* an empty comment field means no PIN was ever set: fail closed instead of accepting an empty PIN */
    if (gecos == NULL || gecos[0] == '\0') {
        syslog(LOG_ERR | LOG_AUTHPRIV, "PIN-PAM: no PIN configured for %s.", username);
        return PAM_AUTH_ERR;
    }

    /* setting up conversation call prompting for the PIN (echo off, like the password prompt) */
    pmsg[0] = &msg[0];
    msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
    msg[0].msg = "PIN: ";
    /* variable resp used to receive keyboard input */
    resp = NULL;
    if ((retval = converse(pamh, 1, pmsg, &resp)) != PAM_SUCCESS) {
        // if this function fails, make sure that ChallengeResponseAuthentication in sshd_config is set to yes
        return retval;
    }

    /* retrieving user input, give PIN to variable input */
    if (resp) {
        if ((flags & PAM_DISALLOW_NULL_AUTHTOK) && resp[0].resp == NULL) {
            free(resp);
            return PAM_AUTH_ERR;
        }
        input = resp[0].resp;
        resp[0].resp = NULL;
        free(resp);                 /* the response array itself is ours to free */
    } else {
        return PAM_CONV_ERR;
    }
    if (input == NULL) {            /* never hand a NULL answer to strcmp */
        return PAM_AUTH_ERR;
    }

    /* comparing user input with the stored PIN */
    if (strcmp(input, gecos) == 0) {
        /* right to go! */
        free(input);
        /* log the outcome only: the PIN is a secret and must not be written to syslog */
        syslog(LOG_NOTICE | LOG_AUTHPRIV, "PIN-PAM: success for %s.", username);
        return PAM_SUCCESS;
    } else {
        /* wrong pin! */
        free(input);
        syslog(LOG_NOTICE | LOG_AUTHPRIV, "PIN-PAM: failed for %s.", username);
        return PAM_AUTH_ERR;
    }
}
```
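The per-user lookup above reads the PIN out of the GECOS field and compares it with what the user typed. As an added example (not code from the original post), the following stand-alone C program does the same lookup over constructed /etc/passwd lines, so it runs without PAM, and shows the edge case the module has to handle: an account whose comment field is empty must not be unlocked by an empty PIN. The helpers `gecos_for_user`, `pin_ok` and `user_pin_matches` and the sample `SAMPLE_PASSWD` content are constructed for this example.

```c
/* Added example: per-user PIN lookup from the GECOS field of constructed passwd lines,
 * with the empty-PIN edge case handled. Not part of the original module. */
#include <stdio.h>
#include <string.h>

/* Copy the GECOS (5th) field of the passwd line belonging to `user` into `out`.
 * Line format: name:pw:uid:gid:gecos:home:shell. Returns 1 if the user was found, else 0. */
int gecos_for_user(const char *passwd, const char *user, char *out, size_t outlen) {
    const char *line = passwd;
    size_t ulen = strlen(user);
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        /* the name field runs up to the first ':' and must match the whole user name */
        if (linelen > ulen && line[ulen] == ':' && strncmp(line, user, ulen) == 0) {
            const char *p = line;
            const char *end = line + linelen;
            int field = 0;
            while (p < end && field < 4) {          /* advance past the 4th ':' */
                if (*p == ':') field++;
                p++;
            }
            const char *q = memchr(p, ':', (size_t)(end - p));
            if (q == NULL) q = end;
            size_t glen = (size_t)(q - p);
            if (glen >= outlen) glen = outlen - 1;  /* truncate rather than overflow */
            memcpy(out, p, glen);
            out[glen] = '\0';
            return 1;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Accept only when a PIN is configured (non-empty) and the input matches it.
 * A bare strcmp(), as in the module above, reports a match for "" == "". */
int pin_ok(const char *stored, const char *input) {
    if (stored == NULL || input == NULL || stored[0] == '\0')
        return 0;
    return strcmp(stored, input) == 0;
}

/* The full check as the module performs it: look up the user's GECOS field, then compare. */
int user_pin_matches(const char *passwd, const char *user, const char *input) {
    char stored[64];
    if (!gecos_for_user(passwd, user, stored, sizeof stored))
        return 0;                                   /* unknown user: fail closed */
    return pin_ok(stored, input);
}

/* Constructed sample /etc/passwd content: root carries the PIN from the post,
 * "guest" never had a PIN set (empty comment field). */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:6192***:/root:/bin/bash\n"
    "guest:x:1001:1001::/home/guest:/bin/bash\n";

int main(void) {
    char pin[64];
    printf("root with correct PIN: %d\n", user_pin_matches(SAMPLE_PASSWD, "root", "6192***"));
    printf("root with wrong PIN:   %d\n", user_pin_matches(SAMPLE_PASSWD, "root", "6192**"));
    if (gecos_for_user(SAMPLE_PASSWD, "guest", pin, sizeof pin))
        printf("guest, empty PIN: strcmp says match=%d, pin_ok says %d\n",
               strcmp(pin, "") == 0, pin_ok(pin, ""));
    return 0;
}
```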

Reference

http://ben.akrin.com/?p=1068
