最新消息:
    你的位置:IPCPU-网络之路 > IT技术 > Linux 双因子认证(密码+PIN)C语言版

    Linux 双因子认证(密码+PIN)C语言版

    IT技术 ipcpu 6015浏览

    Linux 双因子认证(密码+PIN)C语言版.md

    关键字

    Linux C语言 PAM SSH 2 Two Multi Factor Authentication Login 双因子 多因子 密保 TOKEN 一次性口令 PASSPOD OTP yubikey 认证 安全 登录

    实现效果

    最简单的实现的方式,用户SSH登录时需要输入用户名+PIN+密码方式才能登录。
    这里的PIN是一个字符串,例如”ipcpu.com”或者电话号码6192*,固定死的,不会变,所有用户共享。

    1. [root@control.ipcpu.com ~]# ssh ipcpu@211.81.175.101
    2. PIN: 6192***
    3. Password:
    4. [ipcpu@s18.ipcpu.com ~]$
    5. [ipcpu@s18.ipcpu.com ~]$
    6. [ipcpu@s18.ipcpu.com ~]$id
    7. uid=501(ipcpu) gid=501(ipcpu) groups=501(ipcpu)

    实现代码(C语言)

    1. /*******************************************************************************
    2.  * file:        2ndfactor.c
    3.  * author:      www.ipcpu.com
    4.  * description: PAM module to provide 2 factor authentication
    5. *******************************************************************************/
    6. #include <stdio.h>
    7. #include <stdlib.h>
    8. #include <string.h>
    9. #include <curl/curl.h>
    10. #include <security/pam_appl.h>
    11. #include <security/pam_modules.h>
    13. /* expected hook */
    14. PAM_EXTERN int pam_sm_setcred( pam_handle_t *pamh, int flags, int argc, const char **argv ) {
    15.     return PAM_SUCCESS ;
    16. }
    19. /* this function is ripped from pam_unix/support.c, it lets us do IO via PAM */
    20. int converse( pam_handle_t *pamh, int nargs, struct pam_message **message, struct pam_response **response ) {
    21.     int retval ;
    22.     struct pam_conv *conv ;
    24.     retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
    25.     if( retval==PAM_SUCCESS ) {
    26.         retval = conv->conv( nargs, (const struct pam_message **) message, response, conv->appdata_ptr ) ;
    27.     }
    29.     return retval ;
    30. }
    33. /* expected hook, this is where custom stuff happens */
    34. PAM_EXTERN int pam_sm_authenticate( pam_handle_t *pamh, int flags,int argc, const char **argv ) {
    35.     int retval ;
    36.     int i ;
    38.     /* these guys will be used by converse() */
    39.     char *input ;
    40.     char *pin="6192***" ;
    41.     struct pam_message msg[1],*pm
sg[1];
    42.     struct pam_response *resp;
    44.     /* getting the username that was used in the previous authentication */
    45.     const char *username ;
    46.         if( (retval = pam_get_user(pamh,&username,"login: "))!=PAM_SUCCESS ) {
    47.         return retval ;
    48.     }
    50.     /*ak47@ipcpu.com,code start here!*/
    52.     /* setting up conversation call prompting for one-time code */
    53.     pmsg[0] = &msg[0] ;
    54.     msg[0].msg_style = PAM_PROMPT_ECHO_ON ;
    55.     msg[0].msg = "PIN: " ;
    56.     /*variable resp used to recive keyboard input*/
    57.     resp = NULL ;
    58.     if( (retval = converse(pamh, 1 , pmsg, &resp))!=PAM_SUCCESS ) {
    59.         // if this function fails, make sure that ChallengeResponseAuthentication in sshd_config is set to yes
    60.         return retval ;
    61.     }
    63.     /* retrieving user input,give PIN to variable input */
    64.     if( resp ) {
    65.         if( (flags & PAM_DISALLOW_NULL_AUTHTOK) && resp[0].resp == NULL ) {
    66.                 free( resp );
    67.                 return PAM_AUTH_ERR;
    68.         }
    69.         input = resp[ 0 ].resp;
    70.         resp[ 0 ].resp = NULL;
    71.         } else {
    72.         return PAM_CONV_ERR;
    73.     }
    75.     /* comparing user input with known code */
    76.     if( strcmp(input, pin)==0 ) {
    77.         /* good to go! */
    78.         free( input ) ;
    79.         return PAM_SUCCESS ;
    80.     } else {
    81.         /* wrong pin */
    82.         free( input ) ;
    83.         return PAM_AUTH_ERR ;
    84.     }
    86.     /* we shouldn't read this point, but if we do, we might as well return something bad */
    87.     return PAM_AUTH_ERR ;
    88. }

    编译方法:

    1. #@编译之前需要安装pam-devel包,否则会报错
    2. gcc -fPIC -lcurl -c 2ndfactor.c
    3. ld -x --shared -o /lib/security/2ndfactor.so 2ndfactor.o

    将其配置到/etc/pam.d/sshd,SSH配置中打开ChallengeResponseAuthentication

    1. [root@IPCPU-11 ~]# head /etc/pam.d/sshd 
    2. #%PAM-1.0
    3. auth        requisite   2ndfactor.so
    4. auth       required pam_sepermit.so
    5. auth       include      password-auth
    6. account    required     pam_nologin.so
    7. account    include      password-auth
    8. password   include      password-auth
    9. # pam_selinux.so close should be the first session rule
    10. session    required     pam_selinux.so close
    11. session    required     pam_loginuid.so
    12. [root@IPCPU-11 ~]#

    进阶-每个用户使用独立的PIN

    使用固定的PIN优点太low了,接下来我们介绍进阶的办法,每个人用自己的PIN。
    首先PIN需要有个地方存放起来,我们就直接使用/etc/passwd的comment字段来存储。
    可以通过命令 usermod来修改。如下,

    1. [root@IPCPU-11 ~]# usermod -c 6192*** root
    2. [root@IPCPU-11 ~]# cat /etc/passwd
    3. root:x:0:0:6192***:/root:/bin/bash

    PAM模块代码

    1. /*******************************************************************************
    2.  * file:        pin.c
    3.  * author:      www.ipcpu.com
    4.  * description: PAM module to provide 2 factor authentication
    5. *******************************************************************************/
    6. #include <stdio.h>
    7. #include <stdlib.h>
    8. #include <pwd.h>
    9. #include <string.h>
    10. #include <syslog.h>
    11. #include <limits.h>
    12. #include <security/pam_appl.h>
    13. #include <security/pam_modules.h>
    14. //#include <curl/curl.h>
    15. /* expected hook */
    16. PAM_EXTERN int pam_sm_setcred( pam_handle_t *pamh, int flags, int argc, const char **argv ) {
    17.     return PAM_SUCCESS ;
    18. }
    19. /* this function is ripped from pam_unix/support.c, it lets us do IO via PAM */
    20. int converse( pam_handle_t *pamh, int nargs, struct pam_message **message, struct pam_response **response ) {
    21.     int retval ;
    22.     struct pam_conv *conv ;
    23.     retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
    24.     if( retval==PAM_SUCCESS ) {
    25.         retval = conv->conv( nargs, (const struct pam_message **) message, response, conv->appdata_ptr ) ;
    26.     }
    27.     return retval ;
    28. }
    32. /* expected hook, this is where custom stuff happens */
    33. PAM_EXTERN int pam_sm_authenticate( pam_handle_t *pamh, int flags,int argc, const char **argv ) {
    34.     int retval ;
    35.     int i ;
    36.     /* these guys will be used by converse() */
    37.     char *input ;
    38.     struct pam_message msg[1],*pmsg[1];
    39.     struct pam_response *resp;
    40.     /* getting the username that was used in the previous authentication */
    41.     const char *username ;
    43.     if( (retval = pam_get_user(pamh,&username,"login: "))!=PAM_SUCCESS ) {
    44.        return retval ;
    45.     }
    47.     /* get user comment from /etc/passwd */
    48.     struct passwd *pwd;
    49.     struct passwd pwdbuf;
    50.     char pwbuffer[2 * PATH_MAX];
    51.     char *gecos ;
    52.     if( (retval = getpwnam_r(username, &pwdbuf, pwbuffer, sizeof(pwbuffer), &pwd))!=PAM_SUCCESS || NULL == pwd ) {
    53.         //syslog(LOG_ERR|LOG_AUTHPRIV, "PIN-PAM:could not get comment." );
    54.         //gecos = "jshjdkshakg";
    55.         //syslog(LOG_ERR|LOG_AUTHPRIV, "PIN-PAM:gecos:%s.", gecos );
    56.         //return retval ;
    57.        return PAM_AUTH_ERR;
    58.      } else {
    59.         gecos = pwd->pw_gecos;
    60.         //syslog(LOG_ERR|LOG_AUTHPRIV, "PIN-PAM:get comment ok." );
    61.         //syslog(LOG_ERR|LOG_AUTHPRIV, "PIN-PAM:gecos:%s.", gecos );
    62.      }
    64.     /* setting up conversation call prompting for one-time code */
    65.     pmsg[0] = &msg[0] ;
    66.     msg[0].msg_style = PAM_PROMPT_ECHO_OFF ;
    67.     msg[0].msg = "PIN: " ;
    68.     /*variable resp used to recive keyboard input*/
    69.     resp = NULL ;
    70.     if( (retval = converse(pamh, 1 , pmsg, &resp))!=PAM_SUCCESS ) {
    71.         // if this function fails, make sure that ChallengeResponseAuthentication in sshd_config is set to yes
    72.         return retval ;
    73.     }
    74.     /* retrieving user input,give PIN to variable input */
    75.     if( resp ) {
    76.         if( (flags & PAM_DISALLOW_NULL_AUTHTOK) && resp[0].resp == NULL ) {
    77.                 free( resp );
    78.                 return PAM_AUTH_ERR;
    79.         }
    80.         input = resp[ 0 ].resp;
    81.         resp[ 0 ].resp = NULL;
    82.         } else {
    83.         return PAM_CONV_ERR;
    84.     }
    85.     /* comparing user input with known code */
    86.     if( strcmp(input, gecos)==0 ) {
    87.         /* right to go! */
    88.         free( input ) ;
    89.         syslog(LOG_ERR|LOG_AUTHPRIV, "PIN-PAM:success.%s:%s.", username,gecos );
    90.         return PAM_SUCCESS ;
    91.     } else {
    92.         /* wrong pin !*/
    93.         free( input ) ;
    94.         syslog(LOG_ERR|LOG_AUTHPRIV, "PIN-PAM:failed.%s:%s.", username,gecos );
    95.         return PAM_AUTH_ERR ;
    96.     }
    97.     /* we shouldn't read this point, but if we do, we might as well return something bad */
    98.     return PAM_AUTH_ERR ;
    99. }

    参考文章

    http://ben.akrin.com/?p=1068

    转载请注明:IPCPU-网络之路 » Linux 双因子认证(密码+PIN)C语言版

    与本文相关的文章