我有一个启用了MFA且使用google-authenticator服务的堡垒服务器。但是我无法通过堡垒使用proxycommand:
> ssh -vvv -i ~/.ssh/file.pem user@ip -o "proxycommand ssh -q -W %h:%p user@bastion"
OpenSSH_7.9p1 Ubuntu-10, OpenSSL 1.1.1b 26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname ip is address
debug1: Executing proxy command: exec ssh -q -W ip:22 user@bastion
debug1: identity file /home/user/.ssh/file.pem type -1
debug1: identity file /home/user/.ssh/file.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Ubuntu-10
Password:
Verification code:
connection exited by timeout
是否可以在MFA中使用proxycommand?
/etc/pam.d/common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
auth required pam_google_authenticator.so nullok
/ etc / ssh / sshd_config:
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
答案 0 :(得分:0)
问题出在防火墙规则上,proxycommand适用于MFA!