使用Pam-Python实现SSH短信双因素认证教学文档<\/h1>

一、双因素认证概述<\/h2>
双因素认证(2FA)是一种安全机制，要求用户提供两种不同类型的认证因素来验证身份。本文介绍如何使用Python的pam_python模块为SSH登录实现短信验证码形式的双因素认证。<\/p>
常见的双因素认证方案：<\/p>
短信验证码<\/li>
RSA动态令牌<\/li>
Google Authenticator<\/li>
Duo<\/li> <\/ul>
二、PAM模块基础<\/h2>
PAM(Pluggable Authentication Module)是Linux中的可插拔认证模块机制，特点：<\/p>
模块化设计和插件功能<\/li>
无需修改应用程序即可插入新认证模块<\/li>
详细参考：http:\/\/www.infoq.com\/cn\/articles\/linux-pam-one<\/li> <\/ul>
三、pam_python模块安装<\/h2>

1. 安装依赖<\/h3>
yum install pam pam-devel -y
<\/span><\/span><\/code><\/pre>2. 下载并编译pam_python<\/h3>
wget -O pam-python_1.0.6.tar.gz https:\/\/sourceforge.net\/projects\/pam-python\/files\/latest\/download?source=<\/span>files --no-check-certificate
<\/span><\/span>tar xvf pam-python_1.0.6.tar.gz
<\/span><\/span>cd pam-python_1.0.6
<\/span><\/span>make lib
<\/span><\/span>cp src\/build\/lib.linux-x86_64-2.7\/pam_python.so \/lib64\/security\/
<\/span><\/span><\/code><\/pre>四、短信双因素认证实现<\/h2>
1. 核心Python脚本<\/h3>
完整代码保存为\/lib64\/security\/Multiauth.py<\/code>：<\/p>
# -*- coding: utf-8 -*-<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> random,<\/span> string,<\/span> hashlib,<\/span> requests
<\/span><\/span>import<\/span> urllib,<\/span> urllib2
<\/span><\/span>import<\/span> pwd,<\/span> syslog
<\/span><\/span>
<\/span><\/span>class<\/span> SMSOperation<\/span>:
<\/span><\/span>    """短信发送接口"""<\/span>
<\/span><\/span>    def<\/span> __init__(self, pin, phone_num):
<\/span><\/span>        self.<\/span>pin =<\/span> pin
<\/span><\/span>        self.<\/span>phone_num =<\/span> phone_num
<\/span><\/span>        self.<\/span>url =<\/span> "短信服务地址"<\/span>
<\/span><\/span>        self.<\/span>params =<\/span> {
<\/span><\/span>            "account"<\/span>: "短信服务用户名"<\/span>,
<\/span><\/span>            "pswd"<\/span>: "短信服务密码"<\/span>,
<\/span><\/span>            "msg"<\/span>: "One Time Pin:"<\/span> +<\/span> str(pin),
<\/span><\/span>            "mobile"<\/span>: str(phone_num),
<\/span><\/span>            "needstatus"<\/span>: "false"<\/span>,
<\/span><\/span>            "extno"<\/span>: ""<\/span>
<\/span><\/span>        }
<\/span><\/span>    
<\/span><\/span>    def<\/span> parse_number<\/span>(self):
<\/span><\/span>        """设置用户手机号参数"""<\/span>
<\/span><\/span>        try<\/span>:
<\/span><\/span>            self.<\/span>params['mobile'<\/span>] =<\/span> self.<\/span>phone_num
<\/span><\/span>            return<\/span> 1<\/span>
<\/span><\/span>        except<\/span>:
<\/span><\/span>            auth_log("Invalid phone number <\/span>%s<\/span>. Please check."<\/span> %<\/span> (user))
<\/span><\/span>    
<\/span><\/span>    def<\/span> send_text<\/span>(self, pamh):
<\/span><\/span>        """发送请求"""<\/span>
<\/span><\/span>        try<\/span>:
<\/span><\/span>            self.<\/span>parse_number()
<\/span><\/span>        except<\/span>:
<\/span><\/span>            auth_log("Invalid phone number <\/span>%s<\/span>. Please check."<\/span> %<\/span> (user))
<\/span><\/span>            msg =<\/span> pamh.<\/span>Message(pamh.<\/span>PAM_ERROR_MSG, "The params are : (<\/span>%s<\/span>)"<\/span> %<\/span> (self.<\/span>params))
<\/span><\/span>            pamh.<\/span>conversation(msg)
<\/span><\/span>        
<\/span><\/span>        resp =<\/span> requests.<\/span>post(self.<\/span>url, data=<\/span>self.<\/span>params)
<\/span><\/span>        temp =<\/span> resp.<\/span>content.<\/span>split(','<\/span>)[1<\/span>]
<\/span><\/span>        if<\/span>(temp !=<\/span> 0<\/span>):
<\/span><\/span>            auth_log("Message cannot be sent to (<\/span>%s<\/span>), please check."<\/span> %<\/span> (self.<\/span>phone_num))
<\/span><\/span>
<\/span><\/span>def<\/span> auth_log<\/span>(msg):
<\/span><\/span>    """保存日志到\/var\/log\/messages"""<\/span>
<\/span><\/span>    syslog.<\/span>openlog(facility=<\/span>syslog.<\/span>LOG_AUTH)
<\/span><\/span>    syslog.<\/span>syslog("MultiFactors Authentication: "<\/span> +<\/span> msg)
<\/span><\/span>    syslog.<\/span>closelog()
<\/span><\/span>
<\/span><\/span>def<\/span> get_hash<\/span>(plain_text):
<\/span><\/span>    """获取短信验证码的sha512字符串"""<\/span>
<\/span><\/span>    key_hash =<\/span> hashlib.<\/span>sha512()
<\/span><\/span>    key_hash.<\/span>update(plain_text)
<\/span><\/span>    return<\/span> key_hash.<\/span>digest()
<\/span><\/span>
<\/span><\/span>def<\/span> get_user_number<\/span>(user):
<\/span><\/span>    """获取用户手机号码"""<\/span>
<\/span><\/span>    try<\/span>:
<\/span><\/span>        comments =<\/span> pwd.<\/span>getpwnam(user).<\/span>pw_gecos
<\/span><\/span>    except<\/span>:
<\/span><\/span>        auth_log("No local user (<\/span>%s<\/span>) found."<\/span> %<\/span> user)
<\/span><\/span>        return<\/span> -<\/span>1<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span>:
<\/span><\/span>        return<\/span> comments.<\/span>split(','<\/span>)[2<\/span>]  # 返回用户手机号<\/span>
<\/span><\/span>    except<\/span>:
<\/span><\/span>        auth_log("Invalid comment block for user <\/span>%s<\/span>. Phone number must be listed as Office Phone"<\/span> %<\/span> (user))
<\/span><\/span>        return<\/span> -<\/span>1<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> gen_key<\/span>(pamh, user, user_number, length):
<\/span><\/span>    """生成短信验证码并发送到用户手机"""<\/span>
<\/span><\/span>    pin =<\/span> ''<\/span>.<\/span>join(random.<\/span>choice(string.<\/span>digits) for<\/span> i in<\/span> range(length))
<\/span><\/span>    msg =<\/span> pamh.<\/span>Message(pamh.<\/span>PAM_ERROR_MSG, "The pin is: (<\/span>%s<\/span>)"<\/span> %<\/span> (pin))  # 登陆界面输出验证码，测试目的，实际使用中注释掉即可<\/span>
<\/span><\/span>    pamh.<\/span>conversation(msg)
<\/span><\/span>    
<\/span><\/span>    sms =<\/span> SMSOperation(pin, user_number)
<\/span><\/span>    try<\/span>:
<\/span><\/span>        sms.<\/span>send_text(pamh)
<\/span><\/span>    except<\/span>:
<\/span><\/span>        if<\/span> not<\/span> user_number:
<\/span><\/span>            auth_log("No phone number listed for user (<\/span>%s<\/span>)."<\/span> %<\/span> (user))
<\/span><\/span>        else<\/span>:
<\/span><\/span>            auth_log("Error sending PIN to the given SMS number. (<\/span>%s<\/span>)"<\/span> %<\/span> (user_number))
<\/span><\/span>        return<\/span> -<\/span>1<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> get_hash(pin)
<\/span><\/span>
<\/span><\/span>def<\/span> pam_sm_authenticate<\/span>(pamh, flags, argv):
<\/span><\/span>    PIN_LENGTH =<\/span> 6<\/span>  # 短信验证码长度<\/span>
<\/span><\/span>    try<\/span>:
<\/span><\/span>        user =<\/span> pamh.<\/span>get_user()
<\/span><\/span>        user_number =<\/span> get_user_number(user)
<\/span><\/span>    except<\/span> pamh.<\/span>exception, e:
<\/span><\/span>        return<\/span> e.<\/span>pam_result
<\/span><\/span>    
<\/span><\/span>    if<\/span> user is<\/span> None<\/span> or<\/span> user_number ==<\/span> -<\/span>1<\/span>:
<\/span><\/span>        msg =<\/span> pamh.<\/span>Message(pamh.<\/span>PAM_ERROR_MSG, "[1]Unable to get user's phone number.<\/span>\n<\/span>Please check."<\/span>)
<\/span><\/span>        pamh.<\/span>conversation(msg)
<\/span><\/span>        return<\/span> pamh.<\/span>PAM_ABORT
<\/span><\/span>    
<\/span><\/span>    pin =<\/span> gen_key(pamh, user, user_number, PIN_LENGTH)
<\/span><\/span>    if<\/span> pin ==<\/span> -<\/span>1<\/span>:
<\/span><\/span>        msg =<\/span> pamh.<\/span>Message(pamh.<\/span>PAM_ERROR_MSG, "[2]One time PIN could not be generated.<\/span>\n<\/span>Please check (<\/span>%s<\/span>)"<\/span> %<\/span> (user_number))
<\/span><\/span>        pamh.<\/span>conversation(msg)
<\/span><\/span>        return<\/span> pamh.<\/span>PAM_ABORT
<\/span><\/span>    
<\/span><\/span>    for<\/span> attempt in<\/span> range(0<\/span>, 3<\/span>):  # 仅允许三次错误尝试<\/span>
<\/span><\/span>        msg =<\/span> pamh.<\/span>Message(pamh.<\/span>PAM_PROMPT_ECHO_OFF, "Enter one time PIN:"<\/span>)
<\/span><\/span>        resp =<\/span> pamh.<\/span>conversation(msg)
<\/span><\/span>        
<\/span><\/span>        if<\/span> get_hash(resp.<\/span>resp) ==<\/span> pin:  # 用户输入与生成的验证码进行校验<\/span>
<\/span><\/span>            return<\/span> pamh.<\/span>PAM_SUCCESS
<\/span><\/span>        else<\/span>:
<\/span><\/span>            continue<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> pamh.<\/span>PAM_AUTH_ERR
<\/span><\/span>
<\/span><\/span>def<\/span> pam_sm_setcred<\/span>(pamh, flags, argv):
<\/span><\/span>    return<\/span> pamh.<\/span>PAM_SUCCESS
<\/span><\/span>
<\/span><\/span>def<\/span> pam_sm_acct_mgmt<\/span>(pamh, flags, argv):
<\/span><\/span>    return<\/span> pamh.<\/span>PAM_SUCCESS
<\/span><\/span>
<\/span><\/span>def<\/span> pam_sm_open_session<\/span>(pamh, flags, argv):
<\/span><\/span>    return<\/span> pamh.<\/span>PAM_SUCCESS
<\/span><\/span>
<\/span><\/span>def<\/span> pam_sm_close_session<\/span>(pamh, flags, argv):
<\/span><\/span>    return<\/span> pamh.<\/span>PAM_SUCCESS
<\/span><\/span>
<\/span><\/span>def<\/span> pam_sm_chauthtok<\/span>(pamh, flags, argv):
<\/span><\/span>    return<\/span> pamh.<\/span>PAM_SUCCESS
<\/span><\/span><\/code><\/pre>2. 关键功能说明<\/h3>


短信发送类(SMSOperation)<\/strong>：<\/p>

初始化短信服务参数<\/li>
处理手机号码<\/li>
发送短信验证码<\/li>
<\/ul>
<\/li>

辅助函数<\/strong>：<\/p>

auth_log()<\/code>: 记录认证日志到\/var\/log\/messages<\/li>
get_hash()<\/code>: 使用SHA512哈希算法处理验证码<\/li>
get_user_number()<\/code>: 从\/etc\/passwd获取用户手机号<\/li>
gen_key()<\/code>: 生成随机验证码并发送<\/li>
<\/ul>
<\/li>

PAM接口函数<\/strong>：<\/p>

pam_sm_authenticate()<\/code>: 主认证函数，处理整个认证流程<\/li>
其他PAM标准接口函数保持默认成功返回<\/li>
<\/ul>
<\/li>
<\/ol>
3. 配置SSH使用PAM模块<\/h3>

修改PAM配置：<\/li>
<\/ol>
vi \/etc\/pam.d\/sshd
<\/span><\/span><\/code><\/pre>添加：<\/p>
auth requisite pam_python.so Multiauth.py
<\/code><\/pre>

启用ChallengeResponseAuthentication：<\/li>
<\/ol>
vi \/etc\/ssh\/sshd_config
<\/span><\/span><\/code><\/pre>确保有：<\/p>
ChallengeResponseAuthentication yes
<\/code><\/pre>

重启SSH服务：<\/li>
<\/ol>
systemctl restart sshd.service
<\/span><\/span><\/code><\/pre>五、用户手机号配置<\/h2>
将用户手机号存储在\/etc\/passwd文件的GECOS字段中，格式为：<\/p>
用户名:x:UID:GID:全名,办公室,手机号,其他信息
<\/code><\/pre>
例如：<\/p>
gary:x:1001:1001:Gary Smith,,13800138000,:\/home\/gary:\/bin\/bash
<\/code><\/pre>
六、日志查看<\/h2>

错误日志：\/var\/log\/secure<\/li>
运行日志：\/var\/log\/messages<\/li>
<\/ul>
七、安全增强建议<\/h2>


短信接口防护<\/strong>：<\/p>

实现发送频率限制<\/li>
添加IP白名单<\/li>
使用HTTPS协议<\/li>
<\/ul>
<\/li>

验证码增强<\/strong>：<\/p>

增加验证码有效期检查<\/li>
实现验证码使用后立即失效<\/li>
<\/ul>
<\/li>

用户管理<\/strong>：<\/p>

提供备用认证方式<\/li>
实现手机号变更流程<\/li>
<\/ul>
<\/li>

审计日志<\/strong>：<\/p>

记录完整的认证过程<\/li>
实现异常登录告警<\/li>
<\/ul>
<\/li>
<\/ol>
八、测试与验证<\/h2>

使用SSH客户端连接服务器<\/li>
系统应提示输入验证码<\/li>
检查手机是否收到短信<\/li>
输入正确验证码应能成功登录<\/li>
错误输入应限制为3次尝试<\/li>
<\/ol>
九、故障排除<\/h2>


PAM模块加载失败<\/strong>：<\/p>

检查pam_python.so路径<\/li>
验证文件权限<\/li>
<\/ul>
<\/li>

短信发送失败<\/strong>：<\/p>

检查短信接口配置<\/li>
验证账户余额和权限<\/li>
<\/ul>
<\/li>

用户手机号获取失败<\/strong>：<\/p>

检查\/etc\/passwd格式<\/li>
确认GECOS字段包含手机号<\/li>
<\/ul>
<\/li>

SSH连接无响应<\/strong>：<\/p>

确认ChallengeResponseAuthentication已启用<\/li>
检查PAM配置顺序<\/li>
<\/ul>
<\/li>
<\/ol>
通过以上步骤，您可以为SSH登录实现一个经济高效的短信双因素认证系统。<\/p>