SSH TFA blocks Console

Gorgon

New Member
Nov 16, 2016
Hello everyone,

I have the following problem:
I use TFA with OTPs both in the web GUI and for SSH.

I then noticed that access to the VM console no longer works when the VM is on a different server. That is, I am logged in on server 1 and want to access the console of a VM on server 2.

The error message is:
TASK ERROR: command '/bin/nc6 -l -p 5901 -w 10 -e '/usr/bin/ssh -T -o BatchMode=yes X.X.X.X /usr/sbin/qm vncproxy 103 2>/dev/null'' failed: exit code 1

I then adjusted my PAM configuration so that the TFA prompt is skipped for the IP range of the Proxmox servers. That works too: once I am logged in on server 1 (via ssh), I can connect to server 2 without having to confirm a TFA prompt, i.e. the original state.

However, access to the console still does not work. The error message is the same as above. Below are my configs:

/etc/pam.d/sshd:

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
#@include common-auth

#Skip OTP for Proxmox internal Communication
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-proxmox.conf
auth optional pam_google_authenticator.so nullok

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Set the loginuid process attribute.
session required pam_loginuid.so

# Create a new session keyring.
session optional pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# Standard Un*x password updating.
@include common-password

/etc/security/access-proxmox.conf:

#only allow from Proxmox IP range
+ : ALL : X.X.X.0/24
- : ALL : ALL

/etc/ssh/sshd_config:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

AuthenticationMethods publickey,keyboard-interactive

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

What have I overlooked?

Thanks in advance!

Regards
Dennis
 
does "/usr/bin/ssh -T -o BatchMode=yes X.X.X.X /usr/sbin/qm vncproxy 103" work?
 
does "/usr/bin/ssh -T -o BatchMode=yes X.X.X.X /usr/sbin/qm vncproxy 103" work?
Unfortunately that did not work. I get the following error message:

root@SRV-PROX-01:~# /usr/bin/ssh -T -o BatchMode=yes X.X.X.X /usr/sbin/qm vncproxy 103
Authenticated with partial success.
Permission denied (keyboard-interactive).


That should be fixed by the change to /etc/pam.d/sshd together with /etc/security/access-proxmox.conf. As I said, it does work for "ssh root@X.X.X.X". I just don't understand why it doesn't apply in this case.

Edit:
I played around with the command a bit. If I leave out the "-o BatchMode=yes" option, the access works:

root@SRV-PROX-01:~# /usr/bin/ssh -T X.X.X.X /usr/sbin/qm vncproxy 103
Authenticated with partial success.
RFB 003.008

But that can't be the solution.
 
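The failure in the last post has a simpler cause than the PAM stack: with `-o BatchMode=yes` the OpenSSH client skips every authentication method that could prompt, so it never offers keyboard-interactive at all, and `AuthenticationMethods publickey,keyboard-interactive` then cannot be satisfied no matter what `/etc/pam.d/sshd` does. The pam_access exemption only helps when the client is willing to run the keyboard-interactive round; the run without BatchMode shows exactly that (partial success after the key, an empty PAM conversation, then the RFB banner). The server-side way to say "key only for cluster peers, key plus OTP for everyone else" is an sshd_config `Match Address` block, which works with BatchMode because keyboard-interactive is no longer required for those addresses. The following is an added example for this page, not code from the thread, from Proxmox or from OpenSSH; the subnet 10.0.0.0/24, the addresses 10.0.0.12 and 10.0.1.12 and the host name node2 are assumed placeholders, and the function names are hypothetical:

```shell
#!/bin/sh
# Added example for this thread (not Proxmox or OpenSSH project code).
# Assumed placeholders: cluster subnet 10.0.0.0/24, peer address 10.0.0.12,
# an unrelated address 10.0.1.12, host name node2. Function names are hypothetical.

# Render the sshd_config Match block that limits cluster peers to key-only
# authentication. Everything after "Match" up to the next Match line (or the
# end of the file) belongs to the block, so it must be appended at the END of
# /etc/ssh/sshd_config, after the global AuthenticationMethods line.
render_match_block() {
    subnet=$1
    printf '%s\n' \
        "# Cluster-internal ssh (qm vncproxy, migration): publickey only, no OTP." \
        "# Everyone else keeps publickey,keyboard-interactive from the global section." \
        "Match Address $subnet" \
        "    AuthenticationMethods publickey"
}

# Dotted-quad IPv4 address to an integer (10.0.0.5 -> 167772165).
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when ADDR lies inside CIDR. Mirrors the comparison sshd makes for
# "Match Address a.b.c.d/n", so the chosen subnet can be sanity-checked
# against the real node addresses before the live configuration is touched.
ip_in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# The AuthenticationMethods sshd will apply to ADDR once the block from
# render_match_block is installed: key only inside the subnet, key plus
# keyboard-interactive (the PAM/OTP round) everywhere else.
expected_methods() {
    if ip_in_cidr "$1" "$2"; then
        echo "publickey"
    else
        echo "publickey,keyboard-interactive"
    fi
}

# The authoritative check once a config file exists: sshd -T dumps the
# effective configuration and -C supplies the connection parameters that
# Match lines are evaluated against. Prints the authenticationmethods value
# sshd would enforce for a client coming from ADDR.
effective_methods_from_sshd() {
    conf=$1
    addr=$2
    sshd -T -f "$conf" -C "user=root,host=node2,addr=$addr" 2>/dev/null |
        awk '$1 == "authenticationmethods" { print $2 }'
}

# Usage on a node (as root; review the appended block before reloading):
#   render_match_block 10.0.0.0/24 >> /etc/ssh/sshd_config
#   effective_methods_from_sshd /etc/ssh/sshd_config 10.0.0.12   # publickey
#   effective_methods_from_sshd /etc/ssh/sshd_config 10.0.1.12   # publickey,keyboard-interactive
#   sshd -t && systemctl reload ssh
```

Match blocks extend until the next Match or the end of the file, so the rendered block has to go after the global section (the OpenSSH versions of that era have no Include directive for drop-in files). Reload sshd only after `sshd -T -C addr=<peer IP>` prints `authenticationmethods publickey` for a cluster node and `publickey,keyboard-interactive` for any other address. Be clear about what the exemption trusts: a source address. Anything that can reach the node from inside that range gets a key-only path, so list the actual node addresses rather than a whole /24 where the cluster layout allows it. With the Match block in place the `auth [success=done default=ignore] pam_access.so` line from the first post is no longer needed for those addresses, because the keyboard-interactive round is never started for them.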
