From 32a4415191ca725be9b3ca4c5f664123a0e767eb Mon Sep 17 00:00:00 2001 From: zsdc Date: Fri, 24 Feb 2023 20:07:18 +0200 Subject: login: T4943: Fixed 2FA + RADIUS compatibility MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: Password: Verification code: ``` Now: ``` vyos login: Password & verification code: ``` --- debian/vyos-1x.postinst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'debian') diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index d5f5cbbc7..b2f6a7399 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -24,9 +24,9 @@ fi # Enable 2FA/MFA support for SSH and local logins for file in /etc/pam.d/sshd /etc/pam.d/login do - PAM_CONFIG="auth required pam_google_authenticator.so nullok" - grep -qF -- "${PAM_CONFIG}" $file || \ - sed -i "/^@include common-auth/a # Check 2FA/MFA authentication token if enabled (per user)\n${PAM_CONFIG}" $file + PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth required pam_google_authenticator.so nullok forward_pass\n" + grep -qF -- "pam_google_authenticator.so" $file || \ + sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file done # Add RADIUS operator user for RADIUS authenticated users to map to -- cgit v1.2.3