authorChristian Breunig <christian@breunig.cc>2023-02-24 21:59:59 +0100
committerGitHub <noreply@github.com>2023-02-24 21:59:59 +0100
commitc0b5b3d52d462daeb082bc55dd91788f9b94b84e (patch)
treef975a4eda33654f1e60661ae27baa84060c87267
parent73ceaaafa9e7f14c25ccafe0789ba89933ab7b14 (diff)
parent32a4415191ca725be9b3ca4c5f664123a0e767eb (diff)
Merge pull request #1851 from zdc/T4943-sagitta
login: T4943: Fixed 2FA + RADIUS compatibility
-rw-r--r--data/templates/ssh/sshd_config.j24
-rw-r--r--debian/vyos-1x.postinst6
2 files changed, 5 insertions, 5 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 93735020c..422969ed8 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -29,7 +29,7 @@ PermitRootLogin no
PidFile /run/sshd/sshd.pid
AddressFamily any
DebianBanner no
-PasswordAuthentication no
+KbdInteractiveAuthentication no
#
# User configurable section
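Review bot: The added `KbdInteractiveAuthentication no` sits in the fixed section with no comment saying why keyboard-interactive is switched off for every installation. Judging from the postinst change in this same commit, which adds `forward_pass` to the pam_google_authenticator line, the intent appears to be that password and one-time code are entered together at the single password prompt, so a separate challenge prompt is no longer wanted. A why-comment above the line would stop a later maintainer from re-enabling it without also revisiting the PAM stack, for example `# Keyboard-interactive stays off: password and OTP are taken in one password prompt (pam_google_authenticator forward_pass)`. Only part of the fixed section is visible in this hunk.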
@@ -48,7 +48,7 @@ Port {{ value }}
LogLevel {{ loglevel | upper }}
# Specifies whether password authentication is allowed
-ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
+PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
{% if listen_address is vyos_defined %}
# Specifies the local addresses sshd should listen on
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index d5f5cbbc7..b2f6a7399 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -24,9 +24,9 @@ fi
# Enable 2FA/MFA support for SSH and local logins
for file in /etc/pam.d/sshd /etc/pam.d/login
do
- PAM_CONFIG="auth required pam_google_authenticator.so nullok"
- grep -qF -- "${PAM_CONFIG}" $file || \
- sed -i "/^@include common-auth/a # Check 2FA/MFA authentication token if enabled (per user)\n${PAM_CONFIG}" $file
+ PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth required pam_google_authenticator.so nullok forward_pass\n"
+ grep -qF -- "pam_google_authenticator.so" $file || \
+ sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done
# Add RADIUS operator user for RADIUS authenticated users to map to
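Review bot: The new guard `grep -qF -- "pam_google_authenticator.so" $file` also matches the entry that the previous version of this loop appended after `@include common-auth`, so a file that version already edited is skipped and keeps the old line, without `forward_pass` and in the old position. If this postinst can ever run against such a file, the stale entry needs to be removed before the guard is evaluated. Separately, the insert now depends on the comment text `# Standard Un*x authentication.` being present. When it is not, `sed -i` exits 0 without changing anything and the 2FA check is silently absent from that service. A post-check such as `grep -qF -- "forward_pass" "$file" || echo "WARNING: 2FA PAM entry not installed in $file" >&2` would make either case visible in the install log.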