login: T4943: use pam-auth-update to enable/disable Google authenticator

The initial version always enabled Google authenticator (2FA/MFA) support by
hardcoding the PAM module for sshd and login.

This change only enables the PAM module on demand if any use has 2FA/MFA
configured. Enabling the module is done system wide via pam-auth-update by
using a predefined template.

Can be tested using:

set system login user vyos authentication plaintext-password vyos
set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'

See https://docs.vyos.io/en/latest/configuration/system/login.html for additional
details.

5 files changed, 18 insertions, 9 deletions

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 64c60a780..cd88cf60c 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -21,14 +21,6 @@ if ! grep -q '^openvpn' /etc/passwd; then
     adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
 fi
 
-# Enable 2FA/MFA support for SSH and local logins
-for file in /etc/pam.d/sshd /etc/pam.d/login
-do
-    PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth       required     pam_google_authenticator.so nullok forward_pass\n"
-    grep -qF -- "pam_google_authenticator.so" $file || \
-    sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
-done
-
 # We need to have a group for RADIUS service users to use it inside PAM rules
 if ! grep -q '^radius' /etc/group; then
     addgroup --firstgid 1000 --quiet radius
diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in
index 237a13610..868bbcd46 100755
--- a/op-mode-definitions/generate-system-login-user.xml.in
+++ b/op-mode-definitions/generate-system-login-user.xml.in
@@ -16,7 +16,7 @@
                 <properties>

                   <help>Username used for authentication</help>

                   <completionHelp>

-                    <list>&lt;username&gt;</list>

+                    <path>system login user</path>

                   </completionHelp>

                 </properties>

                 <children>

diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 87a269499..cd85a5066 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -306,6 +306,7 @@ def generate(login):
 
 
 def apply(login):
+    enable_otp = False
     if 'user' in login:
         for user, user_config in login['user'].items():
             # make new user using vyatta shell and make home directory (-m),
@@ -350,6 +351,7 @@ def apply(login):
 
             # Generate 2FA/MFA One-Time-Pad configuration
             if dict_search('authentication.otp.key', user_config):
+                enable_otp = True
                 render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
                        user_config, permission=0o400, user=user, group='users')
             else:
@@ -398,6 +400,11 @@ def apply(login):
             pam_profile = 'tacplus-optional'
         cmd(f'pam-auth-update --enable {pam_profile}')
 
+    # Enable/disable Google authenticator
+    cmd('pam-auth-update --disable mfa-google-authenticator')
+    if enable_otp:
+        cmd(f'pam-auth-update --enable mfa-google-authenticator')
+
     return None
 
 
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 35095afe4..711681a8e 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -260,6 +260,8 @@ EOF
     rm -f /etc/pam_radius_auth.conf
     pam-auth-update --disable tacplus-mandatory tacplus-optional
     rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
+    # and no Google authenticator for 2FA/MFA
+    pam-auth-update --disable mfa-google-authenticator
 
     # Certain configuration files are re-generated by the configuration
     # subsystem and must reside under /etc and can not easily be moved to /run.
diff --git a/src/pam-configs/mfa-google-authenticator b/src/pam-configs/mfa-google-authenticator
new file mode 100644
index 000000000..9e49e5ef9
--- /dev/null
+++ b/src/pam-configs/mfa-google-authenticator
@@ -0,0 +1,8 @@
+Name: Google Authenticator PAM module (2FA/MFA)
+Default: no
+Priority: 384
+
+Auth-Type: Primary
+Auth:
+    [default=ignore success=ok auth_err=die] pam_google_authenticator.so nullok forward_pass
+