| author | Christian Breunig <christian@breunig.cc> | 2023-02-24 21:59:59 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-24 21:59:59 +0100 | 
| commit | c0b5b3d52d462daeb082bc55dd91788f9b94b84e (patch) | |
| tree | f975a4eda33654f1e60661ae27baa84060c87267 | |
| parent | 73ceaaafa9e7f14c25ccafe0789ba89933ab7b14 (diff) | |
| parent | 32a4415191ca725be9b3ca4c5f664123a0e767eb (diff) | |
| download | vyos-1x-c0b5b3d52d462daeb082bc55dd91788f9b94b84e.tar.gz vyos-1x-c0b5b3d52d462daeb082bc55dd91788f9b94b84e.zip | |
Merge pull request #1851 from zdc/T4943-sagitta
login: T4943: Fixed 2FA + RADIUS compatibility
| -rw-r--r-- | data/templates/ssh/sshd_config.j2 | 4 | ||||
| -rw-r--r-- | debian/vyos-1x.postinst | 6 | 
2 files changed, 5 insertions, 5 deletions
| diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 93735020c..422969ed8 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -29,7 +29,7 @@ PermitRootLogin no
 PidFile /run/sshd/sshd.pid
 AddressFamily any
 DebianBanner no
-PasswordAuthentication no
+KbdInteractiveAuthentication no
 #
 # User configurable section
@@ -48,7 +48,7 @@ Port {{ value }}
 LogLevel {{ loglevel | upper }}
 # Specifies whether password authentication is allowed
-ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
+PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
 {% if listen_address is vyos_defined %}
 # Specifies the local addresses sshd should listen on
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index d5f5cbbc7..b2f6a7399 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -24,9 +24,9 @@ fi
 # Enable 2FA/MFA support for SSH and local logins
 for file in /etc/pam.d/sshd /etc/pam.d/login
 do
-    PAM_CONFIG="auth       required     pam_google_authenticator.so nullok"
-    grep -qF -- "${PAM_CONFIG}" $file || \
-    sed -i "/^@include common-auth/a # Check 2FA/MFA authentication token if enabled (per user)\n${PAM_CONFIG}" $file
+    PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth       required     pam_google_authenticator.so nullok forward_pass\n"
+    grep -qF -- "pam_google_authenticator.so" $file || \
+    sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
 done
 # Add RADIUS operator user for RADIUS authenticated users to map to | 
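Review bot: The new `KbdInteractiveAuthentication no` in the fixed (non-user) section of sshd_config.j2 has no comment saying why keyboard-interactive is now permanently off, so a later edit could re-enable it without seeing the dependency. Judging from the postinst change in this commit, the OTP is expected to arrive appended to the password (`forward_pass`), which presumably only works on the single-prompt password path; I would add `# Keep keyboard-interactive off: the 2FA code is sent together with the password (pam_google_authenticator forward_pass)` above the line. The second hunk makes `PasswordAuthentication` the user-facing switch, so with `disable_password_authentication` set both methods are off. Public-key logins normally do not run the PAM auth stack, so the 2FA check would not apply to them; the comment over that option should say so.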
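Review bot: The `sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file` call in the loop exits 0 even when the anchor comment is absent from `$file`, so a PAM file without that exact comment ends up with no `pam_google_authenticator.so` line and the second factor is silently never checked. Add a check after the insert, for example `grep -qF -- "pam_google_authenticator.so" "$file" || { echo "2FA PAM entry missing in $file" >&2; exit 1; }`. The guard was also widened to match the bare module name, so a file that already carries the old entry (after `@include common-auth`, without `forward_pass`) is left untouched. If this script can run over such a file, the old entry has to be removed or rewritten first. `$file` should be quoted in both commands.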
