summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-10-16 16:28:15 +0200
committerChristian Poessinger <christian@poessinger.com>2022-10-16 16:40:25 +0200
commit3978dd30e50ac94a8728e0b1f4e691e7a93a1d2f (patch)
tree35e0244fbbfe4c7f3f610099dbbcc846471eef36
parent813236e6ca265f15fe81b09a0a61feb3a3d0193b (diff)
downloadvyos-1x-3978dd30e50ac94a8728e0b1f4e691e7a93a1d2f.tar.gz
vyos-1x-3978dd30e50ac94a8728e0b1f4e691e7a93a1d2f.zip
login: 2fa: T874: fix PAM string generation on multiple package installations
Commit da535ef5 ("login: 2fa: T874: fix Google authenticator issues") used different strings for grep and sed resulting in the same line beeing added on every installation of the package. This is only disturbing during development not during ISO build.
-rw-r--r--debian/vyos-1x.postinst14
1 files changed, 7 insertions, 7 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 031e91595..959e1d486 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -21,13 +21,13 @@ if ! grep -q '^openvpn' /etc/passwd; then
adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
fi
-# Add 2FA support for SSH
-sudo grep -qF -- "auth required pam_google_authenticator.so nullok" "/etc/pam.d/sshd" || \
-sudo sed -i '/^@include common-auth/a # Check OTP 2FA, if configured for the user\nauth required pam_google_authenticator.so nullok' /etc/pam.d/sshd
-
-# Add 2FA support for local authentication
-sudo grep -qF -- "auth required pam_google_authenticator.so nullok" "/etc/pam.d/login" || \
-sudo sed -i '/^@include common-auth/a # Check OTP 2FA, if configured for the user\nauth required pam_google_authenticator.so nullok' /etc/pam.d/login
+# Enable 2FA/MFA support for SSH and local logins
+for file in /etc/pam.d/sshd /etc/pam.d/login
+do
+ PAM_CONFIG="auth required pam_google_authenticator.so nullok"
+ grep -qF -- "$PAM_CONFIG" $file || \
+ sed -i '/^@include common-auth/a \\n# Check 2FA/MFA authentication token if enabled (per user)\n$PAM_CONFIG' $file
+done
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then