authorgoodNETnick <pknet@ya.ru>2022-09-22 02:03:04 -0400
committergoodNETnick <pknet@ya.ru>2022-10-11 19:56:45 -0400
commit765f84386b6e94984ff79db2eab36d51f759159b (patch)
treece2ce9dca40ddda4ca4639b89308f317e67e59d1 /data/templates
parent31138f43f4a5714077adbbd22ff774b2d4ce37f8 (diff)
system login: T874: add 2FA support for local and ssh authentication
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/login/pam_otp_ga.conf.j27
-rw-r--r--data/templates/ssh/sshd_config.j24
2 files changed, 9 insertions, 2 deletions
diff --git a/data/templates/login/pam_otp_ga.conf.j2 b/data/templates/login/pam_otp_ga.conf.j2
new file mode 100644
index 000000000..4c1f411d1
--- /dev/null
+++ b/data/templates/login/pam_otp_ga.conf.j2
@@ -0,0 +1,7 @@
+{% if authentication.otp.key is vyos_defined %}
+{{ authentication.otp.key }}
+" RATE_LIMIT {{ authentication.otp.rate_limit }} {{ authentication.otp.rate_time }}
+" WINDOW_SIZE {{ authentication.otp.window_size }}
+" DISALLOW_REUSE
+" TOTP_AUTH
+{% endif %}
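Review bot: The RATE_LIMIT and WINDOW_SIZE option lines (third and fourth lines of the new file) interpolate `rate_limit`, `rate_time` and `window_size` with no guard, so if any of them is unset and the config schema does not supply a default, the rendered line becomes `" RATE_LIMIT  ` or `" WINDOW_SIZE `, which pam_google_authenticator is likely to reject together with the whole secret file, and with it every login for that user. Guard each option the same way the key is guarded, e.g. `{% if authentication.otp.rate_limit is vyos_defined and authentication.otp.rate_time is vyos_defined %}` around the RATE_LIMIT line and `{% if authentication.otp.window_size is vyos_defined %}` around WINDOW_SIZE, unless the defaults are guaranteed upstream. The rendered file holds the user's TOTP secret in clear text; the template cannot set ownership or mode, so the code that writes it (not in this diff) should create it owned by the user with mode 0400, and as far as I recall the module refuses a secret file readable by others, which would likewise lock the user out rather than fall back to password-only, so that path deserves a test.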
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index e7dbca581..93c6735dd 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -17,7 +17,6 @@ PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
-ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
@@ -30,6 +29,7 @@ PermitRootLogin no
PidFile /run/sshd/sshd.pid
AddressFamily any
DebianBanner no
+PasswordAuthentication no
#
# User configurable section
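Review bot: With `PasswordAuthentication no` now hardwired in the fixed section here and the user-facing `disable_password_authentication` flag remapped onto `ChallengeResponseAuthentication` in the following hunk, password logins depend entirely on keyboard-interactive going through PAM, so `UsePAM yes` must be present elsewhere in this template; it is not visible in the diff, so please confirm. The comment `# Specifies whether password authentication is allowed` left above the remapped line in the next hunk is now misleading; suggest `# Password and OTP prompts are delivered through PAM keyboard-interactive; "no" disables both`, because setting `disable_password_authentication` now also turns off OTP prompting for key-plus-OTP setups, which should be stated in the CLI help text if it is intended. Note too that on OpenSSH 8.7 and later `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication`; it still works, but the newer name avoids depending on the alias.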
@@ -48,7 +48,7 @@ Port {{ value }}
LogLevel {{ loglevel | upper }}
# Specifies whether password authentication is allowed
-PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
+ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
{% if listen_address is vyos_defined %}
# Specifies the local addresses sshd should listen on