author | goodNETnick <pknet@ya.ru> | 2022-09-22 02:03:04 -0400 |
---|---|---|
committer | goodNETnick <pknet@ya.ru> | 2022-10-11 19:56:45 -0400 |
commit | 765f84386b6e94984ff79db2eab36d51f759159b (patch) | |
tree | ce2ce9dca40ddda4ca4639b89308f317e67e59d1 /data | |
parent | 31138f43f4a5714077adbbd22ff774b2d4ce37f8 (diff) | |
system login: T874: add 2FA support for local and ssh authentication
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/login/pam_otp_ga.conf.j2 | 7 | ||||
-rw-r--r-- | data/templates/ssh/sshd_config.j2 | 4 |
2 files changed, 9 insertions, 2 deletions
diff --git a/data/templates/login/pam_otp_ga.conf.j2 b/data/templates/login/pam_otp_ga.conf.j2
new file mode 100644
index 000000000..4c1f411d1
--- /dev/null
+++ b/data/templates/login/pam_otp_ga.conf.j2
@@ -0,0 +1,7 @@
+{% if authentication.otp.key is vyos_defined %}
+{{ authentication.otp.key }}
+" RATE_LIMIT {{ authentication.otp.rate_limit }} {{ authentication.otp.rate_time }}
+" WINDOW_SIZE {{ authentication.otp.window_size }}
+" DISALLOW_REUSE
+" TOTP_AUTH
+{% endif %}
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index e7dbca581..93c6735dd 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -17,7 +17,6 @@ PubkeyAuthentication yes
 IgnoreRhosts yes
 HostbasedAuthentication no
 PermitEmptyPasswords no
-ChallengeResponseAuthentication no
 X11Forwarding yes
 X11DisplayOffset 10
 PrintMotd no
@@ -30,6 +29,7 @@ PermitRootLogin no
 PidFile /run/sshd/sshd.pid
 AddressFamily any
 DebianBanner no
+PasswordAuthentication no
 
 #
 # User configurable section
@@ -48,7 +48,7 @@ Port {{ value }}
 LogLevel {{ loglevel | upper }}
 
 # Specifies whether password authentication is allowed
-PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
+ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
 
 {% if listen_address is vyos_defined %}
 # Specifies the local addresses sshd should listen on |
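Review bot: The second line of the new `pam_otp_ga.conf.j2` writes the TOTP shared secret `authentication.otp.key` to disk in clear text, and nothing in the template records how the rendered file has to be protected. The code that renders it is outside this diff (the diffstat is limited to `data`), so it should be confirmed there that the file is created with owner-only permissions and owned by the login user before the key is written. A Jinja comment on the first line would document the requirement without reaching the output, for example `{# holds the TOTP seed: render owner-only, owned by the login user -#}`, with the trailing `-` so the key stays the first rendered line. `DISALLOW_REUSE` and `RATE_LIMIT` presumably rely on the PAM module recording state in this same file, so re-rendering it on every configuration commit would likely discard that state; worth verifying.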
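Review bot: The `PasswordAuthentication no` added to the fixed section of `sshd_config.j2` (hunk `@@ -30,6 +29,7 @@`) carries no comment, so anyone auditing the rendered file will read it as "passwords are off" while password logins are still accepted through keyboard-interactive, via the `ChallengeResponseAuthentication` line changed in the last hunk of this file. I would put a comment above it such as `# Passwords and OTP are prompted by PAM via keyboard-interactive; see ChallengeResponseAuthentication below`. That path only works when `UsePAM yes` is set, which is not visible in this hunk and should be confirmed in the rest of the template.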
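Review bot: The comment kept above the changed line in hunk `@@ -48,7 +48,7 @@`, `# Specifies whether password authentication is allowed`, no longer describes the directive under it, which now switches keyboard-interactive authentication; suggest `# Specifies whether keyboard-interactive (PAM password + OTP) authentication is allowed`. `PubkeyAuthentication yes` appears as context in the first hunk of this file and no `AuthenticationMethods` line is visible, so a user who logs in with a key would apparently never be asked for the OTP; if 2FA is meant to cover key logins too, that needs to be stated or enforced. `ChallengeResponseAuthentication` is also a deprecated alias of `KbdInteractiveAuthentication` in newer OpenSSH releases, which is worth a note for later upgrades.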