| author | zsdc <taras@vyos.io> | 2023-02-24 20:07:18 +0200 |
|---|---|---|
| committer | zsdc <taras@vyos.io> | 2023-02-24 20:07:18 +0200 |
| commit | 32a4415191ca725be9b3ca4c5f664123a0e767eb (patch) | |
| tree | 4732e70a3d775711d7aba0f10123e04a81624a1d /data | |
| parent | eaea1789f88082dae5b6cd12cc98bfc48221f35d (diff) | |
login: T4943: Fixed 2FA + RADIUS compatibility
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/ssh/sshd_config.j2 | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 index 93735020c..422969ed8 100644 --- a/data/templates/ssh/sshd_config.j2 +++ b/data/templates/ssh/sshd_config.j2 @@ -29,7 +29,7 @@ PermitRootLogin no PidFile /run/sshd/sshd.pid AddressFamily any DebianBanner no -PasswordAuthentication no +KbdInteractiveAuthentication no # # User configurable section @@ -48,7 +48,7 @@ Port {{ value }} LogLevel {{ loglevel | upper }} # Specifies whether password authentication is allowed -ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} +PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} {% if listen_address is vyos_defined %} # Specifies the local addresses sshd should listen on |
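Review bot: the fixed-section swap from `PasswordAuthentication no` to `KbdInteractiveAuthentication no` in the `@@ -29,7` hunk needs a comment beside the directive explaining why keyboard-interactive is forced off, because the commit message itself says MFA normally requires it and a later maintainer will otherwise be tempted to turn it back on and break the RADIUS path. Dropping the fixed `PasswordAuthentication no` here is also what makes the second hunk effective at all: sshd uses the first value it obtains for a keyword, so a `PasswordAuthentication no` left in the fixed section would silently override the `disable_password_authentication` toggle further down.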
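Review bot: in the `@@ -48,7` hunk, `ChallengeResponseAuthentication` is OpenSSH's deprecated alias for `KbdInteractiveAuthentication`, so together with the first hunk this changes which mechanism `disable_password_authentication` controls: it now genuinely toggles `PasswordAuthentication`, which finally matches the "Specifies whether password authentication is allowed" comment above it, while keyboard-interactive stays off unconditionally. The comment should also state the consequence that with `disable_password_authentication` set, both `PasswordAuthentication` and `KbdInteractiveAuthentication` are `no`, so the combined "Password & verification code" prompt from the commit message can never be reached and only public-key login remains; that is the intended behaviour, but it is not obvious from reading the template.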