summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
authorzsdc <taras@vyos.io>2023-02-24 20:07:18 +0200
committerzsdc <taras@vyos.io>2023-02-24 20:07:18 +0200
commit32a4415191ca725be9b3ca4c5f664123a0e767eb (patch)
tree4732e70a3d775711d7aba0f10123e04a81624a1d /data
parenteaea1789f88082dae5b6cd12cc98bfc48221f35d (diff)
downloadvyos-1x-32a4415191ca725be9b3ca4c5f664123a0e767eb.tar.gz
vyos-1x-32a4415191ca725be9b3ca4c5f664123a0e767eb.zip
login: T4943: Fixed 2FA + RADIUS compatibility
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: <USERNAME> Password: <PASSWORD> Verification code: <MFA> ``` Now: ``` vyos login: <USERNAME> Password & verification code: <PASSWORD><MFA> ```
Diffstat (limited to 'data')
-rw-r--r--data/templates/ssh/sshd_config.j24
1 files changed, 2 insertions, 2 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 93735020c..422969ed8 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -29,7 +29,7 @@ PermitRootLogin no
PidFile /run/sshd/sshd.pid
AddressFamily any
DebianBanner no
-PasswordAuthentication no
+KbdInteractiveAuthentication no
#
# User configurable section
@@ -48,7 +48,7 @@ Port {{ value }}
LogLevel {{ loglevel | upper }}
# Specifies whether password authentication is allowed
-ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
+PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
{% if listen_address is vyos_defined %}
# Specifies the local addresses sshd should listen on