Merge pull request #2584 from c-po/T4943-google-authenticator

login: T4943: use pam-auth-update to enable/disable Google authenticator

1 files changed, 7 insertions, 0 deletions

diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 87a269499..cd85a5066 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -306,6 +306,7 @@ def generate(login):
 
 
 def apply(login):
+    enable_otp = False
     if 'user' in login:
         for user, user_config in login['user'].items():
             # make new user using vyatta shell and make home directory (-m),
@@ -350,6 +351,7 @@ def apply(login):
 
             # Generate 2FA/MFA One-Time-Pad configuration
             if dict_search('authentication.otp.key', user_config):
+                enable_otp = True
                 render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
                        user_config, permission=0o400, user=user, group='users')
             else:
@@ -398,6 +400,11 @@ def apply(login):
             pam_profile = 'tacplus-optional'
         cmd(f'pam-auth-update --enable {pam_profile}')
 
+    # Enable/disable Google authenticator
+    cmd('pam-auth-update --disable mfa-google-authenticator')
+    if enable_otp:
+        cmd(f'pam-auth-update --enable mfa-google-authenticator')
+
     return None