author: Christian Breunig <christian@breunig.cc> 2023-12-07 21:30:57 +0100
committer: Mergify <37929162+mergify[bot]@users.noreply.github.com> 2023-12-08 17:06:26 +0000
commit: 14b107442ebf1f4f44bad485c585d4b9cfd97384
tree: bc6650c325c1eee90ee5f47bf7101818a8531b28 /src/pam-configs
parent: 7f081cadd0855ebc1104919329c11c98de1445f1
login: T4943: use pam-auth-update to enable/disable Google authenticator
The initial version always enabled Google authenticator (2FA/MFA) support by hardcoding the PAM module for sshd and login. This change only enables the PAM module on demand if any user has 2FA/MFA configured.

Enabling the module is done system wide via pam-auth-update by using a predefined template.

Can be tested using:

    set system login user vyos authentication plaintext-password vyos
    set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'

See https://docs.vyos.io/en/latest/configuration/system/login.html for additional details.

(cherry picked from commit e134dc4171b051d0f98c7151ef32a347bc4f87e2)
Diffstat (limited to 'src/pam-configs')
-rw-r--r-- src/pam-configs/mfa-google-authenticator | 8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/pam-configs/mfa-google-authenticator b/src/pam-configs/mfa-google-authenticator
new file mode 100644
index 000000000..9e49e5ef9
--- /dev/null
+++ b/src/pam-configs/mfa-google-authenticator
@@ -0,0 +1,8 @@
+Name: Google Authenticator PAM module (2FA/MFA)
+Default: no
+Priority: 384
+
+Auth-Type: Primary
+Auth:
+ [default=ignore success=ok auth_err=die] pam_google_authenticator.so nullok forward_pass
+
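Review bot: On the Auth line, `nullok` together with `default=ignore` makes the OTP check fail open, and nothing in the template says that this is intended. With `nullok`, an account that has no OTP secret passes this module without a code, and with `default=ignore` every module result other than `success` and `auth_err` is skipped, so the stack falls through to whatever follows. If per-user opt-in is the goal, please add a comment to that effect in the template or in the commit message, and consider naming the skipped result explicitly (`ignore=ignore`) with a stricter `default=` so an unexpected module error does not silently degrade to password-only login. It would also help to note that `forward_pass` requires this profile to sit ahead of the password module in the Primary block, which is what `Priority: 384` has to guarantee.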