summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2023-12-08 18:05:38 +0100
committerGitHub <noreply@github.com>2023-12-08 18:05:38 +0100
commit030abbf48fd1399a30ed668f02e4ab02dbff0706 (patch)
tree17e2f4923cae5459d323702088011a6112356505 /src
parent9c8a7a987fcb99adaa9ba8d423640441e8725ecf (diff)
parente134dc4171b051d0f98c7151ef32a347bc4f87e2 (diff)
downloadvyos-1x-030abbf48fd1399a30ed668f02e4ab02dbff0706.tar.gz
vyos-1x-030abbf48fd1399a30ed668f02e4ab02dbff0706.zip
Merge pull request #2584 from c-po/T4943-google-authenticator
login: T4943: use pam-auth-update to enable/disable Google authenticator
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/system-login.py7
-rwxr-xr-xsrc/init/vyos-router2
-rw-r--r--src/pam-configs/mfa-google-authenticator8
3 files changed, 17 insertions, 0 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 87a269499..cd85a5066 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -306,6 +306,7 @@ def generate(login):
def apply(login):
+ enable_otp = False
if 'user' in login:
for user, user_config in login['user'].items():
# make new user using vyatta shell and make home directory (-m),
@@ -350,6 +351,7 @@ def apply(login):
# Generate 2FA/MFA One-Time-Pad configuration
if dict_search('authentication.otp.key', user_config):
+ enable_otp = True
render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
user_config, permission=0o400, user=user, group='users')
else:
@@ -398,6 +400,11 @@ def apply(login):
pam_profile = 'tacplus-optional'
cmd(f'pam-auth-update --enable {pam_profile}')
+ # Enable/disable Google authenticator
+ cmd('pam-auth-update --disable mfa-google-authenticator')
+ if enable_otp:
+ cmd(f'pam-auth-update --enable mfa-google-authenticator')
+
return None
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 35095afe4..711681a8e 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -260,6 +260,8 @@ EOF
rm -f /etc/pam_radius_auth.conf
pam-auth-update --disable tacplus-mandatory tacplus-optional
rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
+ # and no Google authenticator for 2FA/MFA
+ pam-auth-update --disable mfa-google-authenticator
# Certain configuration files are re-generated by the configuration
# subsystem and must reside under /etc and can not easily be moved to /run.
diff --git a/src/pam-configs/mfa-google-authenticator b/src/pam-configs/mfa-google-authenticator
new file mode 100644
index 000000000..9e49e5ef9
--- /dev/null
+++ b/src/pam-configs/mfa-google-authenticator
@@ -0,0 +1,8 @@
+Name: Google Authenticator PAM module (2FA/MFA)
+Default: no
+Priority: 384
+
+Auth-Type: Primary
+Auth:
+ [default=ignore success=ok auth_err=die] pam_google_authenticator.so nullok forward_pass
+