| -rw-r--r-- | debian/vyos-1x.postinst | 8 | ||||
| -rwxr-xr-x | op-mode-definitions/generate-system-login-user.xml.in | 2 | ||||
| -rwxr-xr-x | src/conf_mode/system-login.py | 7 | ||||
| -rwxr-xr-x | src/init/vyos-router | 2 | ||||
| -rw-r--r-- | src/pam-configs/mfa-google-authenticator | 8 | 
5 files changed, 18 insertions, 9 deletions
| diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 64c60a780..cd88cf60c 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -21,14 +21,6 @@ if ! grep -q '^openvpn' /etc/passwd; then
     adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
 fi
-# Enable 2FA/MFA support for SSH and local logins
-for file in /etc/pam.d/sshd /etc/pam.d/login
-do
-    PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth       required     pam_google_authenticator.so nullok forward_pass\n"
-    grep -qF -- "pam_google_authenticator.so" $file || \
-    sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
-done
-
 # We need to have a group for RADIUS service users to use it inside PAM rules
 if ! grep -q '^radius' /etc/group; then
     addgroup --firstgid 1000 --quiet radius
diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in
index 237a13610..868bbcd46 100755
--- a/op-mode-definitions/generate-system-login-user.xml.in
+++ b/op-mode-definitions/generate-system-login-user.xml.in
@@ -16,7 +16,7 @@
                 <properties>
                    <help>Username used for authentication</help>
                    <completionHelp>
 -                    <list><username></list>
 +                    <path>system login user</path>
                    </completionHelp>
                  </properties>
                  <children>
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 87a269499..cd85a5066 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -306,6 +306,7 @@ def generate(login):
 def apply(login):
+    enable_otp = False
     if 'user' in login:
         for user, user_config in login['user'].items():
             # make new user using vyatta shell and make home directory (-m),
@@ -350,6 +351,7 @@ def apply(login):
             # Generate 2FA/MFA One-Time-Pad configuration
             if dict_search('authentication.otp.key', user_config):
+                enable_otp = True
                 render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
                        user_config, permission=0o400, user=user, group='users')
             else:
@@ -398,6 +400,11 @@ def apply(login):
             pam_profile = 'tacplus-optional'
         cmd(f'pam-auth-update --enable {pam_profile}')
+    # Enable/disable Google authenticator
+    cmd('pam-auth-update --disable mfa-google-authenticator')
+    if enable_otp:
+        cmd(f'pam-auth-update --enable mfa-google-authenticator')
+
     return None
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 35095afe4..711681a8e 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -260,6 +260,8 @@ EOF
     rm -f /etc/pam_radius_auth.conf
     pam-auth-update --disable tacplus-mandatory tacplus-optional
     rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
+    # and no Google authenticator for 2FA/MFA
+    pam-auth-update --disable mfa-google-authenticator
     # Certain configuration files are re-generated by the configuration
     # subsystem and must reside under /etc and can not easily be moved to /run.
diff --git a/src/pam-configs/mfa-google-authenticator b/src/pam-configs/mfa-google-authenticator
new file mode 100644
index 000000000..9e49e5ef9
--- /dev/null
+++ b/src/pam-configs/mfa-google-authenticator
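Review bot: The unconditional `pam-auth-update --disable mfa-google-authenticator` followed by a conditional `--enable` at the end of apply() rewrites common-auth twice on every commit and leaves a window between the two calls in which no OTP line is present, so a login that lands there is password-only even for users with an `authentication otp key`; if `cmd()` raises on the second call (its failure behaviour is not visible here) the profile also stays disabled. One call with the right verb avoids both and drops the `f` prefix from a string that has no placeholders: `action = 'enable' if enable_otp else 'disable'` then `cmd(f'pam-auth-update --{action} mfa-google-authenticator')`. The body of apply() starts above this hunk, where `enable_otp` is initialised, and ends at the `return None` shown here.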
@@ -0,0 +1,8 @@
+Name: Google Authenticator PAM module (2FA/MFA)
+Default: no
+Priority: 384
+
+Auth-Type: Primary
+Auth:
+    [default=ignore success=ok auth_err=die] pam_google_authenticator.so nullok forward_pass
+ |
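Review bot: The control field `[default=ignore success=ok auth_err=die]` is weaker than the `auth required pam_google_authenticator.so nullok forward_pass` line this profile replaces: `required` fails closed on every return code except success and ignore, whereas here any module return other than PAM_SUCCESS or PAM_AUTH_ERR — an error path the module does not map to auth_err, should one exist — is silently skipped and the login continues on the password alone. If fail-closed is intended, `[success=ok ignore=ignore default=die] pam_google_authenticator.so nullok forward_pass` keeps it while still stopping immediately on a wrong code; `ignore=ignore` is needed because with `nullok` the module returns PAM_IGNORE (PAM_SUCCESS in older releases) for users who have no `.google_authenticator` file, and they must still reach pam_unix. `Priority: 384` sorts the line ahead of pam_unix (priority 256 in Debian's profile) inside the Primary block, which `forward_pass` relies on to hand the password part of the combined token down; that ordering constraint is worth stating in the commit description so a later priority tweak does not silently break OTP+password entry. Separately, the removed postinst loop had already injected a `required` line directly into /etc/pam.d/sshd and /etc/pam.d/login on installed systems; that line sits outside the block pam-auth-update manages and nothing in this change removes it, so upgraded hosts presumably keep prompting via the stale line regardless of `--disable` and run the module twice when the profile is enabled.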
