From 32a4415191ca725be9b3ca4c5f664123a0e767eb Mon Sep 17 00:00:00 2001
From: zsdc
Date: Fri, 24 Feb 2023 20:07:18 +0200
Subject: login: T4943: Fixed 2FA + RADIUS compatibility

MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login:
Password:
Verification code:
```
Now:
```
vyos login:
Password & verification code:
```
---
 data/templates/ssh/sshd_config.j2 | 4 ++--
 debian/vyos-1x.postinst | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 93735020c..422969ed8 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -29,7 +29,7 @@ PermitRootLogin no
 PidFile /run/sshd/sshd.pid
 AddressFamily any
 DebianBanner no
-PasswordAuthentication no
+KbdInteractiveAuthentication no
 #
 # User configurable section
@@ -48,7 +48,7 @@ Port {{ value }}
 LogLevel {{ loglevel | upper }}
 # Specifies whether password authentication is allowed
-ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
+PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}
 {% if listen_address is vyos_defined %}
 # Specifies the local addresses sshd should listen on
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index d5f5cbbc7..b2f6a7399 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
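Review bot: `KbdInteractiveAuthentication no` is now hard-coded in the non-configurable section of sshd_config.j2 with no comment saying why, and the reason given in the commit message (the RADIUS PAM module cannot cope with keyboard-interactive) is exactly what the next person who wants interactive MFA prompts back will need to read in the file. I would add above it `# Keyboard-interactive is disabled on purpose (T4943): pam_radius_auth does not handle it; the MFA code is entered together with the password via pam_google_authenticator forward_pass`. The second hunk of this file makes `PasswordAuthentication` the setting driven by `disable_password_authentication`; combined with this line, that option now turns off every password-based path, which is a stronger guarantee than before, when `PasswordAuthentication no` was fixed but `ChallengeResponseAuthentication` (on current OpenSSH an alias of KbdInteractiveAuthentication) could still take a password through PAM. That is worth one sentence in the comment above the templated line too, since operators read it as the documentation of the option.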
@@ -24,9 +24,9 @@ fi
 # Enable 2FA/MFA support for SSH and local logins
 for file in /etc/pam.d/sshd /etc/pam.d/login
 do
- PAM_CONFIG="auth required pam_google_authenticator.so nullok"
- grep -qF -- "${PAM_CONFIG}" $file || \
- sed -i "/^@include common-auth/a # Check 2FA/MFA authentication token if enabled (per user)\n${PAM_CONFIG}" $file
+ PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth required pam_google_authenticator.so nullok forward_pass\n"
+ grep -qF -- "pam_google_authenticator.so" $file || \
+ sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
 done
 # Add RADIUS operator user for RADIUS authenticated users to map to
--
cgit v1.2.3
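Review bot: The new sed anchor `/^# Standard Un\*x authentication\./` matches a comment line, and if that comment is absent from /etc/pam.d/sshd or /etc/pam.d/login the `i` command inserts nothing, sed exits 0, and postinst finishes with 2FA silently unconfigured on that file. The old anchor `^@include common-auth` was a directive present in both files on a stock Debian install; the new wording looks like the comment that lives in common-auth itself, so whether it also appears in these two files depends on how VyOS ships them, which I cannot tell from the patch. I would verify the result after the sed, e.g. `grep -qF -- "pam_google_authenticator.so" $file || echo "$file: 2FA anchor not found, pam_google_authenticator not enabled" >&2`, so the gap is at least visible in the install log rather than discovered at the login prompt. A one-line comment naming where the anchor comment comes from would also help whoever has to update it the next time the PAM files change.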