From 32a4415191ca725be9b3ca4c5f664123a0e767eb Mon Sep 17 00:00:00 2001 From: zsdc Date: Fri, 24 Feb 2023 20:07:18 +0200 Subject: login: T4943: Fixed 2FA + RADIUS compatibility MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: Password: Verification code: ``` Now: ``` vyos login: Password & verification code: ``` --- data/templates/ssh/sshd_config.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'data/templates/ssh/sshd_config.j2') diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 index 93735020c..422969ed8 100644 --- a/data/templates/ssh/sshd_config.j2 +++ b/data/templates/ssh/sshd_config.j2 @@ -29,7 +29,7 @@ PermitRootLogin no PidFile /run/sshd/sshd.pid AddressFamily any DebianBanner no -PasswordAuthentication no +KbdInteractiveAuthentication no # # User configurable section @@ -48,7 +48,7 @@ Port {{ value }} LogLevel {{ loglevel | upper }} # Specifies whether password authentication is allowed -ChallengeResponseAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} +PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} {% if listen_address is vyos_defined %} # Specifies the local addresses sshd should listen on -- cgit v1.2.3