From e134dc4171b051d0f98c7151ef32a347bc4f87e2 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Thu, 7 Dec 2023 21:30:57 +0100
Subject: login: T4943: use pam-auth-update to enable/disable Google
 authenticator

The initial version always enabled Google authenticator (2FA/MFA) support by
hardcoding the PAM module for sshd and login.

This change only enables the PAM module on demand if any use has 2FA/MFA
configured. Enabling the module is done system wide via pam-auth-update by
using a predefined template.

Can be tested using:

set system login user vyos authentication plaintext-password vyos
set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'

See https://docs.vyos.io/en/latest/configuration/system/login.html for additional
details.
---
 debian/vyos-1x.postinst | 8 --------
 1 file changed, 8 deletions(-)

(limited to 'debian')

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 64c60a780..cd88cf60c 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -21,14 +21,6 @@ if ! grep -q '^openvpn' /etc/passwd; then
     adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
 fi
 
-# Enable 2FA/MFA support for SSH and local logins
-for file in /etc/pam.d/sshd /etc/pam.d/login
-do
-    PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth       required     pam_google_authenticator.so nullok forward_pass\n"
-    grep -qF -- "pam_google_authenticator.so" $file || \
-    sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
-done
-
 # We need to have a group for RADIUS service users to use it inside PAM rules
 if ! grep -q '^radius' /etc/group; then
     addgroup --firstgid 1000 --quiet radius
-- 
cgit v1.2.3