From e134dc4171b051d0f98c7151ef32a347bc4f87e2 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Thu, 7 Dec 2023 21:30:57 +0100
Subject: login: T4943: use pam-auth-update to enable/disable Google
 authenticator

The initial version always enabled Google authenticator (2FA/MFA) support by
hardcoding the PAM module for sshd and login.

This change only enables the PAM module on demand if any use has 2FA/MFA
configured. Enabling the module is done system wide via pam-auth-update by
using a predefined template.

Can be tested using:

set system login user vyos authentication plaintext-password vyos
set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'

See https://docs.vyos.io/en/latest/configuration/system/login.html for additional
details.
---
 op-mode-definitions/generate-system-login-user.xml.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'op-mode-definitions')

diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in
index 237a13610..868bbcd46 100755
--- a/op-mode-definitions/generate-system-login-user.xml.in
+++ b/op-mode-definitions/generate-system-login-user.xml.in
@@ -16,7 +16,7 @@
                 <properties>
                   <help>Username used for authentication</help>
                   <completionHelp>
-                    <list>&lt;username&gt;</list>
+                    <path>system login user</path>
                   </completionHelp>
                 </properties>
                 <children>
-- 
cgit v1.2.3