login: T4943: use pam-auth-update to enable/disable Google authenticator #2584

Merged (1 commit) on Dec 8, 2023

c-po (Member) commented Dec 7, 2023

Change Summary

The initial version always enabled Google authenticator (2FA/MFA) support by hardcoding the PAM module for sshd and login.

This change only enables the PAM module on demand if any user has 2FA/MFA configured. Enabling the module is done system-wide via pam-auth-update by using a predefined template.

Can be tested using:

set system login user vyos authentication plaintext-password vyos
set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'

See https://docs.vyos.io/en/latest/configuration/system/login.html for additional details.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

login

Proposed changes

How to test

Smoketest result


Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
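
One way to express the on-demand decision from the change summary above, together with a check that the rendered PAM stack matches it. This is an added example, not code from this PR or from VyOS. The profile name comes from the `src/pam-configs/mfa-google-authenticator` path in this PR's review threads; the config dict shape, the `pam_google_authenticator.so` file name, the sample `common-auth` text and the `pam-auth-update --package --enable/--disable` invocation are assumptions.

```python
import re

PROFILE = "mfa-google-authenticator"    # profile name from the PR's src/pam-configs path
MODULE = "pam_google_authenticator.so"  # assumed module file name

# Constructed sample input, shaped like "system login user <name> authentication ...".
SAMPLE_CONFIG = {"user": {
    "vyos": {"authentication": {"otp": {"key": "CONSTRUCTEDKEYAAAA"}}},
    "backup": {"authentication": {}},
}}
# Constructed common-auth excerpt: the OTP line is commented out, so it is inactive.
SAMPLE_STACK = """\
auth    [success=1 default=ignore]  pam_unix.so nullok
# auth  [default=ignore success=ok auth_err=die]  pam_google_authenticator.so nullok
auth    requisite                   pam_deny.so
"""

def users_with_otp(login_config):
    """Sorted names of users that have an OTP key configured."""
    return sorted(
        name for name, cfg in login_config.get("user", {}).items()
        if cfg.get("authentication", {}).get("otp", {}).get("key")
    )

def pam_auth_update_argv(login_config):
    """Command that turns the profile on only while some user needs it."""
    action = "--enable" if users_with_otp(login_config) else "--disable"
    return ["pam-auth-update", "--package", action, PROFILE]

def module_in_stack(pam_text):
    """True if an active (uncommented) auth line loads the OTP module."""
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens and re.fullmatch(r"-?auth", tokens[0]):
            if any(tok.rsplit("/", 1)[-1] == MODULE for tok in tokens[1:]):
                return True
    return False

def audit(login_config, pam_text):
    """Compare configured intent with the PAM stack that is actually rendered."""
    wanted, active = bool(users_with_otp(login_config)), module_in_stack(pam_text)
    if wanted and not active:
        return "otp-not-enforced"      # keys exist but logins never ask for a code
    if active and not wanted:
        return "module-without-users"  # the always-on state this PR removes
    return "ok"
```

Running `audit` against the real `/etc/pam.d/common-auth` after a commit catches the case where OTP keys are configured but the module never made it into the stack.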

@vyosbot vyosbot requested a review from a team December 7, 2023 20:36
@vyosbot vyosbot requested review from dmbaturin, sarthurdev, zdc, jestabro and sever-sever and removed request for a team December 7, 2023 20:36
src/pam-configs/mfa-google-authenticator: 3 review comments (outdated, resolved)
@c-po c-po force-pushed the T4943-google-authenticator branch from 6cd1c47 to e134dc4 Compare December 8, 2023 06:46
c-po (Member, Author) commented Dec 8, 2023

Incorporated requested changes by @zdc

@c-po c-po requested a review from zdc December 8, 2023 06:46
GurliGebis (Contributor) commented

Would it make sense to rename it from "Google Authenticator" to just "Authenticator"?
Since you can use several different apps for it (like Microsoft Authenticator, which a lot of people who have to use Office 365 already have installed) - it would make sense to remove the Google branding.

c-po (Member, Author) commented Dec 8, 2023

> Would it make sense to rename it from "Google Authenticator" to just "Authenticator"? Since you can use several different apps for it (like Microsoft Authenticator, which a lot of people who have to use Office 365 already have installed) - it would make sense to remove the Google branding.

Well, it was invented by Google; that should be honored. I use it with Microsoft Authenticator, too.

@c-po c-po merged commit 030abbf into vyos:current Dec 8, 2023
c-po (Member, Author) commented Dec 8, 2023

@Mergifyio backport sagitta

mergify bot (Contributor) commented Dec 8, 2023

backport sagitta

✅ Backports have been created

c-po added a commit that referenced this pull request Dec 8, 2023
login: T4943: use pam-auth-update to enable/disable Google authenticator (backport #2584)
GurliGebis (Contributor) commented

@c-po that makes sense.
Just as long as people aren't misled into thinking they only need to use the Google app 🙂

@c-po c-po deleted the T4943-google-authenticator branch December 9, 2023 14:30
4 participants