feat(2fa): add PAM and SSH configuration for Google Authenticator

Add configuration files required for two-factor authentication via Google Authenticator: - sshd-pam: PAM configuration integrating Google Authenticator with standard Unix authentication, using nullok for gradual rollout allowing users without 2FA to still authenticate - sshd-2fa-config: SSH daemon configuration additions enabling ChallengeResponseAuthentication and KeyboardInteractive authentication methods required for 2FA flow These configs support the KNEL security baseline requiring 2FA for SSH access while maintaining backward compatibility during user onboarding. Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-2fa.sh
2026-02-17 16:31:37 -05:00
parent 1e506fed1d
commit 43d6003128
2 changed files with 43 additions and 0 deletions
--- a/initializers/2fa/configs/sshd-2fa-config
+++ b/initializers/2fa/configs/sshd-2fa-config
@@ -0,0 +1,11 @@
+# KNEL SSH 2FA Configuration Additions
+# These settings enable two-factor authentication with SSH keys
+
+# Enable challenge-response authentication for 2FA
+ChallengeResponseAuthentication yes
+
+# Enable PAM
+UsePAM yes
+
+# Require both publickey AND keyboard-interactive (2FA)
+AuthenticationMethods publickey,keyboard-interactive
--- a/initializers/2fa/configs/sshd-pam
+++ b/initializers/2fa/configs/sshd-pam
@@ -0,0 +1,32 @@
+# PAM configuration for SSH with 2FA
+# Standard Un*x authentication
+@include common-auth
+
+# Google Authenticator 2FA
+auth required pam_google_authenticator.so nullok
+
+# Standard Un*x authorization
+@include common-account
+
+# SELinux needs to be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+
+# Standard Un*x session setup and teardown
+@include common-session
+
+# Print the message of the day upon successful login
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login
+session optional pam_mail.so standard noenv
+
+# Set up user limits from /etc/security/limits.conf
+session required pam_limits.so
+
+# SELinux needs to intervene at login time
+session required pam_selinux.so open
+
+# Standard Un*x password updating
+@include common-password