From 43d6003128d27bb74dab3327924646ba313bb634 Mon Sep 17 00:00:00 2001
From: Charles N Wyble
Date: Tue, 17 Feb 2026 16:31:37 -0500
Subject: [PATCH] feat(2fa): add PAM and SSH configuration for Google Authenticator
Add configuration files required for two-factor authentication via Google Authenticator: - sshd-pam: PAM configuration integrating Google Authenticator with standard Unix authentication, using nullok for gradual rollout allowing users without 2FA to still authenticate - sshd-2fa-config: SSH daemon configuration additions enabling ChallengeResponseAuthentication and KeyboardInteractive authentication methods required for 2FA flow These configs support the KNEL security baseline requiring 2FA for SSH access while maintaining backward compatibility during user onboarding. Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-2fa.sh
---
 initializers/2fa/configs/sshd-2fa-config | 11 ++++++++
 initializers/2fa/configs/sshd-pam | 32 ++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 initializers/2fa/configs/sshd-2fa-config
 create mode 100644 initializers/2fa/configs/sshd-pam
diff --git a/initializers/2fa/configs/sshd-2fa-config b/initializers/2fa/configs/sshd-2fa-config
new file mode 100644
index 0000000..152b912
--- /dev/null
+++ b/initializers/2fa/configs/sshd-2fa-config
@@ -0,0 +1,11 @@
+# KNEL SSH 2FA Configuration Additions
+# These settings enable two-factor authentication with SSH keys
+
+# Enable challenge-response authentication for 2FA
+ChallengeResponseAuthentication yes
+
+# Enable PAM
+UsePAM yes
+
+# Require both publickey AND keyboard-interactive (2FA)
+AuthenticationMethods publickey,keyboard-interactive
diff --git a/initializers/2fa/configs/sshd-pam b/initializers/2fa/configs/sshd-pam
new file mode 100644
index 0000000..0f30b8e
--- /dev/null
+++ b/initializers/2fa/configs/sshd-pam
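Review bot: `ChallengeResponseAuthentication yes` and the `AuthenticationMethods publickey,keyboard-interactive` line only work if these additions are read before any conflicting setting, because sshd uses the first value it obtains for a keyword; if the stock sshd_config or an earlier file under sshd_config.d already sets `KbdInteractiveAuthentication no`, the line here is silently ignored and the AuthenticationMethods requirement may then reject every login rather than enforce 2FA. `ChallengeResponseAuthentication` is also a deprecated alias for `KbdInteractiveAuthentication` in current OpenSSH releases, so I would add `KbdInteractiveAuthentication yes` next to the existing line. The header comment should state where the file is meant to be installed (e.g. a low-numbered sshd_config.d drop-in so it precedes conflicting values) and that `sshd -t` must pass before the daemon is restarted, since a bad ordering here is an availability problem, not just a weaker policy.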
@@ -0,0 +1,32 @@
+# PAM configuration for SSH with 2FA
+# Standard Un*x authentication
+@include common-auth
+
+# Google Authenticator 2FA
+auth required pam_google_authenticator.so nullok
+
+# Standard Un*x authorization
+@include common-account
+
+# SELinux needs to be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+
+# Standard Un*x session setup and teardown
+@include common-session
+
+# Print the message of the day upon successful login
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login
+session optional pam_mail.so standard noenv
+
+# Set up user limits from /etc/security/limits.conf
+session required pam_limits.so
+
+# SELinux needs to intervene at login time
+session required pam_selinux.so open
+
+# Standard Un*x password updating
+@include common-password
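Review bot: The `nullok` flag on the `pam_google_authenticator.so` line is explained only in the commit message, not in the file that gets installed, so a later reader sees a 2FA stack that silently lets any account without an enrolled secret skip the OTP step. I would extend the comment above it to `# nullok: accounts with no enrolled secret skip the OTP prompt (rollout only); remove once all users are enrolled`. Because the module reads the secret from the user's own home directory by default, a user can also turn off their own second factor by removing that file; if that is not acceptable for the baseline, the `secret=` and `user=` options can point the module at a root-owned store, and the rollout comment is the place to say which choice was made. The companion sshd file still requires `publickey` before keyboard-interactive, so the downgrade in either case is from two factors to one rather than to none, which is worth stating explicitly next to `nullok`.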