KNEL/KNELConfigMgmt-FetchApply
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
Files
3f5ca4c9a6a54ddc01ebb2fe7d5030bbaf80472b
KNELConfigMgmt-FetchApply/initializers/2fa/configs/sshd-pam
Charles N Wyble 43d6003128 feat(2fa): add PAM and SSH configuration for Google Authenticator 
Add configuration files required for two-factor authentication
via Google Authenticator:

- sshd-pam: PAM configuration integrating Google Authenticator
  with standard Unix authentication, using nullok for gradual
  rollout allowing users without 2FA to still authenticate

- sshd-2fa-config: SSH daemon configuration additions enabling
  ChallengeResponseAuthentication and KeyboardInteractive
  authentication methods required for 2FA flow

These configs support the KNEL security baseline requiring 2FA
for SSH access while maintaining backward compatibility during
user onboarding.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-2fa.sh
2026-02-17 16:31:37 -05:00

33 lines
883 B
Plaintext
Raw Blame History

# PAM configuration for SSH with 2FA
# Standard Un*x authentication
@include common-auth
# Google Authenticator 2FA
auth required pam_google_authenticator.so nullok
# Standard Un*x authorization
@include common-account
# SELinux needs to be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# Standard Un*x session setup and teardown
@include common-session
# Print the message of the day upon successful login
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login
session optional pam_mail.so standard noenv
# Set up user limits from /etc/security/limits.conf
session required pam_limits.so
# SELinux needs to intervene at login time
session required pam_selinux.so open
# Standard Un*x password updating
@include common-password
View Git Blame Copy Permalink