From 4d3ee1b99da9f3eae40896989e52515bf978d450 Mon Sep 17 00:00:00 2001 From: madx <89599124+madchrist@users.noreply.github.com> Date: Tue, 7 Sep 2021 15:46:16 +0200 Subject: [PATCH] regenerated doc --- doc/sphinx/plugins/restricted/accountInfo.rst | 2 ++ doc/sphinx/plugins/restricted/accountModify.rst | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/doc/sphinx/plugins/restricted/accountInfo.rst b/doc/sphinx/plugins/restricted/accountInfo.rst index 3a3f392..ea078ee 100644 --- a/doc/sphinx/plugins/restricted/accountInfo.rst +++ b/doc/sphinx/plugins/restricted/accountInfo.rst @@ -59,6 +59,8 @@ Output example ~ - Additional TOTP authentication is not required for this account ~ - Additional TOTP authentication bypass is disabled for this account ~ - Additional TOTP authentication is disabled + ~ - PAM authentication bypass is disabled + ~ - Alternative authentication logic (allow both pubkey alone and PAM alone) is disabled ~ - MFA policy on personal accesses (using personal keys) on egress side is: password ~ Account PAM UNIX password information (used for password MFA): diff --git a/doc/sphinx/plugins/restricted/accountModify.rst b/doc/sphinx/plugins/restricted/accountModify.rst index 47538a1..dd56638 100644 --- a/doc/sphinx/plugins/restricted/accountModify.rst +++ b/doc/sphinx/plugins/restricted/accountModify.rst @@ -69,3 +69,10 @@ Modify an account configuration If enabled, this account can only use ``--osh`` commands, and can't connect anywhere through the bastion +.. option:: --mfa-any yes|no + + Control the ingress login requirements for pubkey and pam (when a password and/or TOTP is set). + + When disabled, the user needs pubkey AND pam, this is the default. + When enabled, the user can authenticate with either pubkey OR pam. + If the account has no password/TOTP, this option has no effect, i.e: pubkey is used. Egress is not affected.