From f51bee273eeb3d9680f803ac50395f567c1babf5 Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Sat, 6 Apr 2024 18:34:36 -0400
Subject: [PATCH] Adjust etc/pam.d/sshd.rhel configuration

- Fix logic error breaking MFA handling if enabled
---
 etc/pam.d/sshd.rhel | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/etc/pam.d/sshd.rhel b/etc/pam.d/sshd.rhel
index f431c4f..b0164b2 100644
--- a/etc/pam.d/sshd.rhel
+++ b/etc/pam.d/sshd.rhel
@@ -7,11 +7,12 @@
 # --- PASSWORD CHECK SECTION
 # proceed in this section ONLY if the user is in group mfa-password-configd, skip it entirely otherwise
-auth [success=ignore ignore=ignore default=4] pam_succeed_if.so quiet user ingroup mfa-password-configd
+auth [success=ignore ignore=ignore default=3] pam_succeed_if.so quiet user ingroup mfa-password-configd
 auth optional pam_echo.so Your account has Multi-Factor Authentication enabled, an additional authentication factor is required (password).
 auth optional pam_exec.so quiet debug stdout /opt/bastion/bin/shell/pam_exec_pwd_info.sh
 # lock account after 6 failures, for 5 minutes
 # ... but disabled, as at least the official CentOS docker images don't seem to have pam_tally nor pam_tally2
+# ... if you uncomment the below line, set the default= line above to default=4 instead of default=3
 #auth required pam_tally2.so onerr=fail deny=6 unlock_time=300
 # then check password
 auth required pam_unix.so
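Review bot: The new `default=3` on the pam_succeed_if line is a hand-maintained count of the active `auth` modules that follow it (pam_echo, pam_exec, pam_unix), so the skip stays correct only as long as nobody inserts or uncomments a line in this section without recounting — the very class of error this commit fixes — and a count that is too large jumps past pam_unix, leaving the password factor unreached for users who are in the group. The added comment covers only the pam_tally2 case; it would be more durable to state the invariant itself, e.g. `# default=N below must equal the number of UNCOMMENTED auth lines from pam_echo through pam_unix (currently 3); recount whenever a line is added, removed or (un)commented in this section`. A structure that does not depend on counting is to jump over a single line, `auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup mfa-password-configd` followed by `auth substack <new-file-for-this-section>` holding the echo/exec/tally2/unix lines, so editing the section no longer changes the jump. The module the old `default=4` skipped past lies beyond the end of this hunk, so I cannot confirm from here what a stale count would bypass.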