ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-01-01 13:01:53 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/etc/pam.d/sshd.rhel
Stéphane Lesimple e453377245
chore: add some documentation and fix a few comments
2020-10-22 08:12:49 +00:00

58 lines
3.9 KiB
Text
Raw Blame History

#%PAM-1.0
# PAM configuration for the Secure Shell service
# We have to disable pam_nologin as, for some reason, at least with the official CentOS docker images,
# pam_nologin always disable login even when no /etc/nologin is present.
#auth requisite pam_nologin.so
# --- PASSWORD CHECK SECTION
# proceed in this section ONLY if the user is in group mfa-password-configd, skip it entirely otherwise
auth [success=ignore ignore=ignore default=4] pam_succeed_if.so quiet user ingroup mfa-password-configd
auth optional pam_echo.so Your account has Multi-Factor Authentication enabled, an additional authentication factor is required (password).
auth optional pam_exec.so quiet debug stdout /opt/bastion/bin/shell/pam_exec_pwd_info.sh
# lock account after 6 failures, for 5 minutes
# ... but disabled, as at least the official CentOS docker images don't seem to have pam_tally nor pam_tally2
#auth required pam_tally2.so onerr=fail deny=6 unlock_time=300
# then check password
auth required pam_unix.so
# --- TOTP CHECK SECTION
# if root, enable TOTP check
auth [success=ignore ignore=ignore default=1] pam_succeed_if.so quiet uid eq 0
# [success=ok new_authtok_reqd=ok ignore=ignore default=bad module_unknown=ignore] == required + module_unknown:ignore
# if you have a recent enough libpam-google-authenticator, you can customize the prompt with the following option: [authtok_prompt=Verification Code (OTP): ]
# you can also add "debug" for more verbose logs (requires a not too old version of the pam module)
# note the nullok parameter, instructing that if TOTP is not configured for root, it shouldn't be asked
# if you know you've configured TOTP for root and prefer blocking access if there is a problem with the secret file, remove `nullok'
auth [success=ok new_authtok_reqd=ok ignore=ignore default=bad module_unknown=ignore] pam_google_authenticator.so nullok secret=/var/otp/root
# if root, TOTP check has already been done just above, so skip this subsection
auth [success=3 ignore=ignore default=ignore] pam_succeed_if.so quiet uid eq 0
# else (if not root), proceed in this section ONLY if the user is in group mfa-totp-configd, skip it entirely otherwise
auth [success=ignore ignore=ignore default=2] pam_succeed_if.so quiet user ingroup mfa-totp-configd
auth optional pam_echo.so Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).
auth [success=ok new_authtok_reqd=ok ignore=ignore default=bad module_unknown=ignore] pam_google_authenticator.so secret=~/.otp
account required pam_sepermit.so
# We have to disable pam_nologin as, for some reason, at least with the official CentOS docker images,
# pam_nologin always disable login even when no /etc/nologin is present.
#account required pam_nologin.so
# Reset counter if auth succeeded
# ... but disabled, as at least the official CentOS docker images don't seem to have pam_tally nor pam_tally2
#account required pam_tally2.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
Reference in a new issue View git blame Copy permalink