Re: [isar-cip-core] security-customizations/postinst:Add configuration for MFA

Jan Kiszka

On 07.07.22 12:55, Jan Kiszka wrote:
On 07.07.22 12:33, Shreyas.Karmahe@... wrote:
From: Shreyas Karmahe <Shreyas.Karmahe@...>

It configures libpam-google-authenticator for achieving the IEC requirement
for Multi-Factor Authentication.

Signed-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>
recipes-core/security-customizations/files/postinst | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 3699ba2..9ba8540 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -49,3 +49,14 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT

# CR2.10: Response to audit processing failures
sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session
+google_authenticator="auth required nullok"
+if grep -c "" "${SSHD_AUTH_CONFIG}";then
+ sed -i '/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
+echo "auth required nullok" | tee -a "${SSHD_AUTH_CONFIG}"
+# Enable PAM configuration for Remote Session
+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
Applied, thanks!
As discussed in the other thread: This one is missing a DEBIAN_DEPENDS
for libpam-google-authenticator. I'm dropping this again (was only in
next) so that you can send a v3.


Siemens AG, Technology
Competence Center Embedded Linux

Join { to automatically receive all group messages.