authorLiam Hopkins <liamh@google.com>2019-03-25 10:31:10 -0700
committerLiam Hopkins <liamh@google.com>2019-03-25 12:05:07 -0700
commit093c27dbf616a696a3e3c3995007654769a60b2b (patch)
treef4c124d56c286fcf9bbabccc4bc1677881fe838b /packages/google-compute-engine-oslogin
parent409408af3a0a222286c06f3f026b81dac459593c (diff)
mv pam_group above pam_oslogin_login in auth stack
Diffstat (limited to 'packages/google-compute-engine-oslogin')
-rw-r--r--packages/google-compute-engine-oslogin/bin/google_oslogin_control10
1 files changed, 7 insertions, 3 deletions
diff --git a/packages/google-compute-engine-oslogin/bin/google_oslogin_control b/packages/google-compute-engine-oslogin/bin/google_oslogin_control
index 75d43bf..8dbdb0a 100644
--- a/packages/google-compute-engine-oslogin/bin/google_oslogin_control
+++ b/packages/google-compute-engine-oslogin/bin/google_oslogin_control
@@ -185,13 +185,17 @@ modify_pam_sshd() (
fi
added_config="$added_comment"
- if [ -n "$two_factor" ] && ! grep -qE '^auth.*oslogin' "$pam_config"; then
- added_config="${added_config}\n${pam_auth_oslogin}"
- fi
if ! grep -qE '^auth.*pam_group' "$pam_config"; then
added_config="${added_config}\n${pam_auth_group}"
fi
+ # This auth entry for OS Login+two factor MUST be added last, as it will
+ # short-circuit processing of the auth stack via [success=ok]. auth stack
+ # entries after this one will not be processed.
+ if [ -n "$two_factor" ] && ! grep -qE '^auth.*oslogin' "$pam_config"; then
+ added_config="${added_config}\n${pam_auth_oslogin}"
+ fi
+
# We can and should insert auth modules at top of `auth` stack.
if [ -n "$insert" ] && [ "$added_config" != "$added_comment" ]; then
$sed -i"" "${insert}i ${added_config}" "$pam_config"
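Review bot: The ordering guaranteed here holds only when both entries are added in the same run, because the two `grep` guards are independent. If `$pam_config` already has an `auth ... pam_group` line but no oslogin line, the second guard still inserts `${pam_auth_oslogin}` at `$insert`, which may land above the existing pam_group entry and cause it to be skipped after a successful two-factor login. `$insert` and `pam_auth_oslogin` are defined outside the hunk, so this should be confirmed against them; if it applies, the script could check the relative position of the two lines instead of just their presence. Separately, the new comment attributes the short-circuit to `[success=ok]`, but in PAM control syntax `ok` lets the stack continue and `done` is the action that returns immediately. The comment should quote the action `pam_auth_oslogin` actually uses, for example `# short-circuit processing of the auth stack via [success=done].` if that is the value.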