author | Liam Hopkins <liamh@google.com> | 2019-03-25 10:31:10 -0700 |
---|---|---|
committer | Liam Hopkins <liamh@google.com> | 2019-03-25 12:05:07 -0700 |
commit | 093c27dbf616a696a3e3c3995007654769a60b2b (patch) | |
tree | f4c124d56c286fcf9bbabccc4bc1677881fe838b /packages/google-compute-engine-oslogin | |
parent | 409408af3a0a222286c06f3f026b81dac459593c (diff) | |
download | google-compute-image-packages-093c27dbf616a696a3e3c3995007654769a60b2b.tar.gz |
mv pam_group above pam_oslogin_login in auth stack
Diffstat (limited to 'packages/google-compute-engine-oslogin')
-rw-r--r-- | packages/google-compute-engine-oslogin/bin/google_oslogin_control | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/packages/google-compute-engine-oslogin/bin/google_oslogin_control b/packages/google-compute-engine-oslogin/bin/google_oslogin_control
index 75d43bf..8dbdb0a 100644
--- a/packages/google-compute-engine-oslogin/bin/google_oslogin_control
+++ b/packages/google-compute-engine-oslogin/bin/google_oslogin_control
@@ -185,13 +185,17 @@ modify_pam_sshd() (
 fi
 added_config="$added_comment"
- if [ -n "$two_factor" ] && ! grep -qE '^auth.*oslogin' "$pam_config"; then
- added_config="${added_config}\n${pam_auth_oslogin}"
- fi
 if ! grep -qE '^auth.*pam_group' "$pam_config"; then
 added_config="${added_config}\n${pam_auth_group}"
 fi
+ # This auth entry for OS Login+two factor MUST be added last, as it will
+ # short-circuit processing of the auth stack via [success=ok]. auth stack
+ # entries after this one will not be processed.
+ if [ -n "$two_factor" ] && ! grep -qE '^auth.*oslogin' "$pam_config"; then
+ added_config="${added_config}\n${pam_auth_oslogin}"
+ fi
+
 # We can and should insert auth modules at top of `auth` stack.
 if [ -n "$insert" ] && [ "$added_config" != "$added_comment" ]; then
 $sed -i"" "${insert}i ${added_config}" "$pam_config" |
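Review bot: The new ordering holds only when both entries are added in the same run, because the two `grep` guards are independent. If `pam_config` already has a `pam_group` auth line but no oslogin one, `added_config` carries only `pam_auth_oslogin`, and the `${insert}i` insertion at the top of the auth stack places it above the existing `pam_group` entry, which is the arrangement the added comment says must not happen. modify_pam_sshd starts and ends outside this hunk, so whether it removes old entries first is not visible here; if it does not, the two-factor branch should insert after the existing `pam_group` line or re-add both entries together. The comment also attributes the short-circuit to `[success=ok]`, but in PAM `ok` lets the stack continue and `done` is the action that stops it. Since `pam_auth_oslogin` is defined outside the hunk, the comment should name the control that line really uses, for example `# short-circuit processing of the auth stack on success (see pam_auth_oslogin).`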