[PR #237] [MERGED] new account option: --mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both #334

Closed
opened 2026-05-07 00:20:24 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/ovh/the-bastion/pull/237
Author: @madchrist
Created: 9/6/2021
Status: Merged
Merged: 10/15/2021
Merged by: @speed47

Base: master ← Head: mfa-any


📝 Commits (3)

  • f97ab44 new account option: mfa-any, to allow ingress login with pubkey alone or pam alone instead of requiring both
  • aa79057 regenerated doc
  • 47ad6e5 new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required

📊 Changes

19 files changed (+221 additions, -54 deletions)

📝 bin/admin/install (+1 -1)
📝 bin/helper/osh-accountModify (+43 -0)
📝 bin/plugin/restricted/accountInfo (+3 -0)
📝 bin/plugin/restricted/accountList (+11 -9)
📝 bin/plugin/restricted/accountModify (+9 -1)
📝 bin/plugin/restricted/accountModify.json (+8 -8)
📝 doc/sphinx-plugins-override/accountInfo.rst (+2 -0)
📝 doc/sphinx/plugins/restricted/accountInfo.rst (+2 -0)
📝 doc/sphinx/plugins/restricted/accountModify.rst (+9 -0)
📝 etc/ssh/sshd_config.centos7 (+5 -4)
📝 etc/ssh/sshd_config.centos8 (+5 -4)
📝 etc/ssh/sshd_config.debian10 (+5 -4)
📝 etc/ssh/sshd_config.debian11 (+5 -4)
📝 etc/ssh/sshd_config.debian8 (+5 -4)
📝 etc/ssh/sshd_config.debian9 (+5 -4)
📝 etc/ssh/sshd_config.freebsd (+5 -4)
📝 lib/perl/OVH/Bastion.pm (+8 -7)
📝 tests/functional/launch_tests_on_instance.sh (+1 -0)
📝 tests/functional/tests.d/370-mfa.sh (+89 -0)

📄 Description

Add an account option to turn the ingress auth from "pubkey AND pam" to "pubkey OR pam"
The goal is to provide a method to allow ingress login with just a password on some accounts

This takes the form of a new accountModify option: --mfa-any
This option allows ingress login with the pubkey alone, even if a password/TOTP is set
It also allows ingress login with password/TOTP (i.e. PAM) alone IF password/TOTP is set; if no password/TOTP is set, it does nothing and only pubkey will work

Under the hood, a new group is used: mfa-any
This group is set/unset by accountModify --mfa-any yes|no and checked by sshd_config to modify AuthenticationMethods accordingly

Signed-off-by: Christophe Crochet <89599124+madchrist@users.noreply.github.com>


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
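
The "pubkey AND pam" versus "pubkey OR pam" switch described in the PR maps onto sshd's `AuthenticationMethods` syntax, where commas join methods that must all succeed and spaces separate alternative lists. The audit sketch below is an added example, not code from the PR or the project: the config fragment is constructed, and only the group name `mfa-any` comes from the description above.

```python
import shlex

# Constructed sshd_config fragment (not the project's shipped file). Only the
# group name "mfa-any" is taken from the PR description.
SAMPLE_CONFIG = """\
# global default: pubkey AND pam
AuthenticationMethods publickey,keyboard-interactive:pam

Match Group mfa-any
    AuthenticationMethods publickey keyboard-interactive:pam
"""

def parse_auth_methods(text):
    """Map each scope ('global' or the Match criteria) to its method lists.

    sshd reads AuthenticationMethods as space-separated alternatives, each a
    comma-separated list of methods that must all succeed.
    """
    scopes, scope = {}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        keyword, args = words[0].lower(), words[1:]
        if keyword == "match":
            scope = " ".join(args)
        elif keyword == "authenticationmethods" and scope not in scopes:
            # sshd uses the first value it obtains for a keyword
            scopes[scope] = [alt.split(",") for alt in args]
    return scopes

def single_factor_paths(scopes):
    """Return {scope: [method, ...]} for alternatives that need one method only."""
    findings = {}
    for scope, alternatives in scopes.items():
        singles = [alt[0] for alt in alternatives if len(alt) == 1]
        if singles:
            findings[scope] = singles
    return findings

if __name__ == "__main__":
    report = single_factor_paths(parse_auth_methods(SAMPLE_CONFIG))
    for scope, methods in report.items():
        print(f"{scope}: single-factor login accepted via {', '.join(methods)}")
```

Run against a real sshd_config, any scope it reports is one where membership in the matched group is enough to log in with a single method, so that group's membership is what needs reviewing.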
