Add Google Authenticator PAM module for 2FA
Google authenticator PAM module enables two-factor authentication for
logging in to servers. It provides both HMAC-based and Time-based OTPs
as the second factor on top of usual password authentication.
This commit adds a new distro feature for Google Authenticator, which
can be enabled or disabled for any machine as required.
Tested By:
* Built openbmc for p10bmc
* Verified that the google-authenticator was pulled and the binary is
installed
Change-Id: I586715a924eddd90c9cb6f967db35824767330ca
Signed-off-by: Asmitha Karunanithi <asmitk01@in.ibm.com>
diff --git a/meta-ibm/conf/machine/p10bmc.conf b/meta-ibm/conf/machine/p10bmc.conf
index 5b968c1..a654a55 100644
--- a/meta-ibm/conf/machine/p10bmc.conf
+++ b/meta-ibm/conf/machine/p10bmc.conf
@@ -25,6 +25,7 @@
require conf/distro/include/openpower-hostfw-over-pldm.inc
require conf/distro/include/ibm-mpreboot.inc
require conf/distro/include/ibm-yaml.inc
+require conf/distro/include/google-authenticator-libpam.inc
include conf/distro/include/extra-dev-debug-tools.inc
DISTRO_FEATURES += "ibm-service-account-policy"
MACHINE_FEATURES += "phal tpm2"
diff --git a/meta-ibm/conf/templates/default/bblayers.conf.sample b/meta-ibm/conf/templates/default/bblayers.conf.sample
index 9ce1053..bcaad7b 100644
--- a/meta-ibm/conf/templates/default/bblayers.conf.sample
+++ b/meta-ibm/conf/templates/default/bblayers.conf.sample
@@ -11,6 +11,7 @@
##OEROOT##/meta-openembedded/meta-networking \
##OEROOT##/meta-openembedded/meta-perl \
##OEROOT##/meta-openembedded/meta-python \
+ ##OEROOT##/meta-security \
##OEROOT##/meta-security/meta-tpm \
##OEROOT##/meta-phosphor \
##OEROOT##/meta-aspeed \
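Review bot: The `##OEROOT##/meta-security \` entry is added to the template unconditionally, so the layer's recipes, classes and any bbappends become part of every build created from this template, not only builds that enable the new distro feature. It is worth confirming that nothing in meta-security modifies packages already in the image when the feature is off, and that the layer revision is pinned and reviewed like the other layers, since it now supplies authentication code. If only the one recipe is needed, say so in the commit description so that later reviewers know the wider layer is not meant to be relied on.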
diff --git a/meta-phosphor/conf/distro/include/google-authenticator-libpam.inc b/meta-phosphor/conf/distro/include/google-authenticator-libpam.inc
new file mode 100644
index 0000000..9b023c4
--- /dev/null
+++ b/meta-phosphor/conf/distro/include/google-authenticator-libpam.inc
@@ -0,0 +1,2 @@
+DISTRO_FEATURES += "google-authenticator-libpam"
+DISTROOVERRIDES .= ":df-google-authenticator-libpam"
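Review bot: The new include carries no header comment, and it has a dependency that is not visible from the file itself. The packages behind the `df-google-authenticator-libpam` override appear to come from meta-security, which this commit adds only to the meta-ibm template. A machine in another layer that requires this file without meta-security in BBLAYERS would presumably fail on an unresolved runtime dependency. A short header would make that explicit, for example `# Enables the google-authenticator-libpam distro feature. Requires the meta-security layer in BBLAYERS.`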
diff --git a/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb b/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb
index d821ebc..b7d9c0f 100644
--- a/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb
+++ b/meta-phosphor/recipes-phosphor/users/phosphor-user-manager_git.bb
@@ -43,6 +43,7 @@
"
USERADD_PACKAGES = "${PN} phosphor-ldap"
+RDEPENDS:${PN}:append:df-google-authenticator-libpam = " pam-google-authenticator google-authenticator-libpam"
PACKAGE_BEFORE_PN = "phosphor-ldap"
DBUS_PACKAGES = "${USERADD_PACKAGES}"
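Review bot: The added `RDEPENDS:${PN}:append:df-google-authenticator-libpam` line only installs the PAM module and the `google-authenticator` binary. None of the visible hunks touch the PAM configuration, so this change alone does not enforce the second factor, and the testing described confirms only that the binary is present. If the pam.d entry is delivered by another change, a comment above the line would record that, e.g. `# Installs the PAM module only; the pam.d entry that enables it comes from <recipe providing the PAM config>`. When that entry is written, whether the module's `nullok` option is set decides if accounts without an enrolled secret skip the second factor, so it should be an explicit, documented choice. The recipe continues outside this hunk.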