diff --git a/src/etc/rc.configure_firmware b/src/etc/rc.configure_firmware
index 309582305..34951995a 100755
--- a/src/etc/rc.configure_firmware
+++ b/src/etc/rc.configure_firmware
@@ -44,3 +44,4 @@
 convert_config(true);
 system_firmware_configure();
 system_console_configure();
+configd_run('template reload OPNsense.Auth');
diff --git a/src/opnsense/service/templates/OPNsense/Auth/+TARGETS b/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
new file mode 100644
index 000000000..96e4d89b4
--- /dev/null
+++ b/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
@@ -0,0 +1 @@
+sshd.pam:/etc/pam.d/sshd
diff --git a/src/opnsense/service/templates/OPNsense/Auth/sshd.pam b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
new file mode 100644
index 000000000..e7b7a1578
--- /dev/null
+++ b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
@@ -0,0 +1,30 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+{% if system.disableintegratedauth|default('0') == '1' %}
+auth required pam_unix.so no_warn try_first_pass
+{% else %}
+auth required pam_opnsense.so
+{% endif %}
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index b6d8da250..2db60a3b2 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
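Review bot: The rendered /etc/pam.d/sshd keeps the `# $FreeBSD$` header and nothing in the file says it is generated, so an operator who hand-edits the auth stack will have the change silently reverted by the next `template reload OPNsense.Auth` (run from rc.configure_firmware and from system_advanced_admin.php in this same commit). Replace the header with `# Generated from templates/OPNsense/Auth/sshd.pam by OPNsense - local edits are overwritten on template reload` and state in the same comment that `disableintegratedauth` swaps pam_opnsense for pam_unix in the auth phase only. The `{% if %}` also compares the stored value with the string `'1'` while system_advanced_admin.php writes PHP `true`; this presumably relies on the config writer serialising `true` as `1`, which is worth confirming, because otherwise the pam_unix branch is never selected and the setting has no effect on which module authenticates SSH logins.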
@@ -42,6 +42,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
 $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']);
 $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
+ $pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']);
 $pconfig['sudo_allow_wheel'] = isset($config['system']['sudo_allow_wheel']);
 $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
 $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
@@ -116,6 +117,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 unset($config['system']['disableconsolemenu']);
 }

+ if (!empty($pconfig['disableintegratedauth'])) {
+ $config['system']['disableintegratedauth'] = true;
+ } elseif (isset($config['system']['disableintegratedauth'])) {
+ unset($config['system']['disableintegratedauth']);
+ }
+
 if ($pconfig['sudo_allow_wheel'] == "yes") {
 $config['system']['sudo_allow_wheel'] = true;
 } elseif (isset($config['system']['sudo_allow_wheel'])) {
@@ -249,6 +256,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 services_dnsmasq_configure(false);
 services_unbound_configure(false);
 services_dhcpd_configure();
+ configd_run('template reload OPNsense.Auth');

 if ($restart_sshd) {
 configd_run('sshd restart', true);
@@ -579,6 +587,16 @@ include("head.inc"); + + + + /> + + +   " />
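Review bot: The POST hunk reads the new checkbox with `!empty($pconfig['disableintegratedauth'])` while the adjacent `sudo_allow_wheel` block in the same hunk uses `== "yes"`, and the GET hunk fills it with `!empty($config[...])` where every sibling line uses `isset($config[...])`; since this flag decides which PAM module authenticates SSH logins, it should round-trip exactly like the other boolean settings in this file. Either use `$pconfig['disableintegratedauth'] = isset($config['system']['disableintegratedauth']);` on the GET side, or add a one-line comment explaining why an empty stored value must be treated as unset here. The enclosing request-handling block starts and ends outside these hunks.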