From a4df234a86a2b471264e4898ef90b18abf95149068a3057d47da2e40080a2133 Mon Sep 17 00:00:00 2001
From: Alice Brooks <alice.brooks@suse.com>
Date: Mon, 30 Sep 2024 08:08:58 +0100
Subject: [PATCH] Add motd guidance for setting up otp

---
 0006-totp-motd.patch | 33 +++++++++++++++++++++++++++++++++
 cockpit.changes      |  5 +++++
 cockpit.spec         |  3 +++
 3 files changed, 41 insertions(+)
 create mode 100644 0006-totp-motd.patch

diff --git a/0006-totp-motd.patch b/0006-totp-motd.patch
new file mode 100644
index 0000000..37a3a43
--- /dev/null
+++ b/0006-totp-motd.patch
@@ -0,0 +1,33 @@
+--- a/src/systemd/inactive.motd
++++ b/src/systemd/inactive.motd
+@@ -1,2 +1,7 @@
+ Activate the web console with: systemctl enable --now cockpit.socket
+ 
++Note: Cockpit disallows root login by default.
++To create a regular user and optionally enable 2FA run both:
++
++jeos-config user
++jeos-config otp
+diff --git a/src/systemd/update-motd b/src/systemd/update-motd
+index 67e0fb630..3c532d89f 100644
+--- a/src/systemd/update-motd
++++ b/src/systemd/update-motd
+@@ -18,7 +18,17 @@ ip=${3:-$(ip -o route get 255.0 2>/dev/null | sed -e 's/.*src \([^ ]*\) .*/\1/')
+ # protocol from cmdline, then https
+ protocol=${4:-https}
+ 
++mfa=""
++if ! grep -s pam_oath /etc/pam.d/cockpit; then
++  mfa="Note: Cockpit disallows root login by default.
++To create a regular user and optionally enable 2FA run both:
++
++jeos-config user
++jeos-config otp
++"
++fi
++
+ hostname_url="${protocol}://${hostname}:${port}/"
+ ip_url="${ip:+ or ${protocol}://${ip}:${port}/}"
+ 
+-printf 'Web console: %s%s\n\n' "${hostname_url}" "${ip_url}"  > /run/cockpit/active.motd
++printf 'Web console: %s%s\n\n%b\n' "${hostname_url}" "${ip_url}" "${mfa}"  > /run/cockpit/active.motd
diff --git a/cockpit.changes b/cockpit.changes
index 08015aa..d567fa2 100644
--- a/cockpit.changes
+++ b/cockpit.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Sep 30 07:08:12 UTC 2024 - Alice Brooks <alice.brooks@suse.com>
+
+- add 0006-totp-motd.patch for guidance to enabling totp to the mtod
+
 -------------------------------------------------------------------
 Tue Aug 20 13:24:06 UTC 2024 - Adam Majer <adam.majer@suse.de>
 
diff --git a/cockpit.spec b/cockpit.spec
index 7a99e09..5c60112 100644
--- a/cockpit.spec
+++ b/cockpit.spec
@@ -68,6 +68,7 @@ Patch5:         storage-btrfs.patch
 # SLE Micro specific patches
 Patch101:       hide-pcp.patch
 Patch102:       0002-selinux-temporary-remove-setroubleshoot-section.patch
+Patch107:       0006-totp-motd.patch
 # For anything based on SLES 15 codebase (including Leap, SLE Micro)
 Patch103:       0004-leap-gnu18-removal.patch
 Patch104:       selinux_libdir.patch
@@ -229,6 +230,7 @@ BuildRequires:  python3-tox-current-env
 %patch -P 4 -p1
 %patch -P 5 -p1
 %patch -P 106 -p1
+%patch -P 107 -p1
 
 # SLE Micro specific patches
 %if 0%{?is_smo}
@@ -526,6 +528,7 @@ Requires: cockpit-bridge >= %{version}-%{release}
 Requires: shadow-utils
 %endif
 Requires: grep
+Requires: jeos-firstboot
 Requires: /usr/bin/pwscore
 Requires: /usr/bin/date
 Provides: cockpit-shell = %{version}-%{release}