xoxys.sshd/tasks/ssh_2fa.yml

40 lines
1019 B
YAML
Raw Normal View History

2019-11-02 18:10:39 +00:00
---
2024-02-18 12:22:43 +00:00
- name: Install google authenticator PAM module
ansible.builtin.package:
name: google-authenticator
state: present
2019-11-02 18:10:39 +00:00
2024-02-18 12:22:43 +00:00
- name: Add google auth module to PAM
community.general.pamd:
name: sshd
type: account
control: required
module_path: pam_nologin.so
new_type: auth
new_control: required
new_module_path: pam_google_authenticator.so
state: before
2019-11-02 18:10:39 +00:00
2024-02-18 12:22:43 +00:00
- name: Skip google auth for specific group
community.general.pamd:
name: sshd
type: auth
control: required
module_path: pam_google_authenticator.so
new_type: auth
new_control: "[success=done default=ignore]"
new_module_path: pam_succeed_if.so
module_arguments:
- user
- ingroup
- "{{ sshd_google_auth_exclude_group }}"
state: "{{ 'before' if sshd_google_auth_exclude_group is defined else 'absent' }}"
2019-11-02 18:10:39 +00:00
2024-02-18 12:22:43 +00:00
- name: Remove password auth from PAM
community.general.pamd:
name: sshd
type: auth
control: substack
module_path: password-auth
state: absent