2019-11-02 19:10:39 +01:00
|
|
|
---
|
2024-02-18 13:22:43 +01:00
|
|
|
- name: Install google authenticator PAM module
|
|
|
|
|
ansible.builtin.package:
|
|
|
|
|
name: google-authenticator
|
|
|
|
|
state: present
|
2019-11-02 19:10:39 +01:00
|
|
|
|
2024-02-18 13:22:43 +01:00
|
|
|
- name: Add google auth module to PAM
|
|
|
|
|
community.general.pamd:
|
|
|
|
|
name: sshd
|
|
|
|
|
type: account
|
|
|
|
|
control: required
|
|
|
|
|
module_path: pam_nologin.so
|
|
|
|
|
new_type: auth
|
|
|
|
|
new_control: required
|
|
|
|
|
new_module_path: pam_google_authenticator.so
|
|
|
|
|
state: before
|
2019-11-02 19:10:39 +01:00
|
|
|
|
2024-02-18 13:22:43 +01:00
|
|
|
- name: Skip google auth for specific group
|
|
|
|
|
community.general.pamd:
|
|
|
|
|
name: sshd
|
|
|
|
|
type: auth
|
|
|
|
|
control: required
|
|
|
|
|
module_path: pam_google_authenticator.so
|
|
|
|
|
new_type: auth
|
|
|
|
|
new_control: "[success=done default=ignore]"
|
|
|
|
|
new_module_path: pam_succeed_if.so
|
|
|
|
|
module_arguments:
|
|
|
|
|
- user
|
|
|
|
|
- ingroup
|
|
|
|
|
- "{{ sshd_google_auth_exclude_group }}"
|
|
|
|
|
state: "{{ 'before' if sshd_google_auth_exclude_group is defined else 'absent' }}"
|
2019-11-02 19:10:39 +01:00
|
|
|
|
2024-02-18 13:22:43 +01:00
|
|
|
- name: Remove password auth from PAM
|
|
|
|
|
community.general.pamd:
|
|
|
|
|
name: sshd
|
|
|
|
|
type: auth
|
|
|
|
|
control: substack
|
|
|
|
|
module_path: password-auth
|
|
|
|
|
state: absent
|
