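---
# Rewires the sshd PAM stack so that the PAM "auth" phase is a Google
# Authenticator (TOTP) prompt instead of the system password stack.
#
# NOTE(review): these tasks only edit the sshd PAM service; sshd_config is
# not managed here. Once password-auth is removed, TOTP is the only check
# PAM performs, and members of the exempt group pass PAM with no prompt at
# all. Confirm sshd requires a key as well (for example
# `AuthenticationMethods publickey,keyboard-interactive`) before rollout.
# NOTE(review): pam_google_authenticator.so is added without `nullok`, so
# accounts that have not enrolled a TOTP secret will presumably be refused;
# enroll users first and keep an existing root session open while testing.
- block:
    - name: Install google authenticator PAM module
      yum:
        name: google-authenticator
        state: present

    # Anchors on the first "account" rule so the new auth rule is inserted
    # immediately before it.
    - name: Add google auth module to PAM
      pamd:
        name: sshd
        type: account
        control: required
        module_path: pam_nologin.so
        new_type: auth
        new_control: required
        new_module_path: pam_google_authenticator.so
        state: before

    # Placed directly before the TOTP rule: success=done ends the auth
    # stack with success for group members, default=ignore lets everyone
    # else fall through to pam_google_authenticator.so.
    # Guarded with `when` instead of a templated `state`: with the variable
    # undefined the module_arguments template cannot render, and pamd's
    # state=absent acts on the matched rule (the TOTP line), not on the
    # new_* rule.
    - name: Skip google auth for specific group
      pamd:
        name: sshd
        type: auth
        control: required
        module_path: pam_google_authenticator.so
        new_type: auth
        new_control: "[success=done default=ignore]"
        new_module_path: pam_succeed_if.so
        module_arguments:
          - user
          - ingroup
          - "{{ sshd_google_auth_exclude_group }}"
        state: before
      when: sshd_google_auth_exclude_group is defined

    # No exempt group configured: drop a previously installed exemption so
    # a stale bypass does not outlive the variable.
    - name: Remove google auth group exemption when no group is configured
      pamd:
        name: sshd
        type: auth
        control: "[success=done default=ignore]"
        module_path: pam_succeed_if.so
        state: absent
      when: sshd_google_auth_exclude_group is not defined

    # Removes the password stack from sshd's auth phase; after this the
    # TOTP rule (or the group exemption) is the only PAM auth decision.
    - name: Remove password auth from PAM
      pamd:
        name: sshd
        type: auth
        control: substack
        module_path: password-auth
        state: absent
  become: true
  become_user: root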