xoxys.sshd/tasks/ssh_2fa.yml

43 lines
1.1 KiB
YAML
Raw Normal View History

2019-11-02 18:10:39 +00:00
---
- block:
- name: Install google authenticator PAM module
yum:
name: google-authenticator
state: present
- name: Add google auth module to PAM
pamd:
name: sshd
type: account
control: required
module_path: pam_nologin.so
new_type: auth
new_control: required
new_module_path: pam_google_authenticator.so
state: before
- name: Skip google auth for specific group
pamd:
name: sshd
type: auth
control: required
module_path: pam_google_authenticator.so
new_type: auth
new_control: "[success=done default=ignore]"
new_module_path: pam_succeed_if.so
module_arguments:
- user
- ingroup
- "{{ sshd_google_auth_exclude_group }}"
state: "{{ 'before' if sshd_google_auth_exclude_group is defined else 'absent' }}"
- name: Remove password auth from PAM
pamd:
name: sshd
type: auth
control: substack
module_path: password-auth
state: absent
become: True
become_user: root