Remove Google Authenticator / Two-Factor Authentification

README.md

@@ -39,7 +39,6 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   Firewall management via [Uncomplicated Firewall (ufw)](https://wiki.ubuntu.com/UncomplicatedFirewall).
 -   Intrusion prevention via [fail2ban](http://www.fail2ban.org/) and rootkit detection via [rkhunter](http://rkhunter.sourceforge.net).
 -   SSH configuration preventing root login and insecure password authentication
--   [RFC6238](http://tools.ietf.org/html/rfc6238) two-factor authentication compatible with [Google Authenticator](http://en.wikipedia.org/wiki/Google_Authenticator) and various hardware tokens
 -   Nightly backups to [Tarsnap](https://www.tarsnap.com/).
 -   Git hosting via [cgit](http://git.zx2c4.com/cgit/about/) and [gitolite](https://github.com/sitaramc/gitolite).
 -   Read-it-later via [Wallabag](https://www.wallabag.org/)

roles/common/tasks/google_auth.yml

@@ -1,40 +0,0 @@
----
-# Defines tasks applicable for Google Authenticator.
-
-- name: Ensure required packages are installed
-  apt: pkg={{ item }} state=present
-  with_items:
-    - libpam-google-authenticator
-    - libpam0g-dev
-    - libqrencode3
-  tags:
-    - dependencies
-
-- name: Update sshd config to enable challenge responses
-  lineinfile: dest=/etc/ssh/sshd_config
-              regexp=^ChallengeResponseAuthentication
-              line="ChallengeResponseAuthentication yes"
-              state=present
-  notify: restart ssh
-
-- name: Add Google authenticator to PAM
-  lineinfile: dest=/etc/pam.d/sshd
-              line="auth required pam_google_authenticator.so"
-              insertbefore=BOF
-              state=present
-
-- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
-  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
-           creates=/home/{{ main_user_name }}/.google_authenticator
-  become: yes
-  become_user: "{{ main_user_name }}"
-  when: ansible_ssh_user != "vagrant"
-
-- name: Retrieve generated keys from server
-  fetch: src=/home/{{ main_user_name }}/.google_authenticator
-         dest=/tmp/sovereign-google-auth-files
-  when: ansible_ssh_user != "vagrant"
-
-- pause: seconds=5
-         prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."
-  when: ansible_ssh_user != "vagrant"

roles/common/tasks/main.yml

@@ -72,5 +72,4 @@
 - include: ufw.yml tags=ufw
 - include: security.yml tags=security
 - include: ntp.yml tags=ntp
-- include: google_auth.yml tags=google_auth
 - include: postgres.yml

roles/vpn/files/etc_pam.d_openvpn

@@ -1 +0,0 @@
-auth required pam_google_authenticator.so

roles/vpn/tasks/openvpn.yml

@@ -143,10 +143,6 @@
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
   notify: restart openvpn
 
-- name: Copy OpenVPN PAM configuration file into place
-  copy: src=etc_pam.d_openvpn dest=/etc/pam.d/openvpn
-  notify: restart openvpn
-
 - name: Enable OpenVPN server systemd service unit
   service: name=openvpn@server enabled=yes
 

roles/webmail/DESIGN.md

@@ -10,7 +10,7 @@ The role installs roundcube from the source package released by the Roundcube te
 
 Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/decrypted` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
 
-PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `twofactor_gauthentication` and `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
+PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
 
 # Upgrade
 

roles/webmail/files/var_www_roundcube_composer.json

@@ -31,8 +31,7 @@
         "pear-pear.php.net/net_smtp": "~1.7.1",
         "pear-pear.php.net/crypt_gpg": "~1.4.2",
         "roundcube/net_sieve": "~1.5.0",
-        "alexandregz/twofactor_gauthenticator": "dev-master",
-	"roundcube/carddav": "dev-master"
+        "roundcube/carddav": "dev-master"
     },
     "require-dev": {
         "phpunit/phpunit": "*"

roles/webmail/files/var_www_roundcube_plugins_twofactor_gauthenticator_config.inc.php

@@ -1,7 +0,0 @@
-<?php
-// if true ALL users must have 2-steps active
-$rcmail_config['force_enrollment_users'] = false;
-
-// whitelist, CIDR format available
-// NOTE: we need to use .0 IP to define LAN because the class CIDR have a issue about that (we can't use 129.168.1.2/24, for example)
-$rcmail_config['whitelist'] = array('192.168.1.0/24', '::1', '192.168.0.9');

roles/webmail/tasks/roundcube.yml

@@ -102,13 +102,6 @@
     group=www-data
     mode=0644
 
-- name: Install Google 2-factor authentication plugin configuration
-  copy: src=var_www_roundcube_plugins_twofactor_gauthenticator_config.inc.php
-    dest=/var/www/roundcube/plugins/twofactor_gauthenticator/config.inc.php
-    owner=root
-    group=www-data
-    mode=0644
-
 - name: Configure Apache for Roundcube
   template: src=etc_apache2_sites-available_roundcube.j2
     dest=/etc/apache2/sites-available/roundcube.conf

roles/webmail/templates/var_www_roundcube_config_config.inc.j2

@@ -81,7 +81,6 @@ $config['plugins'] = array(
     'archive',
     'zipdownload',
     'managesieve',
-    'twofactor_gauthenticator',
     'carddav',
 );