
Remove Google Authenticator / Two-Factor Authentification

Thomas Buck il y a 5 ans
Parent
révision
183b80da8d

+ 0
- 1
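--- a/README.md
+++ b/README.md
@@ -39,7 +39,6 @@ What do you get if you point Sovereign at a server? All kinds of good stuff!
 -   Firewall management via [Uncomplicated Firewall (ufw)](https://wiki.ubuntu.com/UncomplicatedFirewall).
 -   Intrusion prevention via [fail2ban](http://www.fail2ban.org/) and rootkit detection via [rkhunter](http://rkhunter.sourceforge.net).
 -   SSH configuration preventing root login and insecure password authentication
--   [RFC6238](http://tools.ietf.org/html/rfc6238) two-factor authentication compatible with [Google Authenticator](http://en.wikipedia.org/wiki/Google_Authenticator) and various hardware tokens
 -   Nightly backups to [Tarsnap](https://www.tarsnap.com/).
 -   Git hosting via [cgit](http://git.zx2c4.com/cgit/about/) and [gitolite](https://github.com/sitaramc/gitolite).
 -   Read-it-later via [Wallabag](https://www.wallabag.org/)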

+ 0
- 40
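--- a/roles/common/tasks/google_auth.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-# Defines tasks applicable for Google Authenticator.
-
-- name: Ensure required packages are installed
-  apt: pkg={{ item }} state=present
-  with_items:
-    - libpam-google-authenticator
-    - libpam0g-dev
-    - libqrencode3
-  tags:
-    - dependencies
-
-- name: Update sshd config to enable challenge responses
-  lineinfile: dest=/etc/ssh/sshd_config
-              regexp=^ChallengeResponseAuthentication
-              line="ChallengeResponseAuthentication yes"
-              state=present
-  notify: restart ssh
-
-- name: Add Google authenticator to PAM
-  lineinfile: dest=/etc/pam.d/sshd
-              line="auth required pam_google_authenticator.so"
-              insertbefore=BOF
-              state=present
-
-- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
-  command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
-           creates=/home/{{ main_user_name }}/.google_authenticator
-  become: yes
-  become_user: "{{ main_user_name }}"
-  when: ansible_ssh_user != "vagrant"
-
-- name: Retrieve generated keys from server
-  fetch: src=/home/{{ main_user_name }}/.google_authenticator
-         dest=/tmp/sovereign-google-auth-files
-  when: ansible_ssh_user != "vagrant"
-
-- pause: seconds=5
-         prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."
-  when: ansible_ssh_user != "vagrant"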

+ 0
- 1
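--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -72,5 +72,4 @@
 - include: ufw.yml tags=ufw
 - include: security.yml tags=security
 - include: ntp.yml tags=ntp
-- include: google_auth.yml tags=google_auth
 - include: postgres.yml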
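Review bot: Removing `- include: google_auth.yml tags=google_auth` stops the play from managing SSH two-factor state, but nothing reverts what earlier runs already wrote: the deleted google_auth.yml used `lineinfile ... state=present` to add `auth required pam_google_authenticator.so` to /etc/pam.d/sshd and `ChallengeResponseAuthentication yes` to sshd_config, so previously provisioned hosts keep both lines while fresh hosts never get them. That splits the fleet between hosts that still demand a TOTP code and hosts that accept a key alone, and if libpam-google-authenticator is later removed from an old host the remaining `auth required` line would most likely fail closed and lock SSH out. Consider a one-off cleanup task (the same two lineinfile entries with `state=absent`, still notifying `restart ssh`), or at least state in the commit message that existing hosts are left unchanged. The same drift applies to the openvpn.yml and roundcube.yml hunks, whose previously copied /etc/pam.d/openvpn and plugin config files stay on disk on existing hosts.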

+ 0
- 1
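--- a/roles/vpn/files/etc_pam.d_openvpn
+++ /dev/null
@@ -1 +0,0 @@
-auth required pam_google_authenticator.so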

+ 0
- 4
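--- a/roles/vpn/tasks/openvpn.yml
+++ b/roles/vpn/tasks/openvpn.yml
@@ -143,10 +143,6 @@
   template: src=etc_openvpn_server.conf.j2 dest=/etc/openvpn/server.conf
   notify: restart openvpn
 
-- name: Copy OpenVPN PAM configuration file into place
-  copy: src=etc_pam.d_openvpn dest=/etc/pam.d/openvpn
-  notify: restart openvpn
-
 - name: Enable OpenVPN server systemd service unit
   service: name=openvpn@server enabled=yes
 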

+ 1
- 1
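--- a/roles/webmail/DESIGN.md
+++ b/roles/webmail/DESIGN.md
@@ -10,7 +10,7 @@ The role installs roundcube from the source package released by the Roundcube te
 
 Roundcube is installed with sqlite3 for its persistence layer.  This eliminates dependency on a database server and likely improves performance given how little persistet data Roundcube keeps.  Roundcube automatically looks for the database file and intializes it if it is missing.  The file is kept on `/decrypted` since it contains user data, and the database will be backed up automatically if the tarsnap role is used.
 
-PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `twofactor_gauthentication` and `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
+PHP composer is used for downloading and installing plugins.  Configuration files are kept with sovereign.  The configuration files for `carddav` are not modified from their defaults.  I chose to do this so that maintainers could recognize when configuration files change in future plugin versions and decide whether or not to change new defaults.
 
 # Upgrade
 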

+ 1
- 2
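--- a/roles/webmail/files/var_www_roundcube_composer.json
+++ b/roles/webmail/files/var_www_roundcube_composer.json
@@ -31,8 +31,7 @@
         "pear-pear.php.net/net_smtp": "~1.7.1",
         "pear-pear.php.net/crypt_gpg": "~1.4.2",
         "roundcube/net_sieve": "~1.5.0",
-        "alexandregz/twofactor_gauthenticator": "dev-master",
-	"roundcube/carddav": "dev-master"
+        "roundcube/carddav": "dev-master"
     },
     "require-dev": {
         "phpunit/phpunit": "*"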

+ 0
- 7
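--- a/roles/webmail/files/var_www_roundcube_plugins_twofactor_gauthenticator_config.inc.php
+++ /dev/null
@@ -1,7 +0,0 @@
-<?php
-// if true ALL users must have 2-steps active
-$rcmail_config['force_enrollment_users'] = false;
-
-// whitelist, CIDR format available
-// NOTE: we need to use .0 IP to define LAN because the class CIDR have a issue about that (we can't use 129.168.1.2/24, for example)
-$rcmail_config['whitelist'] = array('192.168.1.0/24', '::1', '192.168.0.9');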

+ 0
- 7
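--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -102,13 +102,6 @@
     group=www-data
     mode=0644
 
-- name: Install Google 2-factor authentication plugin configuration
-  copy: src=var_www_roundcube_plugins_twofactor_gauthenticator_config.inc.php
-    dest=/var/www/roundcube/plugins/twofactor_gauthenticator/config.inc.php
-    owner=root
-    group=www-data
-    mode=0644
-
 - name: Configure Apache for Roundcube
   template: src=etc_apache2_sites-available_roundcube.j2
     dest=/etc/apache2/sites-available/roundcube.conf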

+ 0
- 1
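--- a/roles/webmail/templates/var_www_roundcube_config_config.inc.j2
+++ b/roles/webmail/templates/var_www_roundcube_config_config.inc.j2
@@ -81,7 +81,6 @@ $config['plugins'] = array(
     'archive',
     'zipdownload',
     'managesieve',
-    'twofactor_gauthenticator',
     'carddav',
 );
 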
