
The .google_authenticator file has to be generated by the user that is going to attempt to use it. Also, -W doesn't seem to work (it results in an INVALID_WINDOW error in /var/log/auth.log), so use -w 1 to allow for a single concurrent token

Justin Plock 10 years ago
parent
commit
2d751ab680
1 changed files with 4 additions and 5 deletions
  1. 4
    5
      roles/common/tasks/google_auth.yml

+ 4
- 5
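--- a/roles/common/tasks/google_auth.yml
+++ b/roles/common/tasks/google_auth.yml
@@ -34,12 +34,11 @@
               insertbefore=BOF
               state=present
 
-- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with no concurrently valid codes for default user
-  command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=NONE -r 3 -R 30 -W --secret=/home/{{ main_user_name }}/.google_authenticator
+- name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
+  command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
            creates=/home/{{ main_user_name }}/.google_authenticator
-
-- name: Fix permissions on generated file
-  file: state=file path=/home/{{ main_user_name }}/.google_authenticator owner={{ main_user_name }} group={{ main_user_name }}
+  sudo: yes
+  sudo_user: "{{ main_user_name }}"
 
 - name: Retrieve generated keys from server
   fetch: src=/home/{{ main_user_name }}/.google_authenticator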
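Review bot: The generate task on new lines 37-41 has no `no_log: true`, yet google-authenticator writes the newly created secret key and scratch codes to stdout (and, with the switch to `--qr-mode=ANSI`, the QR rendering as well), and Ansible keeps a `command` task's stdout in the task result where verbose output and callback logs can expose it; add `no_log: true` next to `sudo_user`. `sudo: yes` is a YAML 1.1 truthy spelling; write `sudo: true` (and, if the Ansible version in use supports them, `become`/`become_user` are the current names for these keys). Dropping the "Fix permissions on generated file" task leaves ownership to `sudo_user` and the file mode to whatever google-authenticator sets on the secret file; that is plausibly restrictive, but a `file:` task asserting `mode=0400` would make the intended permissions explicit rather than assumed. The lineinfile task that the hunk's first two context lines belong to starts outside the hunk.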
