Added Google Authenticator 2FA logins

roles/common/tasks/google_auth.yml

@@ -0,0 +1,25 @@
+---
+# Defines tasks applicable for Google Authenticator
+
+- name: Ensure required packages are installed
+  apt: pkg={{ item }} state=present
+  with_items:
+    - libqrencode3
+    - libpam-dev
+    #- libpam-google-authenticator    wasn't available in wheezy
+
+- name: Download Google authenticator pam module
+  get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2 dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2
+
+- name: Extract Google authenticator
+  command: tar xjf libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2 chdir=/root creates=/root/libpam-google-authenticator-{{ google_auth_version }}
+
+- name: Install Google authenticator
+  command: make install chdir=/root/libpam-google-authenticator-{{ google_auth_version }} creates=/usr/local/bin/google-authenticator
+
+- name: Update sshd config to enable challenge responses
+  lineinfile: dest=/etc/ssh/sshd_config regexp=^ChallengeResponseAuthentication line="ChallengeResponseAuthentication yes" state=present
+  notify: restart ssh
+
+- name: Add Google authenticator to PAM
+  lineinfile: dest=/etc/pam.d/sshd line="auth required pam_google_authenticator.so" insertbefore=BOF state=present

roles/common/tasks/main.yml

@@ -48,6 +48,7 @@
   notify: restart apache
 
 - include: encfs.yml tags=encfs
+- include: google_auth.yml tags=google_auth
 - include: users.yml tags=users
 - include: ssl.yml tags=ssl
 - include: ufw.yml tags=ufw

vars/defaults.yml

@@ -27,6 +27,9 @@ ntp_servers:
   # - 2.north-america.pool.ntp.org
   # - 3.north-america.pool.ntp.org
 
+# google authenticator
+google_auth_version: 1.0
+
 # database
 db_admin_username: 'postgres'
 # db_admin_password: (required)