thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
455 Commits
1 Branch
Tree: c55437d341
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c55437d341'
${ noResults }
sovereign/roles/common/tasks/google_auth.yml

google_auth.yml 2.2KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051 
  1. ---

  2. # Defines tasks applicable for Google Authenticator

  3. 

  4. - name: Ensure required packages are installed

  5.   apt: pkg={{ item }} state=present

  6.   with_items:

  7.     #- libpam-google-authenticator    wasn't available in wheezy

  8.     - libpam0g-dev

  9.     - libqrencode3

  10. 

  11. - name: Download Google authenticator pam module

  12.   get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2

  13.            dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2

  14. 

  15. - name: Extract Google authenticator

  16.   command: tar xjf libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2

  17.            chdir=/root creates=/root/libpam-google-authenticator-{{ google_auth_version }}

  18. 

  19. - name: Install Google authenticator

  20.   command: make install

  21.            chdir=/root/libpam-google-authenticator-{{ google_auth_version }}

  22.            creates=/usr/local/bin/google-authenticator

  23. 

  24. - name: Update sshd config to enable challenge responses

  25.   lineinfile: dest=/etc/ssh/sshd_config

  26.               regexp=^ChallengeResponseAuthentication

  27.               line="ChallengeResponseAuthentication yes"

  28.               state=present

  29.   notify: restart ssh

  30. 

  31. - name: Add Google authenticator to PAM

  32.   lineinfile: dest=/etc/pam.d/sshd

  33.               line="auth required pam_google_authenticator.so"

  34.               insertbefore=BOF

  35.               state=present

  36. 

  37. - name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user

  38.   command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator

  39.            creates=/home/{{ main_user_name }}/.google_authenticator

  40.   sudo: yes

  41.   sudo_user: "{{ main_user_name }}"

  42.   when: ansible_ssh_user != "vagrant"

  43. 

  44. - name: Retrieve generated keys from server

  45.   fetch: src=/home/{{ main_user_name }}/.google_authenticator

  46.          dest=/tmp/sovereign-google-auth-files

  47.   when: ansible_ssh_user != "vagrant"

  48. 

  49. - pause: seconds=5

  50.          prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."

  51.   when: ansible_ssh_user != "vagrant"