| 123456789101112131415161718192021222324252627282930313233343536373839 |
- ---
- # Defines tasks applicable for Google Authenticator
- # Ubuntu trusty version, uses standard libpam-google-authenticator package
-
- - name: Ensure required packages are installed
- apt: pkg={{ item }} state=present
- with_items:
- - libpam-google-authenticator
- - libpam0g-dev
- - libqrencode3
-
- - name: Update sshd config to enable challenge responses
- lineinfile: dest=/etc/ssh/sshd_config
- regexp=^ChallengeResponseAuthentication
- line="ChallengeResponseAuthentication yes"
- state=present
- notify: restart ssh
-
- - name: Add Google authenticator to PAM
- lineinfile: dest=/etc/pam.d/sshd
- line="auth required pam_google_authenticator.so"
- insertbefore=BOF
- state=present
-
- - name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with one concurrently valid code for default user
- command: /usr/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=ANSI -r 3 -R 30 -w 1 --secret=/home/{{ main_user_name }}/.google_authenticator
- creates=/home/{{ main_user_name }}/.google_authenticator
- sudo: yes
- sudo_user: "{{ main_user_name }}"
- when: ansible_ssh_user != "vagrant"
-
- - name: Retrieve generated keys from server
- fetch: src=/home/{{ main_user_name }}/.google_authenticator
- dest=/tmp/sovereign-google-auth-files
- when: ansible_ssh_user != "vagrant"
-
- - pause: seconds=5
- prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."
- when: ansible_ssh_user != "vagrant"
|
