thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
300 Commits
1 Branch
Tree: aa02a19972
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'aa02a19972'
${ noResults }
sovereign/roles/common/tasks/google_auth.yml

google_auth.yml 2.2KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849 
  1. ---

  2. # Defines tasks applicable for Google Authenticator

  3. 

  4. - name: Ensure required packages are installed

  5.   apt: pkg={{ item }} state=present

  6.   with_items:

  7.     - libqrencode3

  8.     - libpam-dev

  9.     #- libpam-google-authenticator    wasn't available in wheezy

  10. 

  11. - name: Download Google authenticator pam module

  12.   get_url: url=https://google-authenticator.googlecode.com/files/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2

  13.            dest=/root/libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2

  14. 

  15. - name: Extract Google authenticator

  16.   command: tar xjf libpam-google-authenticator-{{ google_auth_version }}-source.tar.bz2

  17.            chdir=/root creates=/root/libpam-google-authenticator-{{ google_auth_version }}

  18. 

  19. - name: Install Google authenticator

  20.   command: make install

  21.            chdir=/root/libpam-google-authenticator-{{ google_auth_version }}

  22.            creates=/usr/local/bin/google-authenticator

  23. 

  24. - name: Update sshd config to enable challenge responses

  25.   lineinfile: dest=/etc/ssh/sshd_config

  26.               regexp=^ChallengeResponseAuthentication

  27.               line="ChallengeResponseAuthentication yes"

  28.               state=present

  29.   notify: restart ssh

  30. 

  31. - name: Add Google authenticator to PAM

  32.   lineinfile: dest=/etc/pam.d/sshd

  33.               line="auth required pam_google_authenticator.so"

  34.               insertbefore=BOF

  35.               state=present

  36. 

  37. - name: Generate a timed-based, no reuse, rate-limited (3 logins per 30 seconds) with no concurrently valid codes for default user

  38.   command: /usr/local/bin/google-authenticator -t -f -d --label="{{ main_user_name }}@{{ domain }}" --qr-mode=NONE -r 3 -R 30 -W --secret=/home/{{ main_user_name }}/.google_authenticator

  39.            creates=/home/{{ main_user_name }}/.google_authenticator

  40. 

  41. - name: Fix permissions on generated file

  42.   file: state=file path=/home/{{ main_user_name }}/.google_authenticator owner={{ main_user_name }} group={{ main_user_name }}

  43. 

  44. - name: Retrieve generated keys from server

  45.   fetch: src=/home/{{ main_user_name }}/.google_authenticator

  46.          dest=/tmp/sovereign-google-auth-files

  47. 

  48. - pause: seconds=5

  49.          prompt="Your Google Authentication keys are in /tmp/sovereign-google-auth-files. Press any key to continue..."