readd 2fa pam enforcement

2015-07-01 19:15:31 +03:00 · 2015-07-01 19:15:31 +03:00 · d0bbbda8aa
commit d0bbbda8aa
parent a467d2a80f
2 changed files with 17 additions and 0 deletions
--- a/pillar.example
+++ b/pillar.example
@ -58,6 +58,7 @@ users:
        options:
          - "StrictHostKeyChecking yes"

+    google_2fa: True
    google_auth:
      ssh: |
        SOMEGAUTHHASHVAL
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
@ -13,3 +13,19 @@ users_{{ users.googleauth_dir }}:
    - user: root
    - group: {{ users.root_group }}
    - mode: 600
+
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if 'google_auth' in user %}
+{%- for svc in user['google_auth'] %}
+{%- if user.get('google_2fa', True) %}
+users_googleauth-pam-{{ svc }}-{{ name }}:
+  file.replace:
+    - name: /etc/pam.d/{{ svc }}
+    - pattern: "^@include common-auth"
+    - repl: "auth       [success=done new_authtok_reqd=done default=die]   pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
+    - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
+    - backup: .bak
+{%- endif %}
+{%- endfor %}
+{%- endif %}
+{%- endfor %}