readd 2fa pam enforcement
This commit is contained in:
Bohdan Kmit
parent
a467d2a80f
commit
d0bbbda8aa
@ -58,6 +58,7 @@ users:
|
|||||||
options:
|
options:
|
||||||
- "StrictHostKeyChecking yes"
|
- "StrictHostKeyChecking yes"
|
||||||
|
|
||||||
|
google_2fa: True
|
||||||
google_auth:
|
google_auth:
|
||||||
ssh: |
|
ssh: |
|
||||||
SOMEGAUTHHASHVAL
|
SOMEGAUTHHASHVAL
|
||||||
|
|||||||
@ -13,3 +13,19 @@ users_{{ users.googleauth_dir }}:
|
|||||||
- user: root
|
- user: root
|
||||||
- group: {{ users.root_group }}
|
- group: {{ users.root_group }}
|
||||||
- mode: 600
|
- mode: 600
|
||||||
|
|
||||||
|
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
|
||||||
|
{%- if 'google_auth' in user %}
|
||||||
|
{%- for svc in user['google_auth'] %}
|
||||||
|
{%- if user.get('google_2fa', True) %}
|
||||||
|
users_googleauth-pam-{{ svc }}-{{ name }}:
|
||||||
|
file.replace:
|
||||||
|
- name: /etc/pam.d/{{ svc }}
|
||||||
|
- pattern: "^@include common-auth"
|
||||||
|
- repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
|
||||||
|
- unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
|
||||||
|
- backup: .bak
|
||||||
|
{%- endif %}
|
||||||
|
{%- endfor %}
|
||||||
|
{%- endif %}
|
||||||
|
{%- endfor %}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user