authorHalfwalker <deano-gitea@areyes.com>2024-12-21 18:37:42 -0700
committerNicholas Johnson <mail@nicholasjohnson.ch>2025-01-29 00:00:00 +0000
commit9cdb5bbeaf8412b8931beb206431eb897fcfc6b40e02dd763d2d4068382550b5 (patch)
treeab53f5e6a9821bc34cde94d9c81780e09dd92feb6b05b0f8b75ea11fdea7800d
parentba21e8690e3fbf6ec2cbd13e93792e2e33d9d2c3b05bf862014db41480e5cd8f (diff)
Remove per-user force_auth - just have global google_force_auth
-rw-r--r--README.md7
-rw-r--r--defaults/main.yml2
2 files changed, 4 insertions, 5 deletions
diff --git a/README.md b/README.md
index 737b5f5..452d575 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,10 @@ It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for a
## Configuration
+### Forcing use of Google Authenticator
+
+Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true`. This will ensure that TOTP code entry is required regardless of use of SSH key for login. This creates a `/etc/ssh/sshd_config.d/71-google_auth.conf` and modifies `/etc/pam.d/sshd` to comment out the **@include common-auth** line.
+
To pre-populate the TOTP secret there are two locations to place the information.
* Place them into `defaults/main.yml` under the **google_auth_config** variable
@@ -19,7 +23,6 @@ The format is as follows
| Variable | Description | Required ? |
| :--- | :--- | :--- |
| name: | The inventory_hostname for this block | Required |
-| force_auth: | Force token for ALL ssh connections for this host | Optional |
| label: | Label for the otpauth: url for the QR code | Optional |
| issuer: | Issuer for the otpauth: url for the QR code | Optional |
| secret: | Standard `.google_authenticator` secret info | Required |
@@ -30,7 +33,6 @@ The Optional keys have default values in `defaults/main.yml`
# 1st line of secret can be 16 or 26 chars
vault_google_auth_config:
- name: host1.example.com
- force_auth: false
label: "Mailsys%20{{ inventory_hostname_short }}:{{ username }}"
issuer: "Example%20Corp%20Mailsys"
secret: |
@@ -45,7 +47,6 @@ vault_google_auth_config:
23387673
16670568
- name: hosty.somewhere.com
- force_auth: false
secret: |
MVXECANUVTIQ2647HK3S35FM3A
" RATE_LIMIT 3 30 1734051365
diff --git a/defaults/main.yml b/defaults/main.yml
index 629fb98..cf8b7e9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,7 +8,6 @@ username: "{{ vault_username | default(ansible_user_id) }}"
# NOTE: Be sure to use char encoding for spaces
# vault_google_auth_config:
# - name: host1.example.com
-# force_auth: false
# label: "Mailsys%20{{ inventory_hostname_short }}:{{ username }}"
# issuer: "Example%20Corp%20Mailsys"
# secret: |
@@ -23,7 +22,6 @@ username: "{{ vault_username | default(ansible_user_id) }}"
# 23387673
# 16670568
# - name: hosty.somewhere.com
-# force_auth: false
# secret: |
# MVXECANUVTIQ2647HK3S35FM3A
# " RATE_LIMIT 3 30 1734051365