field | value | date
---|---|---
author | Halfwalker <deano-gitea@areyes.com> | 2024-12-23 08:03:18 -0700
committer | Nicholas Johnson <mail@nicholasjohnson.ch> | 2025-01-29 00:00:00 +0000
commit | d34a33b99625daf0cd71957d3b1f2cd4d981c459a871df197bda05e540c1337d (patch) |
tree | ce24108550e960fa76752f6524f7af7b61403f3ca5872fb5cce652485f112927 |
parent | 07bee9d586d26386e74b880b703854eca6ea56078834900a8d03dbfd3840d623 (diff) |
download | ansible-role-google-authenticator-d34a33b99625daf0cd71957d3b1f2cd4d981c459a871df197bda05e540c1337d.tar.gz, ansible-role-google-authenticator-d34a33b99625daf0cd71957d3b1f2cd4d981c459a871df197bda05e540c1337d.zip |
Improve wording about nullok parameter
-rw-r--r-- | README.md | 6
-rw-r--r-- | defaults/main.yml | 7
2 files changed, 7 insertions, 6 deletions
@@ -8,7 +8,7 @@ https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-auth It will create a `~/.google_authenticator` if required, and will NOT alter or remove any existing version. -It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this. +It will update `/etc/ssh/sshd_config.d` and `/etc/pam.d/sshd` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this. ## Configuration @@ -18,9 +18,9 @@ Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true` ### Allowing no-token logins when ~/.google_authenticator does not exist -Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets the **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok** +Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets adds **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok** -With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist +With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist. If not enabled (no **nullok** param) then users can NOT login until that `~/.google_authenticator` secret file is created. ### Pre-populating Google Authenticator secrets 
diff --git a/defaults/main.yml b/defaults/main.yml index 964d155..0eb2f7a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,9 +3,10 @@ # User can be overridden by a vault variable or from hosts file entry or ansible cmdline username: "{{ vault_username | default(ansible_user_id) }}" -# Set the nullok parameter for pam_google_authenticator.so in /etc/pam.d/sshd -# When set, this allows password logins if no ~/.google_authenticator exists -# If not set, then can NOT login until ~/.google_authenticator is created +# This enables/disables adding the nullok parameter to the pam_google_authenticator.so +# line in /etc/pam.d/sshd +# When enabled, nullok allows password logins even if no ~/.google_authenticator exists +# If false (no 'nullok' param), then users can NOT login until their ~/.google_authenticator is created google_auth_nullok: false # Use google authenticator config from vault if it's there |
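Review bot: In the first README hunk (`@@ -8,7 +8,7 @@`), the new sentence says the role updates `/etc/ssh/sshd_config.d` and `/etc/pam.d/sshd`, but it still does not name the drop-in file it writes under `/etc/ssh/sshd_config.d`; an operator auditing what the role changed on a host has to go read the tasks to find it. Consider naming the drop-in file in this sentence, since this commit is already the one that spells out which files get touched.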
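Review bot: In the second README hunk (`@@ -18,9 +18,9 @@`), the reworded line reads "This sets adds **nullok** parameter", a doubled verb that should be "This adds the **nullok** parameter", and both the `-` and `+` versions of that line keep the path typo `/etc/pamd./sshd` where the defaults file in this same commit correctly says `/etc/pam.d/sshd`; a wording commit about this exact parameter is the place to fix it. The added sentence ("If not enabled ... users can NOT login until that `~/.google_authenticator` secret file is created") states the fail-closed case well; it would be worth stating the converse trade-off just as plainly, that with `nullok` any account whose secret file has not yet been created authenticates with a password alone and has no second factor, so the setting is a provisioning convenience rather than a safe default.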
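Review bot: In the `defaults/main.yml` hunk, the comment "When enabled, nullok allows password logins even if no ~/.google_authenticator exists" can be read as allowing password-only login regardless of whether the file exists; `nullok` only skips the token check for users who lack the file, and users who have one are still prompted. Suggest "When enabled, nullok allows password-only logins for users who have no ~/.google_authenticator yet (users who have one still need a token)". The last comment line also runs well past the width of the surrounding comments and could be wrapped.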