author | Halfwalker <deano-gitea@areyes.com> | 2024-12-21 18:41:43 -0700 |
---|---|---|
committer | Nicholas Johnson <mail@nicholasjohnson.ch> | 2025-01-29 00:00:00 +0000 |
commit | 40489e5b26bc741b15bbea5cf2ee634880d40384393bdc319d23c482b89a62c8 (patch) | |
tree | 3701e54b660fc89eded5541aab18cc94506d75cbc489ad17a3b9c4d06f3f2761 /README.md | |
parent | 9cdb5bbeaf8412b8931beb206431eb897fcfc6b40e02dd763d2d4068382550b5 (diff) | |
Add option for nullok on google_authenticator.so in /etc/pam.d/sshd
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -14,6 +14,12 @@ It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for a Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true`. This will ensure that TOTP code entry is required regardless of use of SSH key for login. This creates a `/etc/ssh/sshd_config.d/71-google_auth.conf` and modifies `/etc/pam.d/sshd` to comment out the **@include common-auth** line. +### Allowing no-token logins when ~/.google_authenticator does not exist + +Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets the **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok** + +With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist + To pre-populate the TOTP secret there are two locations to place the information. * Place them into `defaults/main.yml` under the **google_auth_config** variable |
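Review bot: The path in the first added paragraph is misspelled as `/etc/pamd./sshd`; it should read `/etc/pam.d/sshd`, matching the spelling used in the context line above and in the commit subject. The second added paragraph says users without `~/.google_authenticator` can log in "with password only", but the preceding context states that `google_auth_force: true` comments out the **@include common-auth** line in the same file, so the README should say what happens when both `google_auth_force` and `google_auth_nullok` are set. Since **nullok** lets any account without that file skip the TOTP prompt, it would also help to state the default value of `google_auth_nullok` here and to describe it as a setting for the enrollment period rather than a permanent one. Both added sentences are also missing their closing period.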