diff options
| author | Halfwalker <deano-gitea@areyes.com> | 2024-12-23 08:03:18 -0700 |
|---|---|---|
| committer | Nicholas Johnson <mail@nicholasjohnson.ch> | 2025-01-29 00:00:00 +0000 |
| commit | d34a33b99625daf0cd71957d3b1f2cd4d981c459a871df197bda05e540c1337d (patch) | |
| tree | ce24108550e960fa76752f6524f7af7b61403f3ca5872fb5cce652485f112927 /README.md | |
| parent | 07bee9d586d26386e74b880b703854eca6ea56078834900a8d03dbfd3840d623 (diff) | |
| download | ansible-role-google-authenticator-d34a33b99625daf0cd71957d3b1f2cd4d981c459a871df197bda05e540c1337d.tar.gz ansible-role-google-authenticator-d34a33b99625daf0cd71957d3b1f2cd4d981c459a871df197bda05e540c1337d.zip | |
Improve wording about nullok parameter
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 6 |
1 files changed, 3 insertions, 3 deletions
@@ -8,7 +8,7 @@ https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-auth It will create a `~/.google_authenticator` if required, and will NOT alter or remove any existing version. -It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this. +It will update `/etc/ssh/sshd_config.d` and `/etc/pam.d/sshd` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this. ## Configuration @@ -18,9 +18,9 @@ Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true` ### Allowing no-token logins when ~/.google_authenticator does not exist -Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets the **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok** +Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets adds **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok** -With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist +With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist. If not enabled (no **nullok** param) then users can NOT login until that `~/.google_authenticator` secret file is created. ### Pre-populating Google Authenticator secrets |