author | Halfwalker <deano-gitea@areyes.com> | 2024-12-21 18:41:43 -0700 |
---|---|---|
committer | Nicholas Johnson <mail@nicholasjohnson.ch> | 2025-01-29 00:00:00 +0000 |
commit | 40489e5b26bc741b15bbea5cf2ee634880d40384393bdc319d23c482b89a62c8 (patch) | |
tree | 3701e54b660fc89eded5541aab18cc94506d75cbc489ad17a3b9c4d06f3f2761 /tasks | |
parent | 9cdb5bbeaf8412b8931beb206431eb897fcfc6b40e02dd763d2d4068382550b5 (diff) | |
download | ansible-role-google-authenticator-40489e5b26bc741b15bbea5cf2ee634880d40384393bdc319d23c482b89a62c8.tar.gz ansible-role-google-authenticator-40489e5b26bc741b15bbea5cf2ee634880d40384393bdc319d23c482b89a62c8.zip |
Add option for nullok on google_authenticator.so in /etc/pam.d/sshd
Diffstat (limited to 'tasks')
-rw-r--r-- | tasks/main.yml | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/tasks/main.yml b/tasks/main.yml
index 882f8ad..3d47915 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -163,12 +163,27 @@ block:
 # Set pam to use google authenticator for ssh
 # echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
+# echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/sshd
+# The nullok allows regular login if ~/.google_authenticator doesn't exist
+# Putting at beginning of file means it will ask for token FIRST, then password
+# This prevents someone from being able to attempt passwords until/unless they have token
 - name: Set pam to use google authenticator for ssh
 ansible.builtin.lineinfile:
 path: /etc/pam.d/sshd
+insertafter: BOF
+line: 'auth required pam_google_authenticator.so{% if google_auth_nullok %} nullok{% endif %}'
+state: present
+
+# Must have at least one SUCCESS answer - nullok makes sshd answer IGNORE
+# Adding pam_permit to end ensure that sshd module will answer SUCCESS if nothing else does
+# https://github.com/google/google-authenticator-libpam#nullok
+- name: Set pam to use pam_permit if nullok is defined
+ansible.builtin.lineinfile:
+path: /etc/pam.d/sshd
 insertafter: EOF
-line: 'auth required pam_google_authenticator.so'
+line: 'auth required pam_permit.so'
 state: present
+when: google_auth_nullok
 - name: Modify sshd_config to use google authenticator
 ansible.builtin.copy:
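Review bot: `insertafter: BOF` in the first lineinfile task does not put the line at the top of /etc/pam.d/sshd — as far as I know the `BOF` sentinel is only recognised by `insertbefore`, so lineinfile treats `BOF` as a regexp that matches nothing and falls back to appending at EOF, after the password modules, which defeats the token-first ordering the new comments describe; change it to `insertbefore: BOF`. The task also has no `regexp`, so hosts configured by the previous version keep their old `auth required pam_google_authenticator.so` line at EOF and gain a second one whenever `google_auth_nullok` changes the rendered line; adding `regexp: '^auth\s+required\s+pam_google_authenticator\.so'` replaces the existing entry instead of duplicating it. The `pam_permit.so` task runs only while `google_auth_nullok` is true, so setting the variable back to false leaves `auth required pam_permit.so` in place; replacing the `when:` with `state: "{{ 'present' if google_auth_nullok else 'absent' }}"` keeps the file in step with the variable. If `google_auth_nullok` is not declared in the role defaults (not visible here), both the Jinja condition and the `when:` fail on an undefined variable. The enclosing `block:` starts before the hunk and the copy task at the end continues past it.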