author | Halfwalker <deano-gitea@areyes.com> | 2024-12-14 15:23:42 -0700 |
---|---|---|
committer | Nicholas Johnson <mail@nicholasjohnson.ch> | 2025-01-29 00:00:00 +0000 |
commit | e857ecddd90424302c31d342aba276d5c8ca9dab85eaecc69af55dd0bf5ba2e1 (patch) | |
tree | 21a593fe9ea01c54d65f9e8e08923685cfe825db5a44386677677dbb958b7f68 /tasks | |
parent | 86bd5e0eccec2453afd1ab11a1221d6e3f0e819ba8386b3edf50387f69ff9266 (diff) | |
Some tasks needed become: yes
Diffstat (limited to 'tasks')
-rw-r--r-- | tasks/main.yml | 62 |
1 files changed, 33 insertions, 29 deletions
diff --git a/tasks/main.yml b/tasks/main.yml index 3ccda8e..74e0a32 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -35,6 +35,7 @@ update_cache: true install_recommends: no name: "{{ google_auth_packages }}" + become: yes # # If google_auth_config is defined then use those values to build .google_authenticator etc. 
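Review bot: The added `become: yes` uses a YAML 1.1 truthy value; `become: true` is the form ansible-lint's `yaml[truthy]` rule expects and it matches `update_cache: true` a few lines above. The same applies to `- become: yes` opening the block in the second hunk, and to the unchanged `install_recommends: no` in this task. The task's name and module line are outside the hunk, so this assumes it is the package-install task its arguments suggest.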
@@ -146,33 +147,36 @@ msg: "{{ google_auth_qrcode.stdout }}" -# Set pam to use google authenticator for ssh -# echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd -- name: Set pam to use google authenticator for ssh - ansible.builtin.lineinfile: - path: /etc/pam.d/sshd - insertafter: EOF - line: 'auth required pam_google_authenticator.so' - state: present - -- name: Modify sshd_config to use google authenticator - ansible.builtin.copy: - dest: /etc/ssh/sshd_config.d/70-google_auth.conf - content: | - # - # For google authenticator - # - ChallengeResponseAuthentication yes - -- name: Modify sshd_config to force use of google authenticator - ansible.builtin.copy: - dest: /etc/ssh/sshd_config.d/71-google_auth.conf - content: | - # - # For google authenticator to force use of token always - # - PasswordAuthentication no - # Only when global google_auth_force is true OR specific inventory_hostname has force_auth: true - when: google_auth_force == true or google_auth_config | selectattr('name', 'equalto', inventory_hostname) | selectattr('force_auth', 'equalto', true) | list | length > 0 - +- become: yes + block: + # Set pam to use google authenticator for ssh + # echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd + - name: Set pam to use google authenticator for ssh + ansible.builtin.lineinfile: + path: /etc/pam.d/sshd + insertafter: EOF + line: 'auth required pam_google_authenticator.so' + state: present + + - name: Modify sshd_config to use google authenticator + ansible.builtin.copy: + dest: /etc/ssh/sshd_config.d/70-google_auth.conf + content: | + # + # For google authenticator + # + ChallengeResponseAuthentication yes + + - name: Modify sshd_config to force use of google authenticator + ansible.builtin.copy: + dest: /etc/ssh/sshd_config.d/71-google_auth.conf + content: | + # + # For google authenticator to force use of token always + # + PasswordAuthentication no + # Only when global google_auth_force is true OR specific 
inventory_hostname has force_auth: true + when: google_auth_force == true or google_auth_config | selectattr('name', 'equalto', inventory_hostname) | selectattr('force_auth', 'equalto', true) | list | length > 0 + # + # block system file updates |
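Review bot: `71-google_auth.conf` is commented as forcing the token always, but it only sets `PasswordAuthentication no`; sshd does not run the PAM auth stack for a successful public-key login, so key-based sessions would not be asked for a code unless `AuthenticationMethods` is set somewhere not shown here. If the intent is key plus token, that file could also carry a line such as `AuthenticationMethods publickey,keyboard-interactive`. Neither `copy` task sets `mode`/`owner` or a `validate` step, and no `notify` for an sshd reload is visible in the hunk, so a malformed drop-in is not caught and the new settings may not be live until the next restart. Whitespace is collapsed on this page, so it is worth confirming that `when:` still sits on the third task rather than on the `block` itself.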