-rw-r--r-- | tasks/main.yml | 38 |
1 files changed, 25 insertions, 13 deletions
diff --git a/tasks/main.yml b/tasks/main.yml
index 8b889ad..96c2641 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -194,19 +194,31 @@
   # KbdInteractiveAuthentication yes
-  - name: Modify sshd_config to force use of google authenticator
-    ansible.builtin.copy:
-      dest: /etc/ssh/sshd_config.d/71-google_auth.conf
-      content: |
-        #
-        # For google authenticator to force use of token always
-        #
-        PasswordAuthentication no
-    # Only when global google_auth_force is true OR specific inventory_hostname has force_auth: true
-    when: >
-      google_auth_force == true or
-      (google_auth_config | selectattr('name', 'equalto', inventory_hostname) | list | length > 0 and
-      (google_auth_config | selectattr('name', 'equalto', inventory_hostname) | first).get('force_auth') is true)
+  - name: Instruct PAM to prompt for a password by default
+    ansible.builtin.replace:
+      path: "/etc/pam.d/sshd"
+      regexp: '^#.*@include common-auth'
+      replace: '@include common-auth'
+
+  - when: google_auth_force == true
+    block:
+      - name: Modify sshd_config to force use of google authenticator
+        ansible.builtin.copy:
+          dest: /etc/ssh/sshd_config.d/71-google_auth.conf
+          content: |
+            #
+            # For google authenticator to force use of token always
+            # Only when global google_auth_force is true
+            #
+            AuthenticationMethods publickey,password publickey,keyboard-interactive
+
+      - name: Instruct PAM to not prompt for a password
+        ansible.builtin.replace:
+          path: "/etc/pam.d/sshd"
+          regexp: '^@include common-auth'
+          replace: '# @include common-auth'
+  #
+  # block google_auth_force
   #
   # block system file updates
|
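Review bot: The `Instruct PAM to prompt for a password by default` task runs unconditionally before the `google_auth_force` block, so when the flag is true every run first uncomments `@include common-auth` and then re-comments it: both tasks report changed on every run, and between the two edits /etc/pam.d/sshd briefly accepts plain password authentication again. Guard the first task with the inverse condition, `when: not (google_auth_force | bool)`, and use `when: google_auth_force | bool` on the block as well, so each run touches the PAM file at most once and a string value from inventory is not compared against a boolean. The sshd drop-in has no counterpart for the false case: `/etc/ssh/sshd_config.d/71-google_auth.conf` written while the flag was true (or the `PasswordAuthentication no` variant written by the previous version of this task) stays in place after the flag is cleared, so an `ansible.builtin.file` task with `state: absent` for that path under the same inverse condition would keep sshd and PAM consistent. Commenting out `@include common-auth` removes pam_unix from sshd's whole PAM auth stack, not only from keyboard-interactive, so with UsePAM the `password` leg of `publickey,password` is then verified by whatever remains in /etc/pam.d/sshd — presumably the google-authenticator line configured outside this hunk; confirm that line is present on forced hosts, since otherwise that leg has no credential check behind it. The enclosing task list (the `block system file updates` block) starts outside the hunk.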