-rw-r--r--README.md4
-rw-r--r--tasks/main.yml4
2 files changed, 6 insertions, 2 deletions
diff --git a/README.md b/README.md
index 6ff0355..99837c4 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,8 @@
This role is to install google authenticator and integrate it into ssh so that TOTP tokens may be required for ssh connections.
+https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
+
It will create a `~/.google_authenticator` if required, and will NOT alter or remove any existing version.
It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this.
@@ -20,6 +22,8 @@ Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true
With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist
+### Pre-populating Google Authenticator secrets
+
To pre-populate the TOTP secret there are two locations to place the information.
* Place them into `defaults/main.yml` under the **google_auth_config** variable
diff --git a/tasks/main.yml b/tasks/main.yml
index 3d47915..d01f776 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -49,7 +49,6 @@
# Only generate a new config if no existing local one
- when: not google_auth_config_local.stat.exists # No existing secret
block:
-
# Create new .google_authenticator from vault config if vault defined
- name: Create .google_authenticator file
ansible.builtin.copy:
@@ -86,7 +85,7 @@
#
-# Now we deal with a .google_authernticator, regardless of whether it already existed
+# Now we deal with a .google_authenticator, regardless of whether it already existed
# or was newly created, or was created from a vault config
#
- name: Pulling in /home/{{ username }}/.google_authenticator
@@ -130,6 +129,7 @@
ansible.builtin.set_fact:
google_scratch_codes: "{{ valid_lines | select('match', '^[0-9]{8}$') | list }}"
+# If label or issuer are not set in google_auth_config then the existing default values will be used
- name: Extract label for {{ inventory_hostname }} if it exists
ansible.builtin.set_fact:
google_auth_label: "{{ google_auth_config | selectattr('name', 'equalto', inventory_hostname) | map(attribute='label') | first }}"
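Review bot: The comment added on the line after the scratch-code task promises that the existing default is used when `label` (or `issuer`) is absent from `google_auth_config`, but the set_fact visible directly below it ends in `| first` with no fallback, so a host with no matching `name` entry, or an entry lacking a `label` key, yields an undefined value and fails the task rather than keeping the default — unless a `when:` guard outside the hunk covers it, which I cannot see from here. If a silent fallback is the intent, make the expression carry it: `google_auth_label: "{{ google_auth_config | selectattr('name', 'equalto', inventory_hostname) | selectattr('label', 'defined') | map(attribute='label') | first | default(google_auth_label) }}"` (assuming `google_auth_label` is declared in `defaults/main.yml`, as the comment implies), and mirror it in the issuer task, which lies outside the hunk. Whichever mechanism is chosen, the comment should name it, e.g. `# A host entry without label/issuer falls back to the value from defaults/main.yml via default()`, so the next reader does not have to infer it. The set_fact task itself continues past the end of the hunk.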