-rw-r--r--README.md6
-rw-r--r--defaults/main.yml7
2 files changed, 7 insertions, 6 deletions
diff --git a/README.md b/README.md
index 99837c4..542af05 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-auth
It will create a `~/.google_authenticator` if required, and will NOT alter or remove any existing version.
-It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this.
+It will update `/etc/ssh/sshd_config.d` and `/etc/pam.d/sshd` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this.
## Configuration
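Review bot: The new sentence says the role updates `/etc/ssh/sshd_config.d`, which is a directory, without naming the drop-in file it writes or the sshd options it sets; since this is the file an operator will audit to confirm that tokens are enforced for password logins and skipped for key logins, name the drop-in file and the directives it contains, alongside the `/etc/pam.d/sshd` change that this line now adds.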
@@ -18,9 +18,9 @@ Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true`
### Allowing no-token logins when ~/.google_authenticator does not exist
-Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets the **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok**
+Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets adds **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok**
-With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist
+With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist. If not enabled (no **nullok** param) then users can NOT login until that `~/.google_authenticator` secret file is created.
### Pre-populating Google Authenticator secrets
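Review bot: The rewritten line introduces the typo "This sets adds **nullok** parameter" (pick "sets" or "adds", and add "the"), and both the old and new lines give the PAM file as `/etc/pamd./sshd`, which does not match the `/etc/pam.d/sshd` path used in `defaults/main.yml` in this same commit; correct it to `/etc/pam.d/sshd` so readers can find the line being modified. The added sentence about the `nullok`-disabled case is a useful fail-closed statement; consider also stating that the setting only affects password logins, since the README already says ssh-key connections skip the token unless `google_auth_force` is set.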
diff --git a/defaults/main.yml b/defaults/main.yml
index 964d155..0eb2f7a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,9 +3,10 @@
# User can be overridden by a vault variable or from hosts file entry or ansible cmdline
username: "{{ vault_username | default(ansible_user_id) }}"
-# Set the nullok parameter for pam_google_authenticator.so in /etc/pam.d/sshd
-# When set, this allows password logins if no ~/.google_authenticator exists
-# If not set, then can NOT login until ~/.google_authenticator is created
+# This enables/disables adding the nullok parameter to the pam_google_authenticator.so
+# line in /etc/pam.d/sshd
+# When enabled, nullok allows password logins even if no ~/.google_authenticator exists
+# If false (no 'nullok' param), then users can NOT login until their ~/.google_authenticator is created
google_auth_nullok: false
# Use google authenticator config from vault if it's there
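Review bot: The expanded comment reads well and the `false` default is the fail-closed choice described in the README hunk, but the second comment line "line in /etc/pam.d/sshd" is a fragment continued from the previous line; join it as a single sentence ("...pam_google_authenticator.so line in /etc/pam.d/sshd") or wrap consistently. It would also help to note here, as the README does, that `nullok` only relaxes the password (PAM) path, so operators do not expect it to affect ssh-key logins governed by `google_auth_force`.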