Diffstat (limited to 'README.md')
-rw-r--r-- README.md 7
1 files changed, 4 insertions, 3 deletions
diff --git a/README.md b/README.md
index 737b5f5..452d575 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,10 @@ It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for a
## Configuration
+### Forcing use of Google Authenticator
+
+Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true`. This will ensure that TOTP code entry is required regardless of use of SSH key for login. This creates a `/etc/ssh/sshd_config.d/71-google_auth.conf` and modifies `/etc/pam.d/sshd` to comment out the **@include common-auth** line.
+
To pre-populate the TOTP secret there are two locations to place the information.
* Place them into `defaults/main.yml` under the **google_auth_config** variable
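Review bot: The new "Forcing use of Google Authenticator" section says the role comments out the **@include common-auth** line in `/etc/pam.d/sshd`, but it does not state the consequence: the standard password stack is no longer part of sshd's PAM auth once that line is disabled. Please add a sentence on what happens to an account that has no `.google_authenticator` file when `google_auth_force: true` is set, so an operator can judge the lockout risk before enabling it. An example of the command-line override the text mentions would also help. Separately, the section is inserted directly under `## Configuration`, so the existing "To pre-populate the TOTP secret" paragraph now reads as part of the forcing section; give that paragraph its own `###` heading or move the new section below it.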
@@ -19,7 +23,6 @@ The format is as follows
| Variable | Description | Required ? |
| :--- | :--- | :--- |
| name: | The inventory_hostname for this block | Required |
-| force_auth: | Force token for ALL ssh connections for this host | Optional |
| label: | Label for the otpauth: url for the QR code | Optional |
| issuer: | Issuer for the otpauth: url for the QR code | Optional |
| secret: | Standard `.google_authenticator` secret info | Required |
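Review bot: The `force_auth:` row is dropped from the variable table with no migration note, and it was a per-host key ("for this host") while its replacement `google_auth_force` is described in the first hunk as a single setting in `defaults/main.yml`. Please document what happens to existing inventories that still carry `force_auth:` (ignored, or an error), and how to keep per-host control, for example by setting `google_auth_force` in host or group variables, if the role supports that.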
@@ -30,7 +33,6 @@ The Optional keys have default values in `defaults/main.yml`
# 1st line of secret can be 16 or 26 chars
vault_google_auth_config:
- name: host1.example.com
- force_auth: false
label: "Mailsys%20{{ inventory_hostname_short }}:{{ username }}"
issuer: "Example%20Corp%20Mailsys"
secret: |
@@ -45,7 +47,6 @@ vault_google_auth_config:
23387673
16670568
- name: hosty.somewhere.com
- force_auth: false
secret: |
MVXECANUVTIQ2647HK3S35FM3A
" RATE_LIMIT 3 30 1734051365
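Review bot: The sample block that remains after removing `force_auth: false` still shows a full-length secret (`MVXECANUVTIQ2647HK3S35FM3A`), scratch codes and a `RATE_LIMIT` line ending in a timestamp, which suggests it was copied from a `.google_authenticator` file that had been in use. Please confirm these are dummy values and label them as such in the README, or replace them with obvious placeholders. Since the example variable is named `vault_google_auth_config`, a line stating that real secrets belong in an encrypted vault file and not in `defaults/main.yml` in plain text would fit here.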