aboutsummaryrefslogtreecommitdiff
path: root/README.md
diff options
context:
space:
mode:
Diffstat (limited to 'README.md')
-rw-r--r--README.md6
1 files changed, 3 insertions, 3 deletions
diff --git a/README.md b/README.md
index 99837c4..542af05 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-auth
It will create a `~/.google_authenticator` if required, and will NOT alter or remove any existing version.
-It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this.
+It will update `/etc/ssh/sshd_config.d` and `/etc/pam.d/sshd` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this.
## Configuration
@@ -18,9 +18,9 @@ Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true`
### Allowing no-token logins when ~/.google_authenticator does not exist
-Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets the **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok**
+Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets adds **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok**
-With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist
+With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist. If not enabled (no **nullok** param) then users can NOT login until that `~/.google_authenticator` secret file is created.
### Pre-populating Google Authenticator secrets