From 40489e5b26bc741b15bbea5cf2ee634880d40384393bdc319d23c482b89a62c8 Mon Sep 17 00:00:00 2001
From: Halfwalker
Date: Sat, 21 Dec 2024 18:41:43 -0700
Subject: Add option for nullok on google_authenticator.so in /etc/pam.d/sshd
---
 README.md | 6 ++++++
 defaults/main.yml | 5 +++++
 tasks/main.yml | 17 ++++++++++++++++-
 3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 452d575..6ff0355 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,12 @@ It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for a
 Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true`. This will ensure that TOTP code entry is required regardless of use of SSH key for login. This creates a `/etc/ssh/sshd_config.d/71-google_auth.conf` and modifies `/etc/pam.d/sshd` to comment out the **@include common-auth** line.
+### Allowing no-token logins when ~/.google_authenticator does not exist
+
+Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets the **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok**
+
+With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist
+
 To pre-populate the TOTP secret there are two locations to place the information.
 * Place them into `defaults/main.yml` under the **google_auth_config** variable
diff --git a/defaults/main.yml b/defaults/main.yml
index cf8b7e9..964d155 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,6 +3,11 @@
 # User can be overridden by a vault variable or from hosts file entry or ansible cmdline
 username: "{{ vault_username | default(ansible_user_id) }}"
+# Set the nullok parameter for pam_google_authenticator.so in /etc/pam.d/sshd
+# When set, this allows password logins if no ~/.google_authenticator exists
+# If not set, then can NOT login until ~/.google_authenticator is created
+google_auth_nullok: false
+
 # Use google authenticator config from vault if it's there
 # 1st line secret can be 16 or 26 chars
 # NOTE: Be sure to use char encoding for spaces
diff --git a/tasks/main.yml b/tasks/main.yml
index 882f8ad..3d47915 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -163,12 +163,27 @@ block:
 # Set pam to use google authenticator for ssh
 # echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
+ # echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/sshd
+ # The nullok allows regular login if ~/.google_authenticator doesn't exist
+ # Putting at beginning of file means it will ask for token FIRST, then password
+ # This prevents someone from being able to attempt passwords until/unless they have token
 - name: Set pam to use google authenticator for ssh
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/sshd
+ insertafter: BOF
+ line: 'auth required pam_google_authenticator.so{% if google_auth_nullok %} nullok{% endif %}'
+ state: present
+
+ # Must have at least one SUCCESS answer - nullok makes sshd answer IGNORE
+ # Adding pam_permit to end ensure that sshd module will answer SUCCESS if nothing else does
+ # https://github.com/google/google-authenticator-libpam#nullok
+ - name: Set pam to use pam_permit if nullok is defined
 ansible.builtin.lineinfile:
 path: /etc/pam.d/sshd
 insertafter: EOF
- line: 'auth required pam_google_authenticator.so'
+ line: 'auth required pam_permit.so'
 state: present
+ when: google_auth_nullok
 - name: Modify sshd_config to use google authenticator
 ansible.builtin.copy:
-- 
cgit v1.2.3
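Review bot: The new `ansible.builtin.lineinfile` task "Set pam to use google authenticator for ssh" has no `regexp`, so when `google_auth_nullok` is toggled, or on a host configured by the previous version of the role (which appended the plain `auth required pam_google_authenticator.so` at EOF), the old line stays and a second variant is added; both would then be evaluated as `required`, and I'd expect the nullok-less one to keep rejecting users with no `~/.google_authenticator`, which defeats the option. Add `regexp: '^auth\s+required\s+pam_google_authenticator\.so'` to that task so the existing line is rewritten in place instead of duplicated, noting that `insertafter: BOF` then only applies on first insertion, so the "ask for token FIRST" comment holds only for fresh hosts. The "Set pam to use pam_permit if nullok is defined" task only adds `auth required pam_permit.so` while nullok is true and never removes it, so switching `google_auth_nullok` back to false leaves the permit line in `/etc/pam.d/sshd`; use `state: "{{ 'present' if google_auth_nullok else 'absent' }}"` and drop the `when:`. The enclosing `block:` starts before this hunk.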