From 40489e5b26bc741b15bbea5cf2ee634880d40384393bdc319d23c482b89a62c8 Mon Sep 17 00:00:00 2001
From: Halfwalker <deano-gitea@areyes.com>
Date: Sat, 21 Dec 2024 18:41:43 -0700
Subject: Add option for nullok on google_authenticator.so in /etc/pam.d/sshd

---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'README.md')

diff --git a/README.md b/README.md
index 452d575..6ff0355 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,12 @@ It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for a
 
 Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true`.  This will ensure that TOTP code entry is required regardless of use of SSH key for login.  This creates a `/etc/ssh/sshd_config.d/71-google_auth.conf` and modifies `/etc/pam.d/sshd` to comment out the **@include common-auth** line.
 
+### Allowing no-token logins when ~/.google_authenticator does not exist
+
+Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`.  This sets the **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok**
+
+With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist
+
 To pre-populate the TOTP secret there are two locations to place the information.
 
 * Place them into `defaults/main.yml` under the **google_auth_config** variable
-- 
cgit v1.2.3