From 9cdb5bbeaf8412b8931beb206431eb897fcfc6b40e02dd763d2d4068382550b5 Mon Sep 17 00:00:00 2001 From: Halfwalker Date: Sat, 21 Dec 2024 18:37:42 -0700 Subject: Remove per-user force_auth - just have global google_force_auth --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 737b5f5..452d575 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,10 @@ It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for a ## Configuration +### Forcing use of Google Authenticator + +Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true`. This will ensure that TOTP code entry is required regardless of use of SSH key for login. This creates a `/etc/ssh/sshd_config.d/71-google_auth.conf` and modifies `/etc/pam.d/sshd` to comment out the **@include common-auth** line. + To pre-populate the TOTP secret there are two locations to place the information. * Place them into `defaults/main.yml` under the **google_auth_config** variable @@ -19,7 +23,6 @@ The format is as follows | Variable | Description | Required ? | | :--- | :--- | :--- | | name: | The inventory_hostname for this block | Required | -| force_auth: | Force token for ALL ssh connections for this host | Optional | | label: | Label for the otpauth: url for the QR code | Optional | | issuer: | Issuer for the otpauth: url for the QR code | Optional | | secret: | Standard `.google_authenticator` secret info | Required | @@ -30,7 +33,6 @@ The Optional keys have default values in `defaults/main.yml` # 1st line of secret can be 16 or 26 chars vault_google_auth_config: - name: host1.example.com - force_auth: false label: "Mailsys%20{{ inventory_hostname_short }}:{{ username }}" issuer: "Example%20Corp%20Mailsys" secret: | @@ -45,7 +47,6 @@ vault_google_auth_config: 23387673 16670568 - name: hosty.somewhere.com - force_auth: false secret: | MVXECANUVTIQ2647HK3S35FM3A " RATE_LIMIT 3 30 1734051365 -- cgit v1.2.3