From d34a33b99625daf0cd71957d3b1f2cd4d981c459a871df197bda05e540c1337d Mon Sep 17 00:00:00 2001 From: Halfwalker Date: Mon, 23 Dec 2024 08:03:18 -0700 Subject: Improve wording about nullok parameter --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 99837c4..542af05 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-auth It will create a `~/.google_authenticator` if required, and will NOT alter or remove any existing version. -It will update `/etc/ssh/sshd_config.d` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this. +It will update `/etc/ssh/sshd_config.d` and `/etc/pam.d/sshd` to ensure that a token is required for any ssh connection _without_ an ssh key. Connections _with_ an ssh key will not require a token, though this may be enabled so that tokens are *always* required. Set the global **google_auth_force** variable to _true_ or an individual host entry (see below) to enable this. ## Configuration @@ -18,9 +18,9 @@ Edit `defaults/main.yml` or override on cmdline to set `google_auth_force: true` ### Allowing no-token logins when ~/.google_authenticator does not exist -Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets the **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok** +Edit `defaults/main.yml` or override on cmdline to set `google_auth_nullok: true`. This sets adds **nullok** parameter on the `/etc/pamd./sshd` line for **auth required pam_google_authenticator.so nullok** -With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist +With this set users can still login with password only and no TOTP request if their `~/.google_authenticator` file does not exist. If not enabled (no **nullok** param) then users can NOT login until that `~/.google_authenticator` secret file is created. ### Pre-populating Google Authenticator secrets -- cgit v1.2.3