# Onboarding 2fa:
# Create a secret and authenticator using the tool in git:
# https://portal.dualinventive.com/git/devops/tools/src/branch/master/2fa
#
# In vars/users.yml:
# add for the user the following fields:
# secret: <<secret from the application above>>
# authenticator: <<authenticator from the application above>>
#
# The secret and authenticator are the same value, encoded in two different ways:
# secret is used by PAM for 2FA;
# authenticator is used for generating a QR code.
#
# You can generate the QR code using the following URL:
# https://cdn.rawgit.com/Daplie/browser-authenticator/gh-pages/index.html
# or using the program:
# https://portal.dualinventive.com/git/devops/tools/src/branch/master/2fa/browser-authenticator (fork)
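# Loads the per-user 2FA entries described in the header comment. users.yml
# carries the raw OATH secrets, so it should be kept ansible-vault encrypted
# rather than committed in the clear — TODO confirm how the repo stores it.
- name: Load 2FA user definitions
  include_vars: users.yml

# Module arguments are written as native YAML instead of key=value strings.
# `state: present` replaces `latest`: a configuration run should not silently
# upgrade already-installed packages as a side effect.
- name: Install libpam-oath
  apt:
    name: libpam-oath
    state: present
  become: true

- name: Install oathtool
  apt:
    name: oathtool
    state: present
  become: true

# Path of the OATH users file; referenced by the template task below.
- name: Set path of the OATH users file
  set_fact:
    auth_file: /etc/security/users.oath

# Replaces the PAM stack used by sshd. sshd is restarted through the
# "restart sshd" handler (defined elsewhere) so the new stack takes effect.
- name: Install PAM configuration for sshd
  template:
    src: pamd-sshd.j2
    dest: /etc/pam.d/sshd
    owner: root
    group: root
    mode: "0600"  # quoted: a bare 0600 is parsed as the integer 384 (octal)
  notify:
    - restart sshd
  become: true

# The rendered file contains the per-user secrets. no_log keeps the task
# result (and --diff output) from printing them into logs or CI output.
- name: Install OATH users file
  template:
    src: users.oath.j2
    dest: "{{ auth_file }}"
    owner: root
    group: root
    mode: "0600"  # quoted for the same reason as above
  notify:
    - restart sshd
  become: true
  no_log: true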