From d0bbbda8aa22a0016bebb1214d25e4c9914b867a Mon Sep 17 00:00:00 2001
From: Bohdan Kmit
Date: Wed, 1 Jul 2015 19:15:31 +0300
Subject: [PATCH] readd 2fa pam enforcement

---
 pillar.example | 1 +
 users/googleauth.sls | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/pillar.example b/pillar.example
index d6e0033..d96ea29 100644
--- a/pillar.example
+++ b/pillar.example
@@ -58,6 +58,7 @@ users:
 options:
 - "StrictHostKeyChecking yes"
+ google_2fa: True
 google_auth:
 ssh: |
 SOMEGAUTHHASHVAL
diff --git a/users/googleauth.sls b/users/googleauth.sls
index 7342132..9e6a9ff 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
@@ -13,3 +13,19 @@ users_{{ users.googleauth_dir }}:
 - user: root
 - group: {{ users.root_group }}
 - mode: 600
+
+{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if 'google_auth' in user %}
+{%- for svc in user['google_auth'] %}
+{%- if user.get('google_2fa', True) %}
+users_googleauth-pam-{{ svc }}-{{ name }}:
+ file.replace:
+ - name: /etc/pam.d/{{ svc }}
+ - pattern: "^@include common-auth"
+ - repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
+ - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
+ - backup: .bak
+{%- endif %}
+{%- endfor %}
+{%- endif %}
+{%- endfor %}
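Review bot: The `repl` line in the googleauth.sls hunk stacks pam_google_authenticator with `[success=done new_authtok_reqd=done default=die]` ahead of `@include common-auth`, so a correct verification code ends the auth stack before common-auth runs and the Unix password is never checked — the OTP becomes the only PAM factor rather than a second one (unless sshd is separately configured to also require a public key, which this patch does not show). If the intent is "password and OTP", stack it as a required module instead, e.g. `auth required pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth`, so both modules must pass. Note also that `google_2fa` is read per pillar user but `/etc/pam.d/{{ svc }}` is system-wide: once any user with the flag set (or left at its default of True) triggers the edit, every account using that service is subject to it, and accounts without a secret file at the `${USER}_{{ svc }}` path will fail to authenticate since no `nullok` is given; a comment next to the `google_2fa: True` key in pillar.example saying the flag is effectively host-wide would save operators a lockout.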