0
0
mirror of https://github.com/saltstack-formulas/users-formula.git synced 2024-11-28 02:57:55 +01:00

readd 2fa pam enforcement

This commit is contained in:
Bohdan Kmit 2015-07-01 19:15:31 +03:00
parent a467d2a80f
commit d0bbbda8aa
2 changed files with 17 additions and 0 deletions

View File

@ -58,6 +58,7 @@ users:
options: options:
- "StrictHostKeyChecking yes" - "StrictHostKeyChecking yes"
google_2fa: True
google_auth: google_auth:
ssh: | ssh: |
SOMEGAUTHHASHVAL SOMEGAUTHHASHVAL

View File

@ -13,3 +13,19 @@ users_{{ users.googleauth_dir }}:
- user: root - user: root
- group: {{ users.root_group }} - group: {{ users.root_group }}
- mode: 600 - mode: 600
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
{%- if user.get('google_2fa', True) %}
users_googleauth-pam-{{ svc }}-{{ name }}:
file.replace:
- name: /etc/pam.d/{{ svc }}
- pattern: "^@include common-auth"
- repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
- unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
- backup: .bak
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}