readd 2fa pam enforcement
This commit is contained in:
parent
a467d2a80f
commit
d0bbbda8aa
|
@ -58,6 +58,7 @@ users:
|
|||
options:
|
||||
- "StrictHostKeyChecking yes"
|
||||
|
||||
google_2fa: True
|
||||
google_auth:
|
||||
ssh: |
|
||||
SOMEGAUTHHASHVAL
|
||||
|
|
|
@ -13,3 +13,19 @@ users_{{ users.googleauth_dir }}:
|
|||
- user: root
|
||||
- group: {{ users.root_group }}
|
||||
- mode: 600
|
||||
|
||||
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
|
||||
{%- if 'google_auth' in user %}
|
||||
{%- for svc in user['google_auth'] %}
|
||||
{%- if user.get('google_2fa', True) %}
|
||||
users_googleauth-pam-{{ svc }}-{{ name }}:
|
||||
file.replace:
|
||||
- name: /etc/pam.d/{{ svc }}
|
||||
- pattern: "^@include common-auth"
|
||||
- repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
|
||||
- unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
|
||||
- backup: .bak
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
|
|
Loading…
Reference in New Issue