---
#2FA AUTH
# Based on this: https://www.linux.com/blog/securing-ssh-two-factor-authentication-using-google-authenticator
# Toolchain and headers needed to compile the Google Authenticator PAM module
# from source. `state: latest` upgrades any listed package that is already
# installed each time the play runs.
- name: Install the dependency modules
  apt:
    name: "{{ item }}"
    state: latest
    update_cache: true
  with_items:
    - libpam0g-dev
    - make
    - gcc
    - wget
    - autoconf
    - libqrencode-dev
    - libqrencode3
    - libtool
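# Fetch the PAM module source into /srv/checkout.
# - HTTPS replaces the original `git://github.com:google/...` value, which
#   mixed git:// and scp-style syntax and named an unauthenticated,
#   unencrypted transport. Code that is compiled into the SSH authentication
#   stack should arrive over a verified channel.
# - `clone` is enabled: with clone and update both off the module never
#   fetched anything, leaving the build tasks without a source tree.
# - `update: false` is kept so later runs do not silently pull new upstream
#   commits. No revision is pinned; add `version:` with a reviewed tag or
#   commit so every host builds the same code.
- name: Clone the Google Authenticator module
  git:
    repo: https://github.com/google/google-authenticator.git
    dest: /srv/checkout
    clone: true
    update: false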
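# Generate the autotools build files for the PAM module.
# The working directory is an absolute path below the git task's
# dest=/srv/checkout. The original relative `google-authenticator/libpam`
# depended on whatever directory the command happened to start in and did
# not match the checkout location.
- name: Run ./bootstrap.sh
  command: ./bootstrap.sh
  args:
    chdir: /srv/checkout/libpam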
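# Run the generated ./configure script for the PAM module.
# The working directory is an absolute path below the git task's
# dest=/srv/checkout; the original relative `google-authenticator/libpam`
# did not match the checkout location.
- name: Configure the libpam module
  command: ./configure
  args:
    chdir: /srv/checkout/libpam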
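# Compile and install pam_google_authenticator.so.
# `&&` is shell syntax: the `command` module does not run a shell, so the
# original passed `&&`, `make` and `install` to make as arguments. The
# `shell` module is used so that `make install` only runs after a successful
# build. The command line is a fixed string with no templated input.
# The working directory is an absolute path below the git task's
# dest=/srv/checkout.
- name: Install the new module
  shell: make && make install
  args:
    chdir: /srv/checkout/libpam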
# The PAM module and the google-authenticator helper are installed at this
# point, so a TOTP secret can be generated.
# - The secret is created only for the account this task executes as; every
#   other SSH user still has to enrol separately.
# - `--force` writes the secret file without asking, so each run of the play
#   replaces the existing secret and invalidates devices enrolled earlier.
# - The registered stdout carries the secret key and the emergency scratch
#   codes; handle `auth_info` as a credential.
- name: Configure google-authenticator for the first time
  command: >-
    google-authenticator --time-based --disallow-reuse --force
    --qr-mode=UTF8 --rate-limit=3 --rate-time=30 --step-size=30
    --window-size=3
  register: auth_info
# Append the TOTP check to the end of sshd's PAM auth stack.
# `required` is used without the module's `nullok` option, so an account
# that has no ~/.google_authenticator file fails this step. Enrol every SSH
# user (or stage the rollout with `nullok`) before relying on this host's
# SSH access, and keep a console path available for recovery.
- name: Tell pam.d that Google Authenticator is required for authentication
  lineinfile:
    dest: /etc/pam.d/sshd
    line: auth required pam_google_authenticator.so
    insertafter: EOF
    state: present
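# Switch on challenge-response (keyboard-interactive) authentication so sshd
# relays the PAM verification-code prompt to the client.
# - `validate` makes lineinfile test the edited copy with `sshd -t` before it
#   replaces the live file, so a broken config cannot take SSH down at the
#   restart that follows.
# - Newer OpenSSH releases treat ChallengeResponseAuthentication as a
#   deprecated alias of KbdInteractiveAuthentication.
# - This setting alone does not add the TOTP prompt to public-key logins,
#   which do not pass through the PAM auth stack; requiring both needs an
#   AuthenticationMethods entry as well.
- name: Tell sshd to use the ChallengeResponseAuthentication
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: ChallengeResponseAuthentication no
    line: ChallengeResponseAuthentication yes
    state: present
    validate: /usr/sbin/sshd -t -f %s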
# Restart sshd so the PAM and sshd_config changes take effect. The restart
# is unconditional, so it happens on every run of the play. Keep an existing
# session open and confirm that a fresh login works before closing it.
- name: Restart the SSH service
  service:
    name: ssh
    state: restarted
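# Replace /etc/motd with a banner rendered by a third-party web service.
# - HTTPS replaces the original plain-HTTP URL: the response is written as
#   root into a file shown to every user at login, so it should not be
#   modifiable in transit. Confirm the endpoint still answers over HTTPS.
# - The content is still whatever the remote service returns and is not
#   integrity-checked; shipping a static banner with the role removes that
#   dependency.
# - The URL is quoted because it contains `?` and `&`.
- name: Get ASCII art and replace the login header with it
  get_url:
    url: 'https://artii.herokuapp.com/make?text=Secured+with+2FA&font=isometric3'
    dest: /etc/motd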
# Show the google-authenticator output so the operator can enrol a device.
# That output contains the TOTP secret and the emergency scratch codes, and
# it lands in the Ansible console and in any log or CI job history that
# captures the run. Restrict access to those records or drop this task once
# enrolment is handled another way.
- debug:
    var: auth_info.stdout