cesnet.yubikeys
===============

cesnet.yubikeys is an Ansible Galaxy role that sets up two-factor authentication for sudo using Yubikey USB tokens.

It adds a PAM (Pluggable Authentication Module) configuration for sudo that validates the one-time password entered by the user against Yubico's servers.

To run only the configuration part, use "--tags config".

Requirements


Role Variables


  • yubikey_id and yubikey_key: Unique values obtained from the Yubico API key generator.
  • yubikey_users: A mapping from username to user details (full name, Yubikey codes, SSH keys). See the example below.
  • yubikey_lognames: A list of usernames from the yubikey_users mapping that will be created. Default is empty.
  • sudo_root_lognames: A list of usernames that may use sudo to become root. Default is empty.
  • other_sudo_user: Another (non-root) username that selected users may sudo to. Default is "perun".
  • sudo_other_lognames: A list of usernames that may sudo to the user defined by other_sudo_user.

Example Playbook


In this example, 4 users are defined but only 3 are created. Users tesla and einstein can use sudo to become root, while user volta can use sudo to switch to user cthulhu.

- hosts: all
  roles:
    - role: cesnet.yubikeys
      vars:
        yubikey_id: "48695"
        yubikey_key: "jGAqANjXDwthsKp0dnboFGmZ5ag="
        yubikey_lognames: ['tesla', 'einstein', 'volta']
        sudo_root_lognames: "{{ yubikey_lognames }}"
        other_sudo_user: "cthulhu"
        sudo_other_lognames: ['volta']

        yubikey_users:
          tesla:
            name: Nikola Tesla
            yubikeys: 
              - ccccccefghij
            sshkeys: 
              - ssh-rsa AAAAB3... (SSH Key)
          einstein:
            name: Albert Einstein
            yubikeys: 
              - ccccccghijkl
            sshkeys: 
              - ssh-rsa AAAAB3... (SSH Key)
          volta:
            name: Alessandro Volta
            yubikeys: 
              - ccccccfghijk
            sshkeys: 
              - ssh-rsa AAAAB3... (SSH Key)
          gauss:
            name: Carl Friedrich Gauss
            yubikeys: 
              - cccccclkjihg
            sshkeys: 
              - ssh-rsa AAAAB3... (SSH Key)
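
As an added sanity check, not part of the role itself, the following Python validates role variables the way a reviewer would before running the play: it lists which users will actually be created, flags sudo lognames that point at users who will not exist, and checks that each Yubikey value is a 12-character modhex public id (the first 12 characters of a full OTP). The data is constructed by hand from the first example above and the helper names are hypothetical.

```python
import re

MODHEX_ID = re.compile(r"^[cbdefghijklnrtuv]{12}$")  # YubiKey public ids are 12 modhex chars

# Constructed from the README's first example playbook; the Jinja reference
# "{{ yubikey_lognames }}" is resolved by hand. (Hypothetical data, not role code.)
LOGNAMES = ["tesla", "einstein", "volta"]
EXAMPLE_VARS = {
    "yubikey_lognames": LOGNAMES,
    "sudo_root_lognames": LOGNAMES,
    "other_sudo_user": "cthulhu",
    "sudo_other_lognames": ["volta"],
    "yubikey_users": {
        "tesla":    {"name": "Nikola Tesla",         "yubikeys": ["ccccccefghij"]},
        "einstein": {"name": "Albert Einstein",      "yubikeys": ["ccccccghijkl"]},
        "volta":    {"name": "Alessandro Volta",     "yubikeys": ["ccccccfghijk"]},
        "gauss":    {"name": "Carl Friedrich Gauss", "yubikeys": ["cccccclkjihg"]},
    },
}

def yubikey_public_id(otp: str) -> str:
    """A full YubiKey OTP is 44 modhex chars; its first 12 are the public identity
    that belongs in the 'yubikeys' list (a bare 12-char id is accepted too)."""
    otp = otp.strip()
    if len(otp) not in (12, 44) or not MODHEX_ID.match(otp[:12]):
        raise ValueError("not a YubiKey OTP or public id")
    return otp[:12]

def users_to_create(v: dict) -> list:
    """Only yubikey_lognames entries that also appear in yubikey_users get created."""
    return [u for u in v.get("yubikey_lognames", []) if u in v["yubikey_users"]]

def validate_role_vars(v: dict) -> list:
    """Return human-readable problems; an empty list means the vars are consistent."""
    problems, users, created = [], v["yubikey_users"], set(users_to_create(v))
    for u in v.get("yubikey_lognames", []):
        if u not in users:
            problems.append(f"{u}: listed in yubikey_lognames but missing from yubikey_users")
    for key in ("sudo_root_lognames", "sudo_other_lognames"):
        for u in v.get(key, []):
            if u not in created:
                problems.append(f"{u}: in {key} but not a created user")
    if v.get("other_sudo_user", "perun") == "root":
        problems.append("other_sudo_user must not be root; use sudo_root_lognames instead")
    for u in created:
        for k in users[u].get("yubikeys", []):
            if not MODHEX_ID.match(k):
                problems.append(f"{u}: {k!r} is not a 12-char modhex YubiKey public id")
    return problems
```

Run against the example vars it reports three users to create and no problems; adding gauss to sudo_other_lognames without also listing him in yubikey_lognames is reported, since he would never be created.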

In this next example, the PAM module is installed, but no users are created. Use this setup if users are managed by another system like Perun.

- hosts: all
  roles:
    - role: cesnet.yubikeys
      vars:
        yubikey_id: "48695"
        yubikey_key: "jGAqANjXDwthsKp0dnboFGmZ5ag="

Project information

Managing access to root by yubikeys.

Install: ansible-galaxy install cesnet.yubikeys
License: bsd-2-clause
Downloads: 123
Owner: Czech Educational and Research Network