hurricanehrndz.pam_yubikey
hurricanehrndz.yubikey
This role sets up and configures the Yubico PAM module (libpam-yubico). It includes two extra PAM configuration files tested with the standard "common-auth" on Ubuntu. One file allows regular Unix authentication, while the other skips it. It also updates the sshd PAM configuration to ensure that only users in the yubikey group, with a UID of 1000 or more, who provide a valid OTP from an authorized Yubikey, and the correct account password, can log in. The sudo PAM configuration is modified similarly, but doesn't require the account password.
Requirements
- Yubikey
- Yubico API Key
Role Variables
The following variables are taken from other roles or the global scope (like hostvars or group vars), and are needed for any changes to be applied to the targeted host/hosts.
- yubikey_api_id (number) - Yubico API ID.
- yubikey_api_key (string) - Yubico API Key.
Role Switches
By default, this role installs and modifies PAM configs so the SSH daemon requires both Yubico OTP and a password for successful login. This creates a three-step verification process for users in the yubikey group. For sudo access, this role replaces the password requirement with Yubico OTP. The default settings can be adjusted with the following variables.
yubikey_sshd_and_pass
Default is true, meaning both Yubico OTP and password are needed for successful login. Set to false to only require Yubico OTP. This changes sshd to require the methods specified by this flag along with those in sshd_config (certificate).
yubikey_sudo_and_pass
Default is false, allowing only Yubico OTP for sudo access. Set to true to require both Yubico OTP and the password for sudo permissions.
yubikey_sudo_chal_rsp
Default is false, meaning Challenge Response Authentication is not enabled. Set to true to allow sudo access via Yubico Challenge Response authentication.
yubikey_users
A list of users to configure for Yubico OTP and Challenge Response authentication. Check role defaults for an example.
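The PAM stacks below illustrate the behaviour the switches above describe. They are added here as an example and are not the role's shipped configuration files; the file paths, the mapping-file location, the API placeholders and the sample token IDs are assumptions, and the module options used (pam_succeed_if conditions, pam_yubico id/key/authfile/mode/chalresp_path) are the standard ones documented by those modules.

```text
# --- /etc/pam.d/sshd with yubikey_sshd_and_pass: true (assumed layout) ---
# 1. Only members of the "yubikey" group with UID >= 1000 may continue;
#    any other account fails authentication right here.
auth    required    pam_succeed_if.so quiet uid >= 1000 user ingroup yubikey
# 2. A valid OTP from a key listed for this user in the mapping file,
#    verified online against the Yubico API (placeholders, not real values).
auth    required    pam_yubico.so id=<YUBICO_API_ID> key=<YUBICO_API_KEY> authfile=/etc/yubikey_mappings
# 3. The account password via the standard Unix stack.
@include common-auth

# --- /etc/pam.d/sshd with yubikey_sshd_and_pass: false ---
auth    required    pam_succeed_if.so quiet uid >= 1000 user ingroup yubikey
auth    required    pam_yubico.so id=<YUBICO_API_ID> key=<YUBICO_API_KEY> authfile=/etc/yubikey_mappings
# common-auth is not included, so no password step.

# --- /etc/pam.d/sudo with yubikey_sudo_and_pass: false, yubikey_sudo_chal_rsp: true ---
# Challenge-response is verified offline against a per-user state file
# (chalresp_path is an assumed location); "sufficient" means a successful
# touch ends the stack, a failure falls through to the online OTP check.
auth    sufficient  pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
auth    required    pam_yubico.so id=<YUBICO_API_ID> key=<YUBICO_API_KEY> authfile=/etc/yubikey_mappings

# --- /etc/yubikey_mappings (constructed sample) ---
# One line per user: username followed by the 12-character public ID of
# each authorized key (the first 12 modhex characters of its OTP).
alice:cccccccccccc:dddddddddddd
bob:vvvvvvvvvvvv
```

For the three-step login the description mentions, the OpenSSH side has to hand the session to PAM after the key check; on a stock OpenSSH that is `UsePAM yes`, `KbdInteractiveAuthentication yes` and `AuthenticationMethods publickey,keyboard-interactive:pam` in sshd_config (an assumption about the host's sshd_config, not a setting this README lists). Because the sudo stack above is `sufficient` for challenge-response, an attacker who steals only the account password still cannot obtain sudo without the physical key; conversely, a lost key plus a readable `/var/yubico` state file is what the offline mode has to protect, so that directory should be root-owned and unreadable to ordinary users.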
Dependencies
None.
Example Playbook
---
- hosts: all
  vars:
    yubikey_api_id: 1
    yubikey_api_key: "testkey"
  pre_tasks:
    - name: Update repo cache
      action: >
        {{ ansible_pkg_mgr }} update_cache=yes
  tasks:
    - name: Run pam-yubikey role
      include_role:
        name: hurricanehrndz.yubikey
License
Author Information
Carlos Hernandez | e-mail
ansible-galaxy install hurricanehrndz.pam_yubikey