feat(system/yubikey): implement PAM auth for Yubikey OTP

Signed-off-by: Matej Focko <me@mfocko.xyz>
Matej Focko 2024-07-12 15:02:18 +02:00
parent 918f7c8fbf
commit 28531a4f07
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
4 changed files with 41 additions and 0 deletions


@ -0,0 +1,9 @@
---
# Pair of ID and token that are used for verifying the Yubikey OTP against the
# Yubico servers
# Yubikey App ID for the PAM module
system_yubikey_id: None
# Yubikey App Token for the PAM module
system_yubikey_key: None
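Review bot: `None` is not a YAML null here; it is the plain string "None", so with these defaults left untouched the PAM template renders `id=None key=None` and the play succeeds while installing a broken stanza. Write `system_yubikey_id: null` and `system_yubikey_key: null` (or leave them undefined) so a missing value fails at template time rather than silently, ideally paired with an assert in the role before the template task. `system_yubikey_key` is the Yubico API secret, so the comment above it should say where the real value must come from, e.g. `# Secret: override from a vault-encrypted vars file; never set a real value in defaults`.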


@ -0,0 +1,18 @@
---
- name: Install pam_yubico on Fedora/EPEL
ansible.builtin.package:
name: pam_yubico
state: present
when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
- name: Enable PPA on Ubuntu
ansible.builtin.apt_repository:
repo: ppa:yubico/stable
state: present
when: ansible_distribution == "Ubuntu"
- name: Install libpam-yubico on Ubuntu
ansible.builtin.package:
name: libpam-yubico
state: present
when: ansible_distribution == "Ubuntu"
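Review bot: The first task installs `pam_yubico` on AlmaLinux and CentOS, but nothing in this file enables EPEL, so on those distributions the package lookup fails unless another role has already configured it (the task name itself says "Fedora/EPEL"). An `epel-release` install guarded by the non-Fedora members of the list, placed ahead of it, closes that gap. On the Ubuntu side the PPA is a third-party repository; `libpam-yubico` is, to my knowledge, also available from Ubuntu's `universe` component, which is worth a comment for hosts where extra PPAs are not acceptable.
```yaml
- name: Enable EPEL on AlmaLinux/CentOS
  ansible.builtin.package:
    name: epel-release
    state: present
  when: ansible_distribution in ["AlmaLinux", "CentOS"]
# … unchanged: pam_yubico / PPA / libpam-yubico tasks …
```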


@ -0,0 +1,12 @@
---
- name: Install packages
ansible.builtin.include_tasks: install.yml
tags: install
- name: Set up PAM
ansible.builtin.template:
src: templates/yubikey-sufficient
dest: /etc/pam.d/yubikey-sufficient
mode: 0644
owner: root
group: root
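Review bot: The rendered `/etc/pam.d/yubikey-sufficient` embeds the Yubico API key, and `mode: 0644` makes that secret readable by every local user. PAM modules are loaded by the authenticating process, so `mode: "0600"` keeps it root-only for root-run clients such as sudo, login and sshd; if a non-root PAM client also needs this stanza, a dedicated group is the usual compromise. Quote the mode as a string in any case — unquoted `0644` only works because YAML 1.1 happens to read it as octal 420 — and add `no_log: true` (or `diff: false`) to the template task so the key is not echoed in check or diff output. Nothing here asserts the two variables are set before templating; an `ansible.builtin.assert` with `that: [system_yubikey_id is defined, system_yubikey_key is defined]` before the task turns a missing secret into a clear failure instead of a rendered placeholder.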


@ -0,0 +1,2 @@
#%PAM-1.0
auth sufficient pam_yubico.so id={{ system_yubikey_id }} key={{ system_yubikey_key }}
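Review bot: With `sufficient`, a valid OTP alone satisfies the `auth` stack of any service that includes this file, so as written this is a password replacement rather than a second factor; if two-factor is the intent, the control should be `required` or the include placed after the password module — which one applies depends on the consuming pam.d file, which is not part of this commit. No `authfile=` is given, so pam_yubico falls back to the per-user `~/.yubico/authorized_keys` mapping, which the user can edit to enroll any key of their choosing; for privilege-escalation services a root-owned central mapping such as `authfile=/etc/yubikey_mappings` is the safer choice. Since the line carries a secret and the role will overwrite the file, a header like `# Managed by Ansible (system/yubikey); do not edit by hand` above the `auth` line is worth adding.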