From 28531a4f0749c61e5c0af85ef97bd6a9af07a46f Mon Sep 17 00:00:00 2001
From: Matej Focko
Date: Fri, 12 Jul 2024 15:02:18 +0200
Subject: [PATCH] feat(system/yubikey): implement PAM auth for Yubikey OTP

Signed-off-by: Matej Focko
---
 roles/system/yubikey/defaults/main.yml | 9 +++++++++
 roles/system/yubikey/tasks/install.yml | 18 ++++++++++++++++++
 roles/system/yubikey/tasks/main.yml | 12 ++++++++++++
 .../yubikey/templates/yubikey-sufficient | 2 ++
 4 files changed, 41 insertions(+)
 create mode 100644 roles/system/yubikey/defaults/main.yml
 create mode 100644 roles/system/yubikey/tasks/install.yml
 create mode 100644 roles/system/yubikey/tasks/main.yml
 create mode 100644 roles/system/yubikey/templates/yubikey-sufficient

diff --git a/roles/system/yubikey/defaults/main.yml b/roles/system/yubikey/defaults/main.yml
new file mode 100644
index 0000000..5148817
--- /dev/null
+++ b/roles/system/yubikey/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+# Pair of ID and token that are used for verifying the Yubikey OTP against the
+# Yubico servers
+
+# Yubikey App ID for the PAM module
+system_yubikey_id: None
+
+# Yubikey App Token for the PAM module
+system_yubikey_key: None
diff --git a/roles/system/yubikey/tasks/install.yml b/roles/system/yubikey/tasks/install.yml
new file mode 100644
index 0000000..fc7923b
--- /dev/null
+++ b/roles/system/yubikey/tasks/install.yml
@@ -0,0 +1,18 @@
+---
+- name: Install ‹pam_yubico› on Fedora/EPEL
+ ansible.builtin.package:
+ name: pam_yubico
+ state: present
+ when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
+
+- name: Enable PPA on Ubuntu
+ ansible.builtin.apt_repository:
+ repo: ppa:yubico/stable
+ state: present
+ when: ansible_distribution == "Ubuntu"
+
+- name: Install ‹libpam-yubico› on Ubuntu
+ ansible.builtin.package:
+ name: libpam-yubico
+ state: present
+ when: ansible_distribution == "Ubuntu"
diff --git a/roles/system/yubikey/tasks/main.yml b/roles/system/yubikey/tasks/main.yml
new file mode 100644
index 0000000..e5495e1
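Review bot: `system_yubikey_id: None` and `system_yubikey_key: None` are plain-scalar strings, not nulls (YAML only treats `null`/`~`/empty as null), so a host that never overrides them still renders a PAM line with the literal text `id=None key=None` instead of making the play fail. Write the defaults as `system_yubikey_id: null` / `system_yubikey_key: null` and guard the template task with an `ansible.builtin.assert` whose `that:` checks `system_yubikey_id is not none` and `system_yubikey_key is not none`, so a misconfigured host stops before a broken PAM file is written. As far as I know the Yubico API key is a shared secret used to verify the validation service's responses, so its comment should say it belongs in an encrypted source: `# Secret: supply from Ansible Vault, never from plaintext inventory`.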
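Review bot: The Ubuntu branch adds the third-party `ppa:yubico/stable` to the host's package sources, which extends the host's supply-chain trust to every package that PPA publishes, not just `libpam-yubico`. As far as I know `libpam-yubico` is already in Ubuntu's own archive (universe), so the PPA task may be unnecessary; if it is kept, a comment stating why the archive build is insufficient would justify the added trust. The EL branch installs `pam_yubico`, which on AlmaLinux/CentOS comes from EPEL, but nothing in the role enables EPEL, so that task will presumably fail on a host without it; either add the prerequisite or document it next to the `when:`. The `ansible_distribution` list also omits RedHat and Rocky, which the task name's "Fedora/EPEL" suggests were meant to be covered.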
--- /dev/null
+++ b/roles/system/yubikey/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Install packages
+ ansible.builtin.include_tasks: install.yml
+ tags: install
+
+- name: Set up PAM
+ ansible.builtin.template:
+ src: templates/yubikey-sufficient
+ dest: /etc/pam.d/yubikey-sufficient
+ mode: 0644
+ owner: root
+ group: root
diff --git a/roles/system/yubikey/templates/yubikey-sufficient b/roles/system/yubikey/templates/yubikey-sufficient
new file mode 100644
index 0000000..d04fa9f
--- /dev/null
+++ b/roles/system/yubikey/templates/yubikey-sufficient
@@ -0,0 +1,2 @@
+#%PAM-1.0
+auth sufficient pam_yubico.so id={{ system_yubikey_id }} key={{ system_yubikey_key }}
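Review bot: `mode: 0644` is an unquoted octal literal; Ansible's YAML loader parses it as the integer 420, and the Ansible docs warn this form only works sometimes, so quote it: `mode: "0644"` (ansible-lint reports this as risky-octal). Separately, the rendered file carries the `key=` value in plaintext at 0644, readable by every local account, and as far as I know the Yubico API key is the secret used to verify validation-server responses, so a local user could read it. Whether `"0600"` is workable depends on whether only root-run services include this stack (libpam reads the file in the calling process), so either confirm that and tighten the mode, or keep the key out of a world-readable file. The `src: templates/yubikey-sufficient` path also works only through Ansible's fallback search; `src: yubikey-sufficient` is the conventional form inside a role.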
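Review bot: The template hard-codes `sufficient`, which means a valid OTP alone satisfies the stack and a failed OTP is simply ignored, so in no position does this line make the OTP a mandatory second factor; given the file name that looks deliberate, but it should be stated in the file so nobody includes it expecting 2FA: `# 'sufficient': a valid OTP alone authenticates and a failed OTP is ignored; use 'required' when the OTP must be a second factor`. With no `authfile=` option pam_yubico resolves the user-to-token mapping from each user's own home directory as far as I recall, which lets users enrol tokens for themselves; for a centrally administered mapping add `authfile=<path to a root-owned mapping file>` to the line. A `{{ ansible_managed }}` comment at the top would also mark the file as role-owned.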