feat(system/yubikey): implement PAM auth for Yubikey OTP
Signed-off-by: Matej Focko <me@mfocko.xyz>
parent
918f7c8fbf
commit
28531a4f07
4 changed files with 41 additions and 0 deletions
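--- a/roles/system/yubikey/defaults/main.yml
+++ b/roles/system/yubikey/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+# Pair of ID and token that are used for verifying the Yubikey OTP against the
+# Yubico servers
+
+# Yubikey App ID for the PAM module
+system_yubikey_id: None
+
+# Yubikey App Token for the PAM module
+system_yubikey_key: None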
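Review bot: `None` on the two default lines is not a YAML null; it loads as the literal string `None`, so a play that never sets these variables still passes any `is none` or `default()` guard and the template is written with `id=None key=None`. For a PAM auth module, that misconfiguration should stop the play rather than reach `/etc/pam.d`. I would leave both variables unset here, keeping the comments as documentation, and add an `ansible.builtin.assert` before the template task with `that: system_yubikey_id is defined and system_yubikey_key is defined`. Since the key is a credential for the validation service, the comment should also say it belongs in Ansible Vault rather than in plain inventory.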
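--- a/roles/system/yubikey/tasks/install.yml
+++ b/roles/system/yubikey/tasks/install.yml
@@ -0,0 +1,18 @@
+---
+- name: Install ‹pam_yubico› on Fedora/EPEL
+ansible.builtin.package:
+name: pam_yubico
+state: present
+when: ansible_distribution in [ "AlmaLinux", "CentOS", "Fedora" ]
+
+- name: Enable PPA on Ubuntu
+ansible.builtin.apt_repository:
+repo: ppa:yubico/stable
+state: present
+when: ansible_distribution == "Ubuntu"
+
+- name: Install ‹libpam-yubico› on Ubuntu
+ansible.builtin.package:
+name: libpam-yubico
+state: present
+when: ansible_distribution == "Ubuntu"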
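Review bot: The `Enable PPA on Ubuntu` task adds `ppa:yubico/stable` as a package source on every Ubuntu host, which lets a third-party archive supply root-installed packages for a module that sits in the authentication path. If the distribution archive already carries `libpam-yubico` (I believe it is in universe, but confirm for the releases you target), the PPA can be dropped or made opt-in, for example `when: ansible_distribution == "Ubuntu" and system_yubikey_use_ppa | default(false)`, where the variable name is only a suggestion. Separately, the first task's name mentions EPEL, but nothing visible in this file ensures EPEL is enabled on AlmaLinux or CentOS, so that install may fail unless another role handles it.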
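--- a/roles/system/yubikey/tasks/main.yml
+++ b/roles/system/yubikey/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Install packages
+ansible.builtin.include_tasks: install.yml
+tags: install
+
+- name: Set up PAM
+ansible.builtin.template:
+src: templates/yubikey-sufficient
+dest: /etc/pam.d/yubikey-sufficient
+mode: 0644
+owner: root
+group: root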
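Review bot: The `Set up PAM` task renders the API key into `/etc/pam.d/yubikey-sufficient` with `mode: 0644`, so every local account can read the credential used with the validation service. If every PAM consumer that includes this file runs as root, `mode: "0600"` closes that; if unprivileged services also include it, that trade-off should be stated in a comment on the task. I would also add `no_log: true` so the rendered key does not show up in `--diff` or verbose output. Quoting the mode as a string keeps it independent of how the YAML parser treats a leading zero.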
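--- a/roles/system/yubikey/templates/yubikey-sufficient
+++ b/roles/system/yubikey/templates/yubikey-sufficient
@@ -0,0 +1,2 @@
+#%PAM-1.0
+auth sufficient pam_yubico.so id={{ system_yubikey_id }} key={{ system_yubikey_key }}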
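Review bot: `sufficient` on the `auth` line means a valid OTP alone completes authentication in any stack that includes this file, so it replaces the password rather than adding a second factor. If that is intended, a comment in the template should say so; when two-factor is the goal, the usual form is `required` placed alongside the password module. The line also sets no `authfile=` option, so per the pam_yubico documentation the token-to-user mapping is read from each user's `~/.yubico/authorized_yubikeys`. For privileged stacks such as sudo, a root-owned mapping file (for example `authfile=/etc/yubikey_mappings`, path illustrative) keeps token enrolment out of user-writable locations.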