Ansible role for libpam_u2f
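---
# Defaults for the libpam_u2f role.

# U2F registrations for the Ansible user, rendered into
# ~/.config/Yubico/u2f_keys by the "Insert U2F keys" task.
# Each entry is the output of `pamu2fcfg` with the leading "<username>:"
# prefix removed. pam_u2f separates multiple registrations with ":", and
# the template concatenates the entries verbatim, so every entry except
# the last must end with a colon.
# Shipped empty on purpose: a prose placeholder here would be written into
# the auth file verbatim whenever the variable is not overridden.
u2f_keys: []

# udev rules file for U2F USB devices. The URL points at the unpinned
# master branch, so the checksum below is what turns an upstream change
# into a hard failure instead of a silently different installed file.
u2f_rules_path: "https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules"

# Digest that get_url verifies the download against (get_url refuses a
# mismatching file). Must be updated whenever the upstream file changes.
u2f_rules_checksum: "sha256:c9998bb23f4c87d1469e5754f321138ad164e67d734dcb6a3ff2520f8f683448"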
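---
# Tasks for the libpam_u2f role: install the U2F udev rules, write the
# connecting user's key registrations, and wire pam_u2f into sudo and
# common-auth.
#
# Lockout warning: the final task makes pam_u2f "required" in common-auth,
# which every PAM service including that file will enforce. Keep a root
# shell open and verify login in a second session before trusting it.

- name: Refuse to touch PAM without any U2F keys configured
  # Guard against the lockout described above: an empty key list would
  # still produce a u2f_keys file and a "required" pam_u2f line.
  assert:
    that:
      - u2f_keys | length > 0
    msg: "u2f_keys is empty; making pam_u2f 'required' would lock the user out"

- name: Download U2F USB rules
  become: true
  get_url:
    url: "{{ u2f_rules_path }}"
    dest: /etc/udev/rules.d/70-u2f.rules
    # get_url refuses the file when the digest differs, so a change on the
    # unpinned upstream branch fails loudly rather than being installed.
    checksum: "{{ u2f_rules_checksum }}"
  # Not consumed in this file; presumably read by a handler or later task.
  register: u2f_rules_fetch

- name: Create U2F user config directory
  # Deliberately without become: ansible_env.HOME is the connecting user's
  # home only while not escalated — TODO confirm the play does not set
  # become at play level.
  file:
    path: "{{ ansible_env.HOME }}/.config/Yubico"
    state: directory
    force: true
    recurse: true

- name: Insert U2F keys
  template:
    # Placeholder path: point this at the u2f_keys.j2 shipped with the role.
    src: path/to/u2f_keys.j2
    dest: "{{ ansible_env.HOME }}/.config/Yubico/u2f_keys"
    force: true
    # This file decides which tokens are accepted, so pin its mode instead
    # of inheriting whatever the remote umask happens to be.
    mode: "0600"

- name: Configure PAM sudo (part 1)
  become: true
  # Comment out the common-auth include so sudo uses only the block below.
  # Idempotent: the commented-out line still matches the unanchored regexp.
  lineinfile:
    state: present
    line: "#@include common-auth"
    regexp: "@include common-auth"
    dest: /etc/pam.d/sudo

- name: Configure PAM sudo (part 2)
  become: true
  # success=N skips the next N modules: a U2F touch jumps straight to
  # pam_permit, and so does a correct password. sudo therefore accepts
  # EITHER factor, not both. Use the "required" control on pam_u2f if
  # sudo should demand token and password together.
  blockinfile:
    state: present
    block: |
      auth [success=2 default=ignore] pam_u2f.so cue
      auth [success=1 default=ignore] pam_unix.so nullok_secure
      auth requisite pam_deny.so
      auth required pam_permit.so
      auth optional pam_cap.so
    insertbefore: "@include common-account"
    dest: /etc/pam.d/sudo

- name: Configure PAM common-auth
  become: true
  # "required" ahead of pam_unix means token AND password for every
  # service that includes common-auth (presumably login, sshd with UsePAM,
  # display managers — check /etc/pam.d on the target). Users with no
  # u2f_keys file are denied unless pam_u2f is given nouserok, and this
  # role only writes a file for the connecting user.
  lineinfile:
    state: present
    line: auth required pam_u2f.so cue
    insertbefore: 'auth.+pam_unix\.so'
    dest: /etc/pam.d/common-auth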
{#- pam_u2f authfile line: "<user>:<entry>[:<entry>...]". The entries are
    concatenated verbatim with no separator, so every entry except the last
    must carry its own trailing ":" (as documented on the u2f_keys variable). -#}
{{ ansible_user }}:{{ u2f_keys | join('') }}