
ansible-yubikey's Introduction

hurricanehrndz.yubikey


This role installs and configures the Yubico PAM module (libpam-yubico). The configuration adds two PAM configuration files, both tested against Ubuntu's unmodified "common-auth": one that skips regular Unix (password) authentication and one that does not. It then modifies the sshd PAM config so that only users who are in the yubikey group, have a UID >= 1000, supply a valid OTP from a YubiKey authorized for their account, and enter the correct account password are authenticated successfully. The sudo PAM config is modified to require the same, except that no account password is needed.

Requirements

Role Variables

The following variables are read from other roles and/or the global scope (i.e. hostvars, group vars, etc.) and are a prerequisite for any changes to occur on the targeted host(s).

  • yubikey_api_id (number) - Yubico API ID.
  • yubikey_api_key (string) - Yubico API key.

Role Switches

By default this role installs and edits PAM configs so the SSH daemon requires both a Yubico OTP and the account password for successful authentication. This results in a three-step verification process (the methods already configured in sshd_config, plus OTP and password) before users in the yubikey group are granted access. For sudo, this role replaces password verification with Yubico OTP. The default deployment config can be tuned with the following variables.

yubikey_sshd_and_pass

Defaults to true, requiring both a Yubico OTP and the password for successful authentication. Set to false to require only the Yubico OTP. In either case, sshd requires the methods implied by this flag in addition to those specified in sshd_config (e.g. certificate).

yubikey_sudo_and_pass

Defaults to false, requiring only a Yubico OTP to be granted sudo privileges. Set to true to guard sudo with both Yubico OTP and password.

yubikey_sudo_chal_rsp

Defaults to false, meaning challenge-response authentication is not enabled. Set to true to grant sudo privileges with Yubico challenge-response authentication.

yubikey_users

List of users to configure for Yubico OTP and challenge-response authentication. See the role defaults for an example.
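As an added illustration of the PAM stack the description and switches above imply (this is not the role's own template; the README does not show its file names or exact layout), the sshd stanza with the default yubikey_sshd_and_pass: true and the sudo stanza with the default yubikey_sudo_and_pass: false. The API ID/key placeholders, the mapping file path and the sample user-to-key mappings are assumptions:

```text
# /etc/pam.d/sshd  (illustrative fragment; assumed layout, not the role's template)
#
# 1. Gate: only members of "yubikey" with UID >= 1000 may continue. On success the
#    next line (pam_deny) is skipped; any other result hits pam_deny and, because it
#    is "requisite", the whole auth stack fails right there.
auth    [success=1 default=ignore]  pam_succeed_if.so quiet user ingroup yubikey uid >= 1000
auth    requisite                   pam_deny.so
#
# 2. OTP: validated against the Yubico validation service with the role's
#    yubikey_api_id / yubikey_api_key. authfile maps each local user to the key
#    IDs authorised for that account, so a valid OTP from someone else's YubiKey
#    is still rejected for this user.
auth    required                    pam_yubico.so id=<YUBIKEY_API_ID> key=<YUBIKEY_API_KEY> authfile=/etc/yubikey_mappings
#
# 3. Password (yubikey_sshd_and_pass: true). With the flag set to false the role's
#    "skip Unix auth" file is used here instead of common-auth.
@include common-auth
#
# sshd only reaches this stack when sshd_config has "UsePAM yes" and lists
# keyboard-interactive among its AuthenticationMethods, e.g.
#   AuthenticationMethods publickey,keyboard-interactive
# which is what makes the OTP/password steps additional to the key/certificate check.

# /etc/yubikey_mappings  (constructed sample; format is <user>:<key id>[:<key id>...],
# where the key id is the 12-character modhex public ID that prefixes every OTP)
alice:cccccccccccc
bob:ccccccccdddd:ccccccccddde

# /etc/pam.d/sudo  (yubikey_sudo_and_pass: false -> the OTP replaces the password;
# same gate as for sshd, but no @include common-auth)
auth    [success=1 default=ignore]  pam_succeed_if.so quiet user ingroup yubikey uid >= 1000
auth    requisite                   pam_deny.so
auth    required                    pam_yubico.so id=<YUBIKEY_API_ID> key=<YUBIKEY_API_KEY> authfile=/etc/yubikey_mappings
@include common-account
@include common-session-noninteractive
```

Keep a root shell open while testing a stack like this: a misplaced `requisite pam_deny.so` line locks out every user who is not in the yubikey group, which is the intended effect for sshd and sudo but fatal if copied into a login or su stack.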

Dependencies

None.

Example Playbook

---
- hosts: all
  vars:
    yubikey_api_id: 1
    yubikey_api_key: "testkey"
  pre_tasks:
    # Refresh the package cache with whatever package manager the host uses
    - name: Update repo cache
      action: >
        {{ ansible_pkg_mgr }} update_cache=yes
  tasks:
    - name: Run pam-yubikey role
      include_role:
        name: hurricanehrndz.yubikey

License

MIT

Author Information

Carlos Hernandez | e-mail
