Ansible role for libpam_u2f
# Role defaults for the libpam_u2f role.

# Per-user U2F registrations, one list entry per registered key.
# Each entry is the output of `pamu2fcfg` with the leading "<username>:"
# removed. The template concatenates the entries verbatim, so when more than
# one key is listed every entry except the last must end with ":".
# The two entries below are descriptive placeholders, not credentials;
# override this list (inventory, group_vars, host_vars) before running the role.
u2f_keys:
  - 'Output of `pamu2fcfg` without the username prefix'
  - 'Supports multiple entries (add a colon after each entry except the last)'

# udev rules granting non-root access to U2F tokens. The role downloads this
# file and refuses it unless it matches u2f_rules_checksum. The URL tracks the
# master branch, so any upstream edit changes the hash and fails the download
# (that failure is the intended supply-chain guard); when bumping, pin a fixed
# ref and update the checksum together.
u2f_rules_path: 'https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules'
u2f_rules_checksum: 'sha256:c9998bb23f4c87d1469e5754f321138ad164e67d734dcb6a3ff2520f8f683448'
- name: Download U2F USB rules
  become: true
  # Fetch the udev rules that let unprivileged users talk to U2F tokens.
  # get_url enforces the sha256 in u2f_rules_checksum, so a changed or
  # tampered upstream file fails this task instead of being installed.
  get_url:
    url: "{{ u2f_rules_path }}"
    dest: /etc/udev/rules.d/70-u2f.rules
    checksum: "{{ u2f_rules_checksum }}"
  # Result is registered for callers that want to react to a changed rules
  # file; none of the tasks below consume it.
  register: u2f_rules_fetch
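- name: Create U2F user config directory
  # pam_u2f reads the per-user authfile from ~/.config/Yubico by default.
  # Deliberately no become: ansible_env.HOME is the connecting user's home and
  # the directory must belong to that user, not root.
  # Booleans are written as true/false (not yes/no) so the file parses the
  # same under YAML 1.1 and 1.2 loaders; the former force option was dropped
  # because the file module only honours it for link states.
  # Permissions are left to the umask; a mode such as "0700" would keep the
  # key handles private to the user — PAM reads the file as root, so
  # tightening should not break sudo/login, but confirm before changing it.
  file:
    path: "{{ ansible_env.HOME }}/.config/Yubico"
    state: directory
    recurse: true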
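- name: Insert U2F keys
  # Render the pam_u2f authfile ("<user>:<registration>[:<registration>...]")
  # into the user's config directory. force: true overwrites any hand-edited
  # file, so the role's u2f_keys list is the single source of truth for which
  # tokens may authenticate this user.
  # src is a placeholder path — point it at the role's u2f_keys template.
  # Booleans are written as true/false so YAML 1.1 and 1.2 loaders agree.
  template:
    src: path/to/u2f_keys.j2
    dest: "{{ ansible_env.HOME }}/.config/Yubico/u2f_keys"
    force: true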
- name: Configure PAM sudo (part 1)
  become: true
  # Take the shared common-auth include out of the sudo stack by commenting
  # it out; part 2 inserts an explicit U2F/password stack in its place.
  # The unanchored regexp also matches the already-commented line, so re-runs
  # rewrite it with identical content and stay idempotent.
  lineinfile:
    dest: /etc/pam.d/sudo
    regexp: '@include common-auth'
    line: '#@include common-auth'
    state: present
- name: Configure PAM sudo (part 2)
  become: true
  # Explicit auth stack for sudo, placed ahead of the account section.
  # success=N skips the next N modules on success: a successful U2F touch
  # jumps straight to pam_permit, a correct password (pam_unix) skips only
  # pam_deny and also lands on pam_permit, and pam_deny is reached only when
  # both fail. sudo therefore accepts EITHER factor (one-of-two), not both;
  # this differs from the common-auth change, which makes the token a second
  # required factor. blockinfile's "# ... ANSIBLE MANAGED BLOCK" markers are
  # PAM comments and are harmless in this file.
  blockinfile:
    dest: /etc/pam.d/sudo
    insertbefore: '@include common-account'
    state: present
    block: |
      auth [success=2 default=ignore] pam_u2f.so cue
      auth [success=1 default=ignore] pam_unix.so nullok_secure
      auth requisite pam_deny.so
      auth required pam_permit.so
      auth optional pam_cap.so
- name: Configure PAM common-auth
  become: true
  # Add the token as a *required* module ahead of pam_unix for every service
  # that includes common-auth (console login, sshd with PAM, screen lockers,
  # ...): the password alone no longer authenticates. Any account without an
  # entry in its u2f_keys file, and any session without the token present,
  # is locked out of those services unless pam_u2f is configured to allow it
  # (e.g. its nouserok option) — keep a root shell open while applying this.
  # TODO confirm the exact no-authfile behaviour against the installed
  # pam_u2f version.
  # The regexp is single-quoted so the backslash is unambiguous to any loader.
  lineinfile:
    dest: /etc/pam.d/common-auth
    insertbefore: 'auth.+pam_unix\.so'
    line: 'auth required pam_u2f.so cue'
    state: present
{#- pam_u2f authfile line: "<user>:<registration>[:<registration>...]".
    Entries are emitted verbatim with no separator, so a multi-key u2f_keys
    list must carry its own ":" after every entry but the last. ansible_user
    must be the Unix account pam_u2f authenticates, or the line is ignored.
    The "-#}" below strips this comment's trailing newline so the rendered
    file is unchanged. -#}
{{ ansible_user }}:{% for u2f_key in u2f_keys %}{{ u2f_key }}{% endfor %}