Skip to content

Instantly share code, notes, and snippets.

@tulir tulir/defaults.yml
Last active Mar 5, 2017

Embed
What would you like to do?
Ansible role for libpam_u2f
u2f_keys:
- Output of `pamu2fcfg` without the username prefix
- Supports multiple entries (add a colon after each entry except the last)
u2f_rules_path: https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules
u2f_rules_checksum: sha256:c9998bb23f4c87d1469e5754f321138ad164e67d734dcb6a3ff2520f8f683448
- name: Download U2F USB rules
become: true
get_url:
url: "{{ u2f_rules_path }}"
dest: /etc/udev/rules.d/70-u2f.rules
checksum: "{{ u2f_rules_checksum }}"
register: u2f_rules_fetch
- name: Create U2F user config directory
file:
path: "{{ ansible_env.HOME }}/.config/Yubico"
state: directory
force: yes
recurse: yes
- name: Insert U2F keys
template:
src: path/to/u2f_keys.j2
dest: "{{ ansible_env.HOME }}/.config/Yubico/u2f_keys"
force: yes
- name: Configure PAM sudo (part 1)
become: true
lineinfile:
state: present
line: "#@include common-auth"
regexp: "@include common-auth"
dest: /etc/pam.d/sudo
- name: Configure PAM sudo (part 2)
become: true
blockinfile:
state: present
block: |
auth [success=2 default=ignore] pam_u2f.so cue
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
insertbefore: "@include common-account"
dest: /etc/pam.d/sudo
- name: Configure PAM common-auth
become: true
lineinfile:
state: present
line: auth required pam_u2f.so cue
insertbefore: auth.+pam_unix\.so
dest: /etc/pam.d/common-auth
{{ ansible_user }}:{% for u2f_key in u2f_keys %}{{ u2f_key }}{% endfor %}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.