Playbook from GSA D2D team for installing Google Authenticator on Jumpbox
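---
# Task list that enforces SSH MFA (public key AND a Google Authenticator TOTP
# via PAM) on a yum-based host. It expects the including play to define
# `google_authenticator_source` (git URL) and `mfa_temp_path` (checkout dir).
# Nearly every task writes under /etc or /usr, so the play is presumably run
# with become at play level — confirm before use.
#
# Once the last task restarts sshd, every login needs a key plus a TOTP code.
# The PAM line added below has no `nullok`, so users without an enrolled
# ~/.google_authenticator secret cannot log in; enrolling users is not done
# anywhere in this file.

- name: WARNING!
  debug:
    msg:
      - "*************************WARNING!*************************"
      - Further execution of playbook will lock down hosts with MFA.
      - Temporay MFA codes will be provided upon completion.
      - If you DO NOT want to enable MFA at this time, cancel execution now!

- name: Pausing for 10 seconds...see previous message!
  # `pause` is the purpose-built module. The original used wait_for on a
  # non-existent path (/foo, state absent), which would block for the full
  # wait_for timeout and then fail if that path ever existed on a host.
  pause:
    seconds: 10

- name: Install PAM packages
  yum:
    name: "{{ item }}"
    state: present
  with_items:
    - pam
    - pam-devel

- name: Install auto tools
  yum:
    name: "{{ item }}"
    state: present
  with_items:
    - autoconf
    - automake
    - libtool

- name: Install git
  yum:
    name: git

- name: Clone Google Authenticator repo
  git:
    repo: "{{ google_authenticator_source }}"
    dest: "{{ mfa_temp_path }}"
    # Pin what gets built. Defaulting to HEAD keeps the original behaviour;
    # set `google_authenticator_version` to a tag or commit so the PAM module
    # installed on the host is a known, reviewed revision rather than
    # whatever the remote branch tip is at run time.
    version: "{{ google_authenticator_version | default('HEAD') }}"
    update: true

# Google Authenticator build borrows heavily from https://github.com/mikejonesey/openvpn-2fa/blob/3646afa4b42ef44e58a6d5f646bb297cea50b54b/tasks/main_sub.yml#L113.
- name: Config and install Google Authenticator
  # `command` instead of `shell`: none of these steps use shell features, so
  # there is no reason to have /bin/sh re-parse the arguments.
  command: "{{ item }}"
  become: true
  args:
    chdir: "{{ mfa_temp_path }}"
  with_items:
    - autoreconf --install
    - ./configure
    - make
    - make install

- name: Copy PAM module to correct path
  # `make install` drops the module under /usr/local; PAM on this platform
  # loads modules from /usr/lib64/security, hence the copy.
  copy:
    src: /usr/local/lib/security/pam_google_authenticator.so
    dest: /usr/lib64/security/
    remote_src: true

- name: Update PAM config file, 1 of 2
  # Disable the password-auth substack for sshd so keyboard-interactive is
  # answered by the TOTP module alone. Distro files usually align the
  # columns with runs of spaces; `\s+` matches those, whereas a single-space
  # pattern would miss the line and append a useless commented copy at EOF.
  lineinfile:
    dest: /etc/pam.d/sshd
    regexp: '^auth\s+substack\s+password-auth'
    line: "#auth substack password-auth"

- name: Update PAM config file, 2 of 2
  # blockinfile appends at end of file by default, so this `auth required`
  # line lands after the remaining auth entries — acceptable here because
  # password-auth was commented out above. No `nullok`: unenrolled users are
  # refused.
  blockinfile:
    dest: /etc/pam.d/sshd
    block: |
      auth required pam_google_authenticator.so
    state: present

- name: Update ssh daemon config, 1 of 2
  # `^#?` also matches the commented-out default, and the anchor avoids
  # matching unrelated lines. `validate` makes sshd syntax-check the edited
  # file before it replaces sshd_config, so a malformed edit cannot leave the
  # host with a daemon that fails to restart.
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^#?ChallengeResponseAuthentication'
    line: ChallengeResponseAuthentication yes
    validate: /usr/sbin/sshd -t -f %s

- name: Update ssh daemon config, 2 of 2
  # Require both a public key and a PAM keyboard-interactive exchange (the
  # TOTP prompt). This relies on `UsePAM yes`, which this file does not
  # set — it is the distro default on yum-based hosts; verify on the target.
  blockinfile:
    dest: /etc/ssh/sshd_config
    block: |
      AuthenticationMethods publickey,keyboard-interactive:pam
    state: present
    validate: /usr/sbin/sshd -t -f %s

- name: Restart sshd service
  # Existing sessions survive the restart; new logins need key + TOTP from
  # here on.
  service:
    name: sshd
    state: restarted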