Feature/2fa auth #123
Feature/2fa auth #123
Conversation
This adds the PAM module package, changes the SSHd configuration and the PAM configuration on RedHat and Debian systems to allow TOTP based second factor auth to work with SSH keys.
This will remove password auth from RedHat distros to ensure that only key based auth and 2FA codes can be used to authenticate users over SSH.
…ng into feature/2fa_auth
I had accidently placed this under an SELinux block rather than at the end of it as I had planned. Now placed before the SELinux block to be clear.
This will allow the current tests to run as they are failing because this is not defined. A better step would be to add some tests.
|
I am on vacation right now and will have a look afterwards. |
| lineinfile: "dest=/etc/pam.d/sshd state=present insertbefore=BOF regexp='pam_google_authenticator.so$' line='auth required pam_google_authenticator.so'" | ||
| notify: restart sshd | ||
|
|
||
| - name: Remove password auth from PAM |
There was a problem hiding this comment.
I haven't tested it yet, but is it possible to use the pamd module instead of replace and lineinfile?
There was a problem hiding this comment.
Interesting. I will go and have a look at the module and see if it would work. I was trying to ensure I was not bringing in any additional external dependencies but using a module for this would be nicer.
There was a problem hiding this comment.
Mostly done, I could not see how to remove the include with the Ansible PAM support.
| # Enable PAM to enforce system wide rules | ||
| UsePAM {{ 'yes' if ssh_use_pam else 'no' }} | ||
| {% if ssh_google_auth %} | ||
| AuthenticationMethods publickey,keyboard-interactive |
There was a problem hiding this comment.
Can you add a comment before this line indicating that it's here because of 2fa?
There was a problem hiding this comment.
Happy to, will get this pushed up later today.
Using the Ansible PAM support rather than regex based line editing for two out of the three PAM changes required for 2FA support. The last change does not appear to be supported by the Ansible PAM support unless I have missed something from the documentation.
This makes it clear why the ordering is public key then keyboard interactive.
|
I have made the requested changes. Let me know if there is anything else I can do to improve this. Thanks for the help. |
|
Thanks for rebasing, sorry that I did not react sooner. :( Could you remove this line: https://github.com/dev-sec/ansible-ssh-hardening/pull/123/files#diff-2444ad0870f91f17ca6c2a5e96b26823R66 Then I'll merge! |
2 participants
Adding Google Authenticator second factor auth to SSH.
This requires password auth to be disabled and SSH key based auth to be used along side the 2FA support.
If this is acceptable I would be happy to replicate the work in the Puppet and Chef modules that you do too.