CESNET/ansible-role-yubikeys
cesnet.yubikeys

Ansible Galaxy role cesnet.yubikeys that sets up second-factor authentication for sudo using YubiKey hardware USB tokens.

It adds a PAM module for sudo that calls the Yubico validation servers to verify the one-time code (OTP) entered by the user.

Use `--tags config` to run only the configuration tasks.

Requirements

Role Variables

  • yubikey_id and yubikey_key - the client ID and API key pair obtained from https://upgrade.yubico.com/getapikey/
  • yubikey_users - mapping from lognames to hashes with the user's full name, YubiKey IDs and ssh keys; see the example below
  • yubikey_lognames - list of login names, taken from the yubikey_users hash, for which accounts are created; default is empty
  • sudo_root_lognames - list of lognames allowed to sudo to root; default is empty
  • other_sudo_user - a logname other than root to which selected users can sudo; default is "perun"
  • sudo_other_lognames - list of lognames allowed to sudo to the user defined by other_sudo_user

Example Playbook

In the following example, 4 users are defined in yubikey_users, but only the 3 listed in yubikey_lognames will be created. Users tesla and einstein will be able to sudo to root, and user volta will be able to sudo to user cthulhu.

```yaml
- hosts: all
  roles:
    - role: cesnet.yubikeys
      vars:
        yubikey_id: "48695"
        yubikey_key: "jGAqANjXDwthsKp0dnboFGmZ5ag="
        yubikey_lognames: [ 'tesla', 'einstein', 'volta' ]
        # list of lognames that can sudo to root
        sudo_root_lognames: "{{ yubikey_lognames }}"
        # another logname than root to which selected users can sudo
        other_sudo_user: "cthulhu"
        # list of lognames that can sudo to the other user defined by other_sudo_user
        sudo_other_lognames: ['volta' ]

        # list of users
        ## logname - unix login name
        ## name - full name, will be put into /etc/passwd
        ## yubikeys - list of YubiKey IDs (the first 12 characters of any code generated by the user's YubiKey); will be put into /etc/yubico/authorized_yubikeys
        ## sshkeys - list of public parts of ssh keys; will be put into $HOME/.ssh/authorized_keys
        yubikey_users:
          tesla:
            name: Nikola Tesla
            yubikeys:
              - ccccccefghij
            sshkeys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDe9Rb2N5aq5qYAi8OCeQKlpOBJi/Ll2tlxqiD7Gan7wJrFBbrZIj8a5tOpHKTm61ldihxG7hnXkyEvbAX5vx/6lLagKaLFL3ysh3iH3ZxiXFYXfLklqrrCK2kuwdCIasMF4kJYzS/goLEGeqBkeJN8SvTj2THvzWcvsTZXIgXygzqiiSKlJao2v62EZv3Pi0eP8KhLrdYW2EcePBOKclLGYxdAX0k9KMJHJRecQhS2BtDLDL1rGoCCrw3Pd8689xovzYKC/ATnTZ89slA9HlrKyQjkjVeBX7WbRsjrgYKEDeqWZbdzjT9Nhg/Ftewbqh2V6p8OFQTftKUOmmPXlwAr
          einstein:
            name: Albert Einstein
            yubikeys:
              - ccccccghijkl
            sshkeys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQiusTXxPGdXXzhHyU9wEb1i5PAdN/qBX8lVw90/yZo6LKBl+fO2QuRTQUxxRgk05puXYwWMF4IheoVBmWFzwClyH/Ox88Yq+WM4nGxIpzvoyUZQ0rRM7a0LfaLvDsJpkoMOr53LFfQtdTY7ZiKXsaTI1EmhHXVmfgFXDTu4IE2EBGUrKPj28+yD/5UuyybA/TfZJ6wW51M0QAaQy3n2xWY+K+aFfTJv2vQin2cIjIPMWfUoUCR2eYNbtZ/uHwXgJxK1W3PeeJhLjW8RXdfLiSOA3+8X5NCHGBs5BLdvieQjB0SYb0NqCc7scAlJV14MGlWdBYuczV2gvn2mnT4q3F
          volta:
            name: Alessandro Volta
            yubikeys:
              - ccccccfghijk
            sshkeys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnkDzzBfCAgjxv4lZKZ744lPiIRbGhfnQFbSEmeU7ZlRn5zPK2r7Ur+T7I89YHly1nEVPoQ0O8elA7eDaHZ2jIUyYXbzVrYr+7dNSvoO+tqXoG1r5VuZM8jv9m55IFClV0NONqbrgDLRl771ZVqdMah10xPA9X5hv5O17LlDYWyP0j5tJ6M1Ua3t1oI+Gsx28xicJYuLSA5ixpb0b5vftlSvdz7OCC1ojKdTESV3dGifgmJ+B4OZu3ha/Ti6K+pIOYHNtg/yriI6AZNZyLG/L/x5EtE28XRBOr2auXuIlBwK1IWI9MtoSB6L8WjhHl+7WPQej50eL9keK22diIJen9
          gauss:
            name: Carl Friedrich Gauss
            yubikeys:
              - cccccclkjihg
            sshkeys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgdleNFp+4o849ZNts1cluRtE8VPJCDgo9dllcScw/z3alhhmxXT8oQWG0XXzx3r0rfzfDIC0Lqw5xPEsX8yDLl4SeQzHyHycwM5773IBuN5EYrul+34aGHHawqFIksKpbS3ADMwHEd25tzHr1SzAX2vLt3a6RqFhfaW6YnVcMU3ZFOZGfyLmsFjCsIJ2XsIVhzhX8s13vy2jwC2uQ+rTzMMtIgXkx/UQ1mjr9dj/XtDNT3bPwvjVd7/N0BT6PL0H4hNH4jBAby9mRYGfON/LNTLyrUD280w4A5Zu1JGPl+VBxMjN83m1l5k9i5w6vDLU/7TRzAXATINlLIYwWH+1J
```
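The playbook above is easy to get subtly wrong: a logname listed in sudo_other_lognames but missing from yubikey_lognames, or a "yubikey id" that is not really the 12-character modhex public id, will only show up as a failed sudo later. The following script is an added example, not part of the role; it mirrors the first playbook's variables (ssh keys left out, since they are not needed for the check) and validates them the way a reviewer would before running the play. It also renders the two things the role's PAM setup depends on. The `logname:id1:id2` line format of /etc/yubico/authorized_yubikeys and the `id=`, `key=` and `authfile=` options of pam_yubico.so are pam_yubico's own conventions and are assumed here, not taken from this README.

```python
"""Check a cesnet.yubikeys-style variable set and render the authfile and
PAM line that the sudo second factor depends on (added example, not role code)."""
import re

# YubiKey OTPs use the modhex alphabet; the public id is the first 12 characters.
MODHEX = "cbdefghijklnrtuv"
PUBLIC_ID_RE = re.compile(rf"^[{MODHEX}]{{12}}$")
AUTHFILE = "/etc/yubico/authorized_yubikeys"

# Constructed sample mirroring the README's first playbook (ssh keys omitted).
SAMPLE_VARS = {
    "yubikey_id": "48695",
    "yubikey_key": "jGAqANjXDwthsKp0dnboFGmZ5ag=",
    "yubikey_lognames": ["tesla", "einstein", "volta"],
    "sudo_root_lognames": ["tesla", "einstein", "volta"],
    "other_sudo_user": "cthulhu",
    "sudo_other_lognames": ["volta"],
    "yubikey_users": {
        "tesla": {"name": "Nikola Tesla", "yubikeys": ["ccccccefghij"]},
        "einstein": {"name": "Albert Einstein", "yubikeys": ["ccccccghijkl"]},
        "volta": {"name": "Alessandro Volta", "yubikeys": ["ccccccfghijk"]},
        "gauss": {"name": "Carl Friedrich Gauss", "yubikeys": ["cccccclkjihg"]},
    },
}


def yubikey_public_id(otp: str) -> str:
    """Return the 12-character public id of a full 44-character OTP.

    This is the value to put into the yubikeys list; the remaining 32
    characters are the encrypted, single-use part and must never be stored.
    """
    otp = otp.strip()
    if len(otp) != 44 or not re.fullmatch(rf"[{MODHEX}]+", otp):
        raise ValueError("expected a 44-character modhex OTP")
    return otp[:12]


def check_vars(v: dict) -> list:
    """Return a list of problems; an empty list means the variables are consistent."""
    problems = []
    users = v.get("yubikey_users", {})
    selected = v.get("yubikey_lognames", [])
    for logname in selected:
        if logname not in users:
            problems.append(f"{logname}: in yubikey_lognames but not in yubikey_users")
            continue
        ids = users[logname].get("yubikeys", [])
        if not ids:
            problems.append(f"{logname}: no yubikeys, nothing to put into {AUTHFILE}")
        for yk in ids:
            if not PUBLIC_ID_RE.match(yk):
                problems.append(f"{logname}: {yk!r} is not a 12-character modhex public id")
    # Anyone granted sudo must also be a created (selected) user.
    for key in ("sudo_root_lognames", "sudo_other_lognames"):
        for logname in v.get(key, []):
            if logname not in selected:
                problems.append(f"{logname}: in {key} but not in yubikey_lognames")
    return problems


def render_authfile(v: dict) -> str:
    """Render the pam_yubico authfile: one 'logname:id:id' line per created user."""
    users = v["yubikey_users"]
    lines = [":".join([logname, *users[logname]["yubikeys"]])
             for logname in v["yubikey_lognames"]]
    return "\n".join(lines) + "\n"


def render_pam_line(v: dict) -> str:
    """Render the PAM auth line for sudo (option names assumed from pam_yubico)."""
    return (f"auth required pam_yubico.so id={v['yubikey_id']} "
            f"key={v['yubikey_key']} authfile={AUTHFILE}")


if __name__ == "__main__":
    for p in check_vars(SAMPLE_VARS):
        print("problem:", p)
    print(render_pam_line(SAMPLE_VARS))
    print(render_authfile(SAMPLE_VARS), end="")
```

Note that `gauss` is defined but absent from yubikey_lognames, so he gets no authfile line, which is exactly the "defined but not created" case the README describes. Running the check with `sudo_other_lognames: ['gauss']` instead reports the inconsistency before the play touches the host.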

In the following example, the PAM module is installed but no users are created. Use this if users are managed by Perun.

```yaml
- hosts: all
  roles:
    - role: cesnet.yubikeys
      vars:
        yubikey_id: "48695"
        yubikey_key: "jGAqANjXDwthsKp0dnboFGmZ5ag="
```