ezri/homelab-ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
homelab-ansible/playbooks/roles/2fa/templates/second-factor.j2

12 lines
713 B
Django/Jinja
Raw Blame History

#%PAM-1.0 -*- mode: conf-space; tab-width: 8 -*-
# Only prompt for security key if this is a local session.
auth [success=ignore default=2] pam_access.so accessfile=/etc/security/remote-switch.access.conf
auth [success=2 default=ignore] pam_u2f.so cue origin=pam://{{ ansible_nodename }} appid=pam://{{ ansible_nodename }} userpresence=1
# This is a moderate security risk due to the nullok, but the alternative is locking ourselves out of remote machines.
# This turns 2FA into an opt-in system.
auth [success=1 default=ignore] pam_google_authenticator.so nullok
# We could change this to 'pam_faillock.so authfail', but idk that that's worth it.
auth [default=die] pam_deny.so
auth optional pam_permit.so
Reference in New Issue View Git Blame Copy Permalink