Merge pull request dev-sec#123 from lazzurs/feature/2fa_auth

Feature/2fa auth

README.md

@@ -51,6 +51,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
+|`ssh_google_auth` | false | `true` to enable google authenticator based TOTP 2FA |
 |`ssh_banner` | `false` | `true` to print a banner on login |
 |`ssh_client_hardening` | `true` | `false` to stop harden the client |
 |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |

defaults/main.yml

@@ -76,6 +76,9 @@ ssh_allow_agent_forwarding: false       # sshd
 # false to disable pam authentication.
 ssh_use_pam: false      # sshd
 
+# false to disable google 2fa authentication
+ssh_google_auth: false # sshd
+
 # if specified, login is disallowed for user names that match one of the patterns.
 ssh_deny_users: ''      # sshd
 

tasks/main.yml

@@ -63,6 +63,47 @@
   changed_when: false
   check_mode: no
 
+<<<<<<< HEAD
+# Install the 2FA packages and setup the config in PAM and SSH
+
+- block:
+  - name: Install google authenticator PAM module
+    apt: name=libpam-google-authenticator state=installed
+    when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+  - name: Install google authenticator PAM module
+    yum: name=google-authenticator state=installed
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+
+  - name: Add google auth module to PAM
+    pamd:
+      name: sshd
+      type: auth
+      control: required
+      module_path: pam_google_authenticator.so
+
+  - name: Remove password auth from PAM
+    pamd:
+      name: sshd
+      type: auth
+      control: substack
+      module_path: password-auth
+      state: absent
+    when: ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux'
+
+  - name: Remove password auth from PAM
+    replace:
+      dest: /etc/pam.d/sshd
+      regexp: '^@include common-auth'
+      replace: '#@include common-auth'
+    when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+  when: 
+    - ssh_use_pam 
+    - ssh_challengeresponseauthentication
+    - ssh_google_auth
+
+
 - block: # only runs when selinux is installed
   - name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux
     package: name="{{item}}" state=installed
@@ -84,8 +125,8 @@
     failed_when: false
     changed_when: false
     check_mode: no
-
-  # The following tasks only get executed when selinux is in state permisive or enforcing, UsePam is "no" and the ssh_password module is installed.
+            
+  # The following tasks only get executed when selinux is in state enforcing, UsePam is "no" and the ssh_password module is installed.
   # See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
   - block:
     - name: Create selinux custom policy drop folder

templates/opensshd.conf.j2

@@ -127,6 +127,10 @@ HostbasedAuthentication no
 
 # Enable PAM to enforce system wide rules
 UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
+{% if ssh_google_auth %}
+# Force public key auth then ask for google auth code
+AuthenticationMethods publickey,keyboard-interactive
+{% endif %}
 
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
 PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}