diff --git a/README.md b/README.md
index a457cdb9..e8e14dcc 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
 |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
 |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
+|`ssh_google_auth` | false | `true` to enable google authenticator based TOTP 2FA |
 |`ssh_banner` | `false` | `true` to print a banner on login |
 |`ssh_client_hardening` | `true` | `false` to stop harden the client |
 |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
diff --git a/defaults/main.yml b/defaults/main.yml
index 64849115..cfc23885 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -76,6 +76,9 @@ ssh_allow_agent_forwarding: false # sshd
 # false to disable pam authentication.
 ssh_use_pam: false # sshd
+# false to disable google 2fa authentication
+ssh_google_auth: false # sshd
+
 # if specified, login is disallowed for user names that match one of the patterns.
 ssh_deny_users: '' # sshd
diff --git a/tasks/main.yml b/tasks/main.yml
index 8c53107e..daa2d5bd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
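Review bot: The comment on the new default, `# false to disable google 2fa authentication`, hides that the flag does nothing on its own: the PAM tasks added in tasks/main.yml run only when `ssh_use_pam` and `ssh_challengeresponseauthentication` are also true, and both default to false (`ssh_use_pam: false` is two lines above; the README table lists the other as false). Suggest `# true to enable google-authenticator TOTP 2FA; only takes effect together with ssh_use_pam and ssh_challengeresponseauthentication (both true)`. It would also help operators to state, here or in the README row, that every account must have completed its own google-authenticator enrolment before the flag is switched on, since the PAM rule is added as `required` without a fallback.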
@@ -63,6 +63,47 @@
 changed_when: false
 check_mode: no
+<<<<<<< HEAD
+# Install the 2FA packages and setup the config in PAM and SSH
+
+- block:
+ - name: Install google authenticator PAM module
+ apt: name=libpam-google-authenticator state=installed
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+ - name: Install google authenticator PAM module
+ yum: name=google-authenticator state=installed
+ when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+
+ - name: Add google auth module to PAM
+ pamd:
+ name: sshd
+ type: auth
+ control: required
+ module_path: pam_google_authenticator.so
+
+ - name: Remove password auth from PAM
+ pamd:
+ name: sshd
+ type: auth
+ control: substack
+ module_path: password-auth
+ state: absent
+ when: ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux'
+
+ - name: Remove password auth from PAM
+ replace:
+ dest: /etc/pam.d/sshd
+ regexp: '^@include common-auth'
+ replace: '#@include common-auth'
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+ when:
+ - ssh_use_pam
+ - ssh_challengeresponseauthentication
+ - ssh_google_auth
+
+
 - block: # only runs when selinux is installed
 - name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux
 package: name="{{item}}" state=installed
@@ -84,8 +125,8 @@
 failed_when: false
 changed_when: false
 check_mode: no
-
- # The following tasks only get executed when selinux is in state permisive or enforcing, UsePam is "no" and the ssh_password module is installed.
+
+ # The following tasks only get executed when selinux is in state enforcing, UsePam is "no" and the ssh_password module is installed.
 # See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
 - block:
 - name: Create selinux custom policy drop folder
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
index bbef2ad9..de0f23bc 100644
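Review bot: The first added line of the hunk, `+<<<<<<< HEAD`, is a leftover merge-conflict marker with no matching `=======`/`>>>>>>>`; it makes tasks/main.yml unparsable and fails the whole role on load, so it has to be removed before merge. The OS guards inside the new block are also inconsistent: the yum install task uses `ansible_os_family == 'RedHat'`, while the RedHat "Remove password auth from PAM" task uses `ansible_distribution == 'RedHat'`, so on a host whose os_family is RedHat but whose distribution is not (CentOS, for instance) the module is installed and made `required` while the `password-auth` substack stays in place. Using `when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'` on that task keeps the install and the PAM edit in step. Since the rule is added with `control: required` and no `nullok`, any account that has not enrolled a TOTP secret will presumably fail keyboard-interactive once the sshd template change is in force; a comment on the block saying that enrolment must precede enabling `ssh_google_auth` would save operators a lockout.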
--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
@@ -127,6 +127,10 @@ HostbasedAuthentication no
 # Enable PAM to enforce system wide rules
 UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
+{% if ssh_google_auth %}
+# Force public key auth then ask for google auth code
+AuthenticationMethods publickey,keyboard-interactive
+{% endif %}
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
 PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}
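Review bot: The new guard `{% if ssh_google_auth %}` checks only the 2FA flag, whereas the PAM tasks that make keyboard-interactive usable are gated on `ssh_use_pam` and `ssh_challengeresponseauthentication` as well; with `ssh_google_auth: true` and the default `false` for the other two, the rendered file says `UsePAM no` yet demands `AuthenticationMethods publickey,keyboard-interactive`, which, depending on the OpenSSH version, is either rejected at start-up or leaves no satisfiable method list, i.e. a remote lockout. Gate the directive on the same three conditions and coerce the value like the neighbouring `UsePAM` line does: `{% if (ssh_google_auth|bool) and (ssh_use_pam|bool) and (ssh_challengeresponseauthentication|bool) %}`. Without the `|bool`, a string value such as "false" from an inventory is truthy in Jinja and would switch the directive on.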