Configures PAM to enable two-factor authentication with a YubiKey. Optionally, the display is locked when the YubiKey is removed.
Attention: Please read and understand the documentation of the yubi2factor_enforce variable below. This role can lock you out of your system completely.
The role installs on the host:
* pam_yubico
* yubikey-personalization-gui
This role is designed to work with a YubiKey from Yubico, Inc.
The YubiKey must be configured as follows:
- One slot must be configured in SHA/HMAC challenge-response mode
- The serial number must be readable
- Challenge-response must be usable without a button push
By default the role only enables single-factor login, with either the YubiKey or the password. After you have verified that both logins work, once with the password and once with the YubiKey, you can enable the two-factor condition.
If the YubiKey login does not work, you will have no way to log in to your system after enabling the two-factor condition.
yubi2factor_enforce: false
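As an added illustration (not the role's own files; the role's actual PAM changes are not shown on this page), the two settings of yubi2factor_enforce map onto the usual PAM control-flag difference for pam_yubico in challenge-response mode. The file location and the flag mapping are assumptions.

```pam
# Assumed location: /etc/pam.d/common-auth (the role's real file layout is not shown here).
# pam_yubico in challenge-response mode reads the per-user challenge file that
# ykpamcfg creates under ~/.yubico, named after the key's serial number, which is
# why the serial must be readable.

# yubi2factor_enforce: false  ->  either factor alone is enough.
# "sufficient": a successful challenge-response ends the stack with success;
# a failure simply falls through to the password check below.
auth sufficient pam_yubico.so mode=challenge-response
auth required   pam_unix.so

# yubi2factor_enforce: true  ->  both factors are required.
# "required": a failed challenge-response makes the whole stack fail, but PAM
# still runs pam_unix, so the password is prompted regardless and the user is
# not told which factor failed.
#auth required   pam_yubico.so mode=challenge-response
#auth required   pam_unix.so
```

Keep a second, already-authenticated session open while switching between the two variants, so a broken challenge-response setup can be reverted before you are locked out.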
This role comes with an automatic screen-saver lock of GNOME Shell user sessions when the YubiKey is removed from the machine. To disable this behaviour, set the following variable to false.
yubi2factor_lock_screen_on_remove: true
None.
- hosts: all
  remote_user: root
  vars_files:
    - yubi2factor.yml
  roles:
    - martin-v.yubi2factor
TODO
- Complete the documentation
- Document ~/yubikey_dont_lock_on_next_remove
- Write more tests
- Add CI for the role
- Implement a better solution for multiple users
MIT
This role was created in 2016 by Martin V.