45 lines
1.2 KiB
Org Mode
:PROPERTIES:
:ID: cce/pam_u2f
:ROAM_REFS: https://developers.yubico.com/pam-u2f/
:ROAM_ALIASES: pam-u2f
:END:
#+TITLE: Unlock Computer With Yubikey
#+filetags: :CCE:

#+PROPERTY: header-args :mkdirp yes :results none
#+PROPERTY: header-args:yaml :tangle roles/endpoint/tasks/pam-u2f.yml
#+ARCOLOGY_KEY: cce/pam-u2f
#+ARCOLOGY_ALLOW_CRAWL: t

I can use =pam-u2f= to unlock my computer with a Yubikey that I keep on my belt.
#+begin_src yaml
- name: pam-u2f and configurator is installed
  dnf:
    name:
      - pam-u2f
      - pamu2fcfg
    state: installed
  tags:
    - security
    - pam
    - yubikey
#+end_src

=pamu2fcfg= is used to register the key on each host; I invoke it [[shell:pamu2fcfg > ~/.config/Yubico/u2f_keys &]] because my hostname doesn't change via DHCP or the like. With that file in place, =pam= can be instructed to load =pam_u2f= and treat success from it as sufficient to unlock the system:

#+begin_src yaml
- name: install pam configuration
  lineinfile:
    insertbefore: "auth.*sufficient.*pam_unix.so"
    path: /etc/pam.d/system-auth
    state: present
    line: "auth sufficient pam_u2f.so cue"
    regexp: "auth sufficient pam_u2f.so.*"
  tags:
    - security
    - pam
    - yubikey
#+end_src
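The =lineinfile= task above is only correct if the resulting stack has exactly one =pam_u2f.so= line and it sits before the =sufficient pam_unix.so= line it is inserted ahead of. As an added post-run check (not part of this Org file or of pam-u2f), the following shell function verifies that ordering; the three PAM stacks it reads are constructed inline for demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added check, not from the original file: confirm that a PAM auth stack has
# exactly one "auth sufficient pam_u2f.so" line and that it precedes the
# "auth sufficient pam_unix.so" line (so the key is tried before the password).
# Returns 0 when the ordering is correct, 1 for missing, duplicated or misplaced lines.
# Usage: check_pam_u2f_order /etc/pam.d/system-auth
check_pam_u2f_order() {
    awk '
        /^auth[[:space:]]+sufficient[[:space:]]+pam_u2f\.so/  { u2f++; if (!u2f_line) u2f_line = NR }
        /^auth[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ { if (!unix_line) unix_line = NR }
        END {
            if (u2f == 1 && unix_line && u2f_line < unix_line) exit 0
            exit 1
        }
    ' "$1"
}

# Constructed sample stacks (hypothetical contents, not copied from a real system-auth).
good_stack=$(mktemp)
cat > "$good_stack" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_u2f.so cue
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
EOF

# pam_u2f placed after pam_unix: the password alone would already succeed.
bad_stack=$(mktemp)
cat > "$bad_stack" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_u2f.so cue
auth        required      pam_deny.so
EOF

# Duplicated pam_u2f line, e.g. from a run whose regexp no longer matched.
dup_stack=$(mktemp)
cat > "$dup_stack" <<'EOF'
auth        sufficient    pam_u2f.so cue
auth        sufficient    pam_u2f.so cue
auth        sufficient    pam_unix.so try_first_pass nullok
EOF

for f in "$good_stack" "$bad_stack" "$dup_stack"; do
    if check_pam_u2f_order "$f"; then echo "$f: ok"; else echo "$f: wrong order or duplicate"; fi
done
```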