From d47405fc0c348d53fe711715bc8e85e62fb482ce Mon Sep 17 00:00:00 2001
From: hofmann <Jessica.Hofmann@slub-dresden.de>
Date: Wed, 12 Apr 2023 15:28:09 +0200
Subject: [PATCH] finish tasks and structuring

---
 enable_2fa.yml                           |  8 +++++++
 files/sshd_config                        |  7 ++++++
 roles/configure_pam/tasks/main.yml       | 12 ++++++++++
 roles/configure_sshd_conf/tasks/main.yml | 30 ++++++++++++++++++++++++
 roles/install_googleauth/tasks/main.yml  |  5 ++++
 roles/main.yml                           |  5 ++++
 6 files changed, 67 insertions(+)
 create mode 100644 enable_2fa.yml
 create mode 100644 files/sshd_config
 create mode 100644 roles/configure_pam/tasks/main.yml
 create mode 100644 roles/configure_sshd_conf/tasks/main.yml
 create mode 100644 roles/install_googleauth/tasks/main.yml
 create mode 100644 roles/main.yml

diff --git a/enable_2fa.yml b/enable_2fa.yml
new file mode 100644
index 0000000..3fd7b45
--- /dev/null
+++ b/enable_2fa.yml
@@ -0,0 +1,8 @@
+---
+- hosts: 
+  become: true
+  
+  roles:
+  - configure_pam
+  - configure_sshd_conf
+  - install_googleauth
\ No newline at end of file
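Review bot: `- hosts: ` on the second line of the play has no value, so YAML parses it as null and the play has no target pattern; it needs an explicit group such as `- hosts: all` (or an inventory group name). The role order is also risky: configure_pam appends the `pam_google_authenticator.so` line and restarts sshd before install_googleauth has installed the module, so for that window PAM references a shared object that is not yet on the host and, with `required`, keyboard-interactive logins would presumably fail. Reordering to `- install_googleauth`, `- configure_sshd_conf`, `- configure_pam` removes that window. The file also ends without a trailing newline.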
diff --git a/files/sshd_config b/files/sshd_config
new file mode 100644
index 0000000..0f8532f
--- /dev/null
+++ b/files/sshd_config
@@ -0,0 +1,7 @@
+UsePAM yes
+ 
+Challenge ResponseAuthentication yes
+ 
+PermitRootLogin yes
+ 
+AuthenticationMethods publickey,keyboard-interactive
\ No newline at end of file
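Review bot: `Challenge ResponseAuthentication yes` on the third line has a space inside the keyword, so sshd will reject the drop-in with a bad configuration option and the restart tasks in the roles would leave sshd down; it should read `ChallengeResponseAuthentication yes` (on recent OpenSSH the same option is spelled `KbdInteractiveAuthentication` — check the version on the targets). `PermitRootLogin yes` also widens exposure for no stated reason: `AuthenticationMethods publickey,keyboard-interactive` already requires key plus OTP, and `PermitRootLogin prohibit-password` or `no` would keep root constrained while the 2FA change lands. The two whitespace-only lines are harmless but read as stray trailing spaces.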
diff --git a/roles/configure_pam/tasks/main.yml b/roles/configure_pam/tasks/main.yml
new file mode 100644
index 0000000..f33ad6b
--- /dev/null
+++ b/roles/configure_pam/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: insert lines in /etc/pam.d/sshd
+  blockinfile:
+    path: /etc/pam.d/sshd
+    block: |
+      # two-factor authentication via Google Authenticator 
+      auth required pam_google_authenticator.so no_increment_hotp nullok
+  
+- name: restart ssh
+  service:
+    name: ssh
+    state: restarted
\ No newline at end of file
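Review bot: The blockinfile task appends the OTP line at the end of /etc/pam.d/sshd, after whatever the distribution already includes there; on Debian-family hosts that is presumably an `@include common-auth`, so keyboard-interactive would prompt for the Unix password and then the OTP rather than replacing the password with the OTP — confirm which behaviour is intended and, if key+OTP only, add a task that comments out that include. The `nullok` flag deserves a comment because it means any account without `~/.google_authenticator` is not challenged at all, e.g. `# nullok: unenrolled users skip the OTP check; remove once every account is enrolled`. The unconditional `service: restarted` runs with no prior `sshd -t` check, so a broken PAM or sshd configuration takes the daemon down; a validation step before the restart is worth adding. The service name `ssh` is Debian/Ubuntu-specific (`sshd` elsewhere), which should be documented if other platforms are in scope.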
diff --git a/roles/configure_sshd_conf/tasks/main.yml b/roles/configure_sshd_conf/tasks/main.yml
new file mode 100644
index 0000000..245916e
--- /dev/null
+++ b/roles/configure_sshd_conf/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: check if sshd_config.d directory exists
+  stat:
+    path: "{{ item }}"
+  register: folder_stats
+  with_items:
+  - ["/etc/ssh/sshd_config.d"]
+    
+- name: insert lines if directory doesn't exists
+  with_items: "{{ folder_stats.results }}"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    state: present
+    line: "AllowUsers      slub root \n AllowGroups     ssh"
+  when: item.stat.exists == false
+
+- name: create extra sshd_config
+  with_items: "{{ folder_stats.results }}"
+  template:
+    src: ./files/sshd_config
+    dest: /etc/ssh/sshd_config.d/sshd.config
+    owner: root
+    group: root
+    mode: '0644'
+  when: item.stat.exists == true
+
+- name: restart ssh
+  service:
+    name: ssh
+    state: restarted
\ No newline at end of file
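Review bot: The drop-in is written to `/etc/ssh/sshd_config.d/sshd.config`, but the stock Debian/Ubuntu `sshd_config` includes `sshd_config.d/*.conf` only, so a `.config` file would presumably be ignored and none of the 2FA settings would take effect — verify the `Include` line on the targets and rename the destination to `sshd.conf`. The `lineinfile` task passes a `line` with an embedded `\n` and a leading space before `AllowGroups`, which has no `regexp` and will not match on the next run, so it re-adds both lines each time; two separate `lineinfile` tasks (or one `blockinfile`) are idempotent. `template` is used for a file with no Jinja and a path outside the role's `templates/` dir, so `copy` with `src: sshd_config` under the role's `files/` is the more conventional choice, and `when: not item.stat.exists` reads better than `== false`. Finally the restart has no validation guard; add before it `- name: validate sshd configuration`, `  command: sshd -t`, `  changed_when: false` so a bad config fails the play instead of stopping sshd.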
diff --git a/roles/install_googleauth/tasks/main.yml b/roles/install_googleauth/tasks/main.yml
new file mode 100644
index 0000000..e557650
--- /dev/null
+++ b/roles/install_googleauth/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Install google_authenticator
+  package:
+    name: libpam-google-authenticator
+    state: present
\ No newline at end of file
diff --git a/roles/main.yml b/roles/main.yml
new file mode 100644
index 0000000..e79447f
--- /dev/null
+++ b/roles/main.yml
@@ -0,0 +1,5 @@
+---
+
+- import_tasks: "configure_pam.yml"
+- import_tasks: "configure_sshd_conf.yml"
+- import_tasks: "install_googleauth.yml"
\ No newline at end of file
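Review bot: The three `import_tasks` lines reference `configure_pam.yml`, `configure_sshd_conf.yml` and `install_googleauth.yml`, which are not created by this commit (the diffstat only adds `roles/<name>/tasks/main.yml`), so running this file would fail on the first import. `roles/main.yml` is also not a playbook and not referenced by `enable_2fa.yml`, which already applies the same roles; either drop this file or turn it into a play that lists `roles:`, and document which entry point is the supported one.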
-- 
GitLab