Two factor authentication?

Adam Morris

unread,

Dec 15, 2014, 2:27:39 PM12/15/14

to ansible...@googlegroups.com

Greetings,

We are looking at using two factor authentication on our hosts. Is it possible to use Ansible as well or not? To be clear we're not using it for login but for sudo access.

Adam

Michael DeHaan

unread,

Dec 15, 2014, 2:39:49 PM12/15/14

to ansible...@googlegroups.com

Hi Adam,

Generally this is done from two-factoring your VPN for login purposes by gating a bastion host.

For sudo, it's not going to be well supported at this point, but might not be terrible -- I think it applying to multiple hosts might be.

Can you share more about the 2FA config you have?

--Michael

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/077d236e-eed2-4ae2-9bec-fa81635e2a64%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Adam Morris

unread,

Dec 15, 2014, 5:50:58 PM12/15/14

to ansible...@googlegroups.com

On Monday, December 15, 2014 11:39:49 AM UTC-8, Michael DeHaan wrote:

Hi Adam,

Generally this is done from two-factoring your VPN for login purposes by gating a bastion host.

For sudo, it's not going to be well supported at this point, but might not be terrible -- I think it applying to multiple hosts might be.

Can you share more about the 2FA config you have?

What we currently have is a separate development environment for a joint venture, embedded within our network. This is a small segregated network with two ssh based bastion hosts... We are using 2FA for access to the bastion hosts, plus our admin machine. We also want to add 2FA for some su access... But it doesn't look like Google Authenticator works with Sudo so we're probably ok with using Ansible and Sudo...

I have found an option using access files that should work if we lock down the Ansible access to a specific (secured) machine so that that one doesn't have to use 2FA, but only a veru small number of people will have access to that host anyway.

We are currently using the Google authenticator pam integration, but haven't set this up on more than a couple of hosts yet. We should be able to roll this out everywhere this way.