authorLars Wirzenius <liw@liw.fi>2022-08-06 13:58:31 +0300
committerLars Wirzenius <liw@liw.fi>2022-08-06 13:58:31 +0300
commita390a3da9b5f5d498457fca68dfb9f013a7976e8 (patch)
tree873fc27359e30eed6370f0b58ef4f0339c154c95
parent97a3506820fb56ce34ec93b79bd5c936f885647a (diff)
downloadansibleness-a390a3da9b5f5d498457fca68dfb9f013a7976e8.tar.gz
solace: install stuff for libpam-yubico, but don't enable it yet
I have too many Yubikeys in active use for this to work yet. Sponsored-by: author
-rw-r--r--ansible/solace.yml25
1 files changed, 25 insertions, 0 deletions
diff --git a/ansible/solace.yml b/ansible/solace.yml
index b3b7eaa..facada5 100644
--- a/ansible/solace.yml
+++ b/ansible/solace.yml
@@ -30,6 +30,11 @@
tags: [rustup]
tasks:
+ # - shell: |
+ # sed -i 's/NOPASSWD://' /etc/sudoers.d/liw
+ # args:
+ # warn: false
+
# Remove ping to force it be reinstalled so that the right
# capabilities are set.
- apt:
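Review bot: The commented-out task edits `/etc/sudoers.d/liw` with `sed -i` and no syntax check, so if it is ever enabled as written, a bad edit could leave sudo unusable on the host. When it is turned on, prefer the `replace` or `lineinfile` module with `validate: 'visudo -cf %s'` so a broken file is never installed. A short comment above the disabled block saying why it is parked would also help, as the second hunk does for the PAM line. The task list continues outside this hunk.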
@@ -155,6 +160,26 @@
- name: "update initramfs"
shell: |
update-initramfs -u
+
+ - apt:
+ name:
+ - libpam-yubico
+ # disabled until I don't need Y4 anymore.
+ # - lineinfile:
+ # path: /etc/pam.d/common-auth
+ # regex: pam_yubico.so
+ # line: "auth required pam_yubico.so mode=challenge-response chalresp_path=/etc/yubikey_chalresp"
+ - file:
+ state: directory
+ path: /etc/yubikey_chalresp
+ mode: 0700
+ - copy:
+ content: |
+ {{ lookup('pipe', 'pass libpam-yubico/liw/y6.chalresp') }}
+ dest: "/etc/yubikey_chalresp/liw-{{ lookup('pipe', 'pass libpam-yubico/liw/y6.serial') }}"
+ mode: 0600
+
+
vars:
ansible_python_interpreter: /usr/bin/python3
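Review bot: The `copy` task that writes the challenge-response state from `pass` has no `no_log: true`, so the secret may surface in `--diff` or verbose run output and in any log that captures it; adding `no_log: true` (or at least `diff: false`) to that task would keep it out. Both the `file` and `copy` tasks leave ownership implicit, so the 0700/0600 modes protect the data only if the connecting user is the intended owner; `owner: root` and `group: root` on each would make that explicit. The modes are written as bare `0700` and `0600`, which relies on YAML octal parsing; the usual Ansible form is `mode: "0700"` and `mode: "0600"`.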