diff --git a/files/2fa/pam_url.conf b/files/2fa/pam_url.conf
new file mode 100644
index 0000000000..9ce7690b81
--- /dev/null
+++ b/files/2fa/pam_url.conf
@@ -0,0 +1,21 @@
+pam_url:
+{
+ settings:
+ {
+ url = "https://fas-all.phx2.fedoraproject.org:8443/"; # URI to fetch
+ returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
+ userfield = "user"; # userfield name to send
+ passwdfield = "token"; # passwdfield name to send
+ extradata = "&do=login"; # extradata to send
+ prompt = "Password+Token: "; # password prompt
+ };
+
+ ssl:
+ {
+ verify_peer = true; # Should we verify SSL ?
+ verify_host = true; # Should we verify the CN in the SSL cert?
+ client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
+ client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
+ ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
+ };
+};
diff --git a/files/2fa/pam_url.conf.fakefas01.fedoraproject.org b/files/2fa/pam_url.conf.fakefas01.fedoraproject.org
new file mode 100644
index 0000000000..9ce7690b81
--- /dev/null
+++ b/files/2fa/pam_url.conf.fakefas01.fedoraproject.org
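Review bot: `ca_cert` is the only entry in the ssl block without a trailing comment, although every neighbouring key explains what it carries and this file is presumably the trust anchor that `verify_peer = true` checks the server certificate against. Suggest `ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert"; # CA bundle used to verify the server cert (needed by verify_peer)`. The same uncommented line appears in the fakefas01, stg and vpn variants of this file in the following hunks. It is also worth a short comment that, because `client_cert` and `client_key` point at the same totpcgi.pem, that file holds the private key and must stay non-world-readable.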
@@ -0,0 +1,21 @@
+pam_url:
+{
+ settings:
+ {
+ url = "https://fas-all.phx2.fedoraproject.org:8443/"; # URI to fetch
+ returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
+ userfield = "user"; # userfield name to send
+ passwdfield = "token"; # passwdfield name to send
+ extradata = "&do=login"; # extradata to send
+ prompt = "Password+Token: "; # password prompt
+ };
+
+ ssl:
+ {
+ verify_peer = true; # Should we verify SSL ?
+ verify_host = true; # Should we verify the CN in the SSL cert?
+ client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
+ client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
+ ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
+ };
+};
diff --git a/files/2fa/pam_url.conf.stg.fedoraproject.org b/files/2fa/pam_url.conf.stg.fedoraproject.org
new file mode 100644
index 0000000000..508c5d9cf7
--- /dev/null
+++ b/files/2fa/pam_url.conf.stg.fedoraproject.org
@@ -0,0 +1,21 @@
+pam_url:
+{
+ settings:
+ {
+ url = "https://fas-all.stg.phx2.fedoraproject.org:8443/"; # URI to fetch
+ returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
+ userfield = "user"; # userfield name to send
+ passwdfield = "token"; # passwdfield name to send
+ extradata = "&do=login"; # extradata to send
+ prompt = "Password+Token: "; # password prompt
+ };
+
+ ssl:
+ {
+ verify_peer = true; # Should we verify SSL ?
+ verify_host = true; # Should we verify the CN in the SSL cert?
+ client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
+ client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
+ ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
+ };
+};
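Review bot: `pam_url.conf.fakefas01.fedoraproject.org` is byte-identical to the default `pam_url.conf` (both are blob 9ce7690b81), so the per-host lookup in tasks/2fa_client.yml resolves to the same content the final fallback would give; the only effect is a second copy that has to be kept in sync by hand. If the pinned copy exists so that a future `pam_url.conf.fedoraproject.org` domain override never reaches this host, that intent should be written down, e.g. a first line `# Deliberately identical to the default pam_url.conf; pinned per host so a domain-wide override cannot change it.`; otherwise the file can be dropped and the default used.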
diff --git a/files/2fa/pam_url.conf.vpn.fedoraproject.org b/files/2fa/pam_url.conf.vpn.fedoraproject.org
new file mode 100644
index 0000000000..6e102e12f7
--- /dev/null
+++ b/files/2fa/pam_url.conf.vpn.fedoraproject.org
@@ -0,0 +1,21 @@
+pam_url:
+{
+ settings:
+ {
+ url = "https://fas-all.vpn.fedoraproject.org:8443/"; # URI to fetch
+ returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
+ userfield = "user"; # userfield name to send
+ passwdfield = "token"; # passwdfield name to send
+ extradata = "&do=login"; # extradata to send
+ prompt = "Password+Token: "; # password prompt
+ };
+
+ ssl:
+ {
+ verify_peer = true; # Should we verify SSL ?
+ verify_host = true; # Should we verify the CN in the SSL cert?
+ client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
+ client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
+ ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
+ };
+};
diff --git a/files/2fa/sudo.pam b/files/2fa/sudo.pam
new file mode 100644
index 0000000000..aa59ebf7a7
--- /dev/null
+++ b/files/2fa/sudo.pam
@@ -0,0 +1,11 @@
+#%PAM-1.0
+auth required pam_env.so
+auth sufficient pam_url.so config=/etc/pam_url.conf
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth required pam_deny.so
+
+auth include system-auth
+account include system-auth
+password include system-auth
+session optional pam_keyinit.so revoke
+session required pam_limits.so
diff --git a/files/2fa/sudo.pam.dev.fedoraproject.org b/files/2fa/sudo.pam.dev.fedoraproject.org
new file mode 100644
index 0000000000..030bb26463
--- /dev/null
+++ b/files/2fa/sudo.pam.dev.fedoraproject.org
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session optional pam_keyinit.so revoke
+session required pam_limits.so
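Review bot: The `auth include system-auth` line in sudo.pam can never produce a successful authentication, and nothing in the file says whether that is intended. Once `pam_url.so` (marked `sufficient`, so a valid Password+Token alone completes auth) fails, a caller with uid >= 500 passes the requisite `pam_succeed_if` and reaches `auth required pam_deny.so`, whose failure is final even though the stack keeps running — so system-auth presumably still asks for a password that cannot succeed — while a caller with uid < 500 is refused immediately by the requisite line with no further prompt. If the trailing include is kept on purpose so that a failed token and a failed password look the same to the user, say so above it, e.g. `# pam_deny above makes the remaining auth lines a no-op; kept so that a token failure is not distinguishable from a password failure`; if some accounts were meant to fall back to the system password, pam_deny is in the wrong position. A comment on the `uid >= 500` line explaining why system accounts are rejected outright rather than offered the token prompt would also help.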
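Review bot: `sudo.pam.dev.fedoraproject.org` omits `pam_url.so` entirely, so every host whose `${ansible_domain}` is dev.fedoraproject.org gets sudo with the stock system-auth stack and no token check, and nothing in the file marks that as deliberate; `sudo.pam.qa.fedoraproject.org` in the next hunk is the same content (blob 030bb26463) and has the same gap. A header comment after `#%PAM-1.0` such as `# No pam_url/2FA on this domain: intentionally the plain system-auth stack` would stop a later reader from treating the missing lines as drift from `sudo.pam`. Since the selection in tasks/2fa_client.yml is by domain rather than by host, the comment should say that the exemption is domain-wide.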
diff --git a/files/2fa/sudo.pam.qa.fedoraproject.org b/files/2fa/sudo.pam.qa.fedoraproject.org
new file mode 100644
index 0000000000..030bb26463
--- /dev/null
+++ b/files/2fa/sudo.pam.qa.fedoraproject.org
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session optional pam_keyinit.so revoke
+session required pam_limits.so
diff --git a/tasks/2fa_client.yml b/tasks/2fa_client.yml
new file mode 100644
index 0000000000..b33ec872b1
--- /dev/null
+++ b/tasks/2fa_client.yml
@@ -0,0 +1,25 @@
+---
+- name: install pam_url
+ yum: name=pam_url state=installed
+
+- name: /etc/pki/tls/private/totpcgi.pem
+ copy: src=$puppet_private/2fa-certs/keys/${inventory_hostname}.pem dest=/etc/pki/tls/private/totpcgi.pem mode=0400
+
+- name: /etc/pki/tls/private/totpcgi-ca.cert
+ copy: src=$puppet_private/2fa-certs/keys/ca.crt dest=/etc/pki/tls/private/totpcgi-ca.cert mode=0400
+
+- name: /etc/pam_url.conf - split for staging/phx2/everyone else
+ copy: src=$item dest=/etc/pam_url.conf mode=0644
+ with_first_found:
+ - $files/2fa/pam_url.conf.${inventory_hostname}
+ - $files/2fa/pam_url.conf.${ansible_domain}
+ - $files/2fa/pam_url.conf
+
+- name: /etc/pam.d/sudo
+ copy: src=$item dest=/etc/pam.d/sudo mode=0644
+ with_first_found:
+ - $files/2fa/sudo.pam.${inventory_hostname}
+ - $files/2fa/sudo.pam.${ansible_domain}
+ - $files/2fa/sudo.pam
+
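Review bot: The two certificate copies set `mode=0400` but no `owner`/`group`, so the installed files belong to whichever account the task runs as; pam_url.conf reads totpcgi.pem from inside sudo's auth stack, which presumably runs as root, so this only works while the play itself runs as root and silently breaks 2FA (the sudo stack then denies via pam_deny) if it is ever applied under another user. Suggest pinning ownership explicitly, `copy: src=$puppet_private/2fa-certs/keys/${inventory_hostname}.pem dest=/etc/pki/tls/private/totpcgi.pem owner=root group=root mode=0400`, and the same for the ca.crt task. A one-line comment above the first copy noting that the per-host `.pem` carries both the client certificate and its private key (pam_url.conf points `client_cert` and `client_key` at the same path) would explain why 0400 rather than a readable mode is used, and the `ca.crt` task could note that 0400 there is stricter than needed since a CA certificate is public.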