first cut of everything we need for 2fa client side
This commit is contained in:
parent
db4eeaacc2
commit
2b3a8d2448
8 changed files with 132 additions and 0 deletions
21
files/2fa/pam_url.conf
Normal file
21
files/2fa/pam_url.conf
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
pam_url:
|
||||
{
|
||||
settings:
|
||||
{
|
||||
url = "https://fas-all.phx2.fedoraproject.org:8443/"; # URI to fetch
|
||||
returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
|
||||
userfield = "user"; # userfield name to send
|
||||
passwdfield = "token"; # passwdfield name to send
|
||||
extradata = "&do=login"; # extradata to send
|
||||
prompt = "Password+Token: "; # password prompt
|
||||
};
|
||||
|
||||
ssl:
|
||||
{
|
||||
verify_peer = true; # Should we verify SSL ?
|
||||
verify_host = true; # Should we verify the CN in the SSL cert?
|
||||
client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
|
||||
client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
|
||||
ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
|
||||
};
|
||||
};
|
||||
21
files/2fa/pam_url.conf.fakefas01.fedoraproject.org
Normal file
21
files/2fa/pam_url.conf.fakefas01.fedoraproject.org
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
pam_url:
|
||||
{
|
||||
settings:
|
||||
{
|
||||
url = "https://fas-all.phx2.fedoraproject.org:8443/"; # URI to fetch
|
||||
returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
|
||||
userfield = "user"; # userfield name to send
|
||||
passwdfield = "token"; # passwdfield name to send
|
||||
extradata = "&do=login"; # extradata to send
|
||||
prompt = "Password+Token: "; # password prompt
|
||||
};
|
||||
|
||||
ssl:
|
||||
{
|
||||
verify_peer = true; # Should we verify SSL ?
|
||||
verify_host = true; # Should we verify the CN in the SSL cert?
|
||||
client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
|
||||
client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
|
||||
ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
|
||||
};
|
||||
};
|
||||
21
files/2fa/pam_url.conf.stg.fedoraproject.org
Normal file
21
files/2fa/pam_url.conf.stg.fedoraproject.org
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
pam_url:
|
||||
{
|
||||
settings:
|
||||
{
|
||||
url = "https://fas-all.stg.phx2.fedoraproject.org:8443/"; # URI to fetch
|
||||
returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
|
||||
userfield = "user"; # userfield name to send
|
||||
passwdfield = "token"; # passwdfield name to send
|
||||
extradata = "&do=login"; # extradata to send
|
||||
prompt = "Password+Token: "; # password prompt
|
||||
};
|
||||
|
||||
ssl:
|
||||
{
|
||||
verify_peer = true; # Should we verify SSL ?
|
||||
verify_host = true; # Should we verify the CN in the SSL cert?
|
||||
client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
|
||||
client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
|
||||
ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
|
||||
};
|
||||
};
|
||||
21
files/2fa/pam_url.conf.vpn.fedoraproject.org
Normal file
21
files/2fa/pam_url.conf.vpn.fedoraproject.org
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
pam_url:
|
||||
{
|
||||
settings:
|
||||
{
|
||||
url = "https://fas-all.vpn.fedoraproject.org:8443/"; # URI to fetch
|
||||
returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
|
||||
userfield = "user"; # userfield name to send
|
||||
passwdfield = "token"; # passwdfield name to send
|
||||
extradata = "&do=login"; # extradata to send
|
||||
prompt = "Password+Token: "; # password prompt
|
||||
};
|
||||
|
||||
ssl:
|
||||
{
|
||||
verify_peer = true; # Should we verify SSL ?
|
||||
verify_host = true; # Should we verify the CN in the SSL cert?
|
||||
client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
|
||||
client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
|
||||
ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
|
||||
};
|
||||
};
|
||||
11
files/2fa/sudo.pam
Normal file
11
files/2fa/sudo.pam
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
#%PAM-1.0
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_url.so config=/etc/pam_url.conf
|
||||
auth requisite pam_succeed_if.so uid >= 500 quiet
|
||||
auth required pam_deny.so
|
||||
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
6
files/2fa/sudo.pam.dev.fedoraproject.org
Normal file
6
files/2fa/sudo.pam.dev.fedoraproject.org
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
#%PAM-1.0
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
6
files/2fa/sudo.pam.qa.fedoraproject.org
Normal file
6
files/2fa/sudo.pam.qa.fedoraproject.org
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
#%PAM-1.0
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
Loading…
Add table
Add a link
Reference in a new issue