# ansible-role-yubikeys

**Repository Path**: mirrors_CESNET/ansible-role-yubikeys

## Basic Information

- **Project Name**: ansible-role-yubikeys
- **Description**: Ansible Galaxy role cesnet.yubikeys
- **Primary Language**: Unknown
- **License**: BSD-2-Clause
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-08-08
- **Last Updated**: 2026-05-23

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

cesnet.yubikeys
===============

Ansible Galaxy role [cesnet.yubikeys](https://galaxy.ansible.com/cesnet/yubikeys) that sets up second-factor authentication for sudo using YubiKey hardware USB tokens. It adds a PAM module for sudo that calls the Yubico servers to validate the one-time code the user enters.

Use `--tags config` to run only the configuration tasks.

Requirements
------------

-

Role Variables
--------------

- yubikey_id and yubikey_key - unique values obtained from https://upgrade.yubico.com/getapikey/
- yubikey_users - mapping from lognames to hashes with name, yubikey code and ssh key, see the example below
- yubikey_lognames - list of login names to use from the yubikey_users hash, default is empty
- sudo_root_lognames - list of lognames that can sudo to root, default is empty
- other_sudo_user - a logname other than root to which selected users can sudo, default is "perun"
- sudo_other_lognames - list of lognames that can sudo to the other user defined by other_sudo_user

Example Playbook
----------------

In the following example, 4 users are defined, but only 3 of them will be created. Users tesla and einstein will be able to sudo to root, user volta will be able to sudo to user cthulhu.
```yaml
- hosts: all
  roles:
    - role: cesnet.yubikeys
      vars:
        yubikey_id: "48695"
        yubikey_key: "jGAqANjXDwthsKp0dnboFGmZ5ag="
        yubikey_lognames: [ 'tesla', 'einstein', 'volta' ]
        # list of lognames that can sudo to root
        sudo_root_lognames: "{{ yubikey_lognames }}"
        # another logname than root to which selected users can sudo
        other_sudo_user: "cthulhu"
        # list of lognames that can sudo to the other user defined by other_sudo_user
        sudo_other_lognames: [ 'volta' ]
        # list of users
        ## logname - unix login name
        ## name - full name, will be put into /etc/passwd
        ## yubikeys - list of yubikey ids (first 12 characters of any code generated by the user's yubikey), will be put into /etc/yubico/authorized_yubikeys
        ## sshkeys - list of public parts of ssh keys, will be put into $HOME/.ssh/authorized_keys
        yubikey_users:
          tesla:
            name: Nikola Tesla
            yubikeys:
              - ccccccefghij
            sshkeys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDe9Rb2N5aq5qYAi8OCeQKlpOBJi/Ll2tlxqiD7Gan7wJrFBbrZIj8a5tOpHKTm61ldihxG7hnXkyEvbAX5vx/6lLagKaLFL3ysh3iH3ZxiXFYXfLklqrrCK2kuwdCIasMF4kJYzS/goLEGeqBkeJN8SvTj2THvzWcvsTZXIgXygzqiiSKlJao2v62EZv3Pi0eP8KhLrdYW2EcePBOKclLGYxdAX0k9KMJHJRecQhS2BtDLDL1rGoCCrw3Pd8689xovzYKC/ATnTZ89slA9HlrKyQjkjVeBX7WbRsjrgYKEDeqWZbdzjT9Nhg/Ftewbqh2V6p8OFQTftKUOmmPXlwAr
          einstein:
            name: Albert Einstein
            yubikeys:
              - ccccccghijkl
            sshkeys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQiusTXxPGdXXzhHyU9wEb1i5PAdN/qBX8lVw90/yZo6LKBl+fO2QuRTQUxxRgk05puXYwWMF4IheoVBmWFzwClyH/Ox88Yq+WM4nGxIpzvoyUZQ0rRM7a0LfaLvDsJpkoMOr53LFfQtdTY7ZiKXsaTI1EmhHXVmfgFXDTu4IE2EBGUrKPj28+yD/5UuyybA/TfZJ6wW51M0QAaQy3n2xWY+K+aFfTJv2vQin2cIjIPMWfUoUCR2eYNbtZ/uHwXgJxK1W3PeeJhLjW8RXdfLiSOA3+8X5NCHGBs5BLdvieQjB0SYb0NqCc7scAlJV14MGlWdBYuczV2gvn2mnT4q3F
          volta:
            name: Alessandro Volta
            yubikeys:
              - ccccccfghijk
            sshkeys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnkDzzBfCAgjxv4lZKZ744lPiIRbGhfnQFbSEmeU7ZlRn5zPK2r7Ur+T7I89YHly1nEVPoQ0O8elA7eDaHZ2jIUyYXbzVrYr+7dNSvoO+tqXoG1r5VuZM8jv9m55IFClV0NONqbrgDLRl771ZVqdMah10xPA9X5hv5O17LlDYWyP0j5tJ6M1Ua3t1oI+Gsx28xicJYuLSA5ixpb0b5vftlSvdz7OCC1ojKdTESV3dGifgmJ+B4OZu3ha/Ti6K+pIOYHNtg/yriI6AZNZyLG/L/x5EtE28XRBOr2auXuIlBwK1IWI9MtoSB6L8WjhHl+7WPQej50eL9keK22diIJen9
          gauss:
            name: Carl Friedrich Gauss
            yubikeys:
              - cccccclkjihg
            sshkeys:
              - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgdleNFp+4o849ZNts1cluRtE8VPJCDgo9dllcScw/z3alhhmxXT8oQWG0XXzx3r0rfzfDIC0Lqw5xPEsX8yDLl4SeQzHyHycwM5773IBuN5EYrul+34aGHHawqFIksKpbS3ADMwHEd25tzHr1SzAX2vLt3a6RqFhfaW6YnVcMU3ZFOZGfyLmsFjCsIJ2XsIVhzhX8s13vy2jwC2uQ+rTzMMtIgXkx/UQ1mjr9dj/XtDNT3bPwvjVd7/N0BT6PL0H4hNH4jBAby9mRYGfON/LNTLyrUD280w4A5Zu1JGPl+VBxMjN83m1l5k9i5w6vDLU/7TRzAXATINlLIYwWH+1J
```

In the following example, the PAM module is installed, but no users are created. Use this if users are managed by Perun.

```yaml
- hosts: all
  roles:
    - role: cesnet.yubikeys
      vars:
        yubikey_id: "48695"
        yubikey_key: "jGAqANjXDwthsKp0dnboFGmZ5ag="
```
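The role variables above have consistency rules that the role itself does not check before writing files: every logname in sudo_root_lognames or sudo_other_lognames should also be in yubikey_lognames (otherwise the account is granted sudo but never managed here), every selected logname needs a yubikey_users entry with at least one well-formed token ID, and other_sudo_user must be a logname other than root. The following pre-flight script is an added example, not part of the cesnet.yubikeys role. It encodes those rules, validates a constructed variable set that mirrors the README playbook (with sudo_root_lognames set to tesla and einstein as the prose describes, and shortened placeholder SSH key blobs), and renders the lines such a variable set would produce in /etc/yubico/authorized_yubikeys. Two things are assumptions about software outside this page: the 12-character modhex public-ID rule comes from the YubiKey OTP format, and the `logname:id1:id2` line layout is the pam_yubico authfile format; the role's own template may format the file differently.

```python
"""Pre-flight validator for cesnet.yubikeys-style role variables.

Added example; it is not the role's code. Drop a copy next to the playbook,
fill SAMPLE_VARS from your group_vars, and run it before `ansible-playbook`.
"""
import re

# YubiKey OTP public IDs are the first 12 characters of any OTP, written in
# modhex (alphabet "cbdefghijklnrtuv"). Assumption drawn from the YubiKey OTP
# format, not something the role documents beyond "first 12 characters".
MODHEX_ID = re.compile(r"^[cbdefghijklnrtuv]{12}$")

# OpenSSH public-key line: key type, base64 blob, optional comment.
SSH_PUBKEY = re.compile(
    r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S.*)?$"
)

# Constructed sample mirroring the README playbook: four users defined, three
# selected, gauss left out. SSH key blobs are shortened placeholders.
SAMPLE_VARS = {
    "yubikey_lognames": ["tesla", "einstein", "volta"],
    "sudo_root_lognames": ["tesla", "einstein"],
    "other_sudo_user": "cthulhu",
    "sudo_other_lognames": ["volta"],
    "yubikey_users": {
        "tesla": {"name": "Nikola Tesla", "yubikeys": ["ccccccefghij"],
                  "sshkeys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDe9Rb2 tesla@example"]},
        "einstein": {"name": "Albert Einstein", "yubikeys": ["ccccccghijkl"],
                     "sshkeys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8xample einstein@example"]},
        "volta": {"name": "Alessandro Volta", "yubikeys": ["ccccccfghijk"],
                  "sshkeys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnkDzz"]},
        "gauss": {"name": "Carl Friedrich Gauss", "yubikeys": ["cccccclkjihg"],
                  "sshkeys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDgdleN"]},
    },
}

# Constructed broken variant: a sudoer that is not managed (noether), a token
# ID that is not modhex, an account with no token at all, a non-key sshkeys
# entry, and other_sudo_user set to root.
BROKEN_VARS = {
    "yubikey_lognames": ["curie", "bohr"],
    "sudo_root_lognames": ["curie", "noether"],
    "other_sudo_user": "root",
    "sudo_other_lognames": [],
    "yubikey_users": {
        "curie": {"name": "Marie Curie", "yubikeys": ["abcdefghijkl"], "sshkeys": ["not a key"]},
        "bohr": {"name": "Niels Bohr", "yubikeys": [], "sshkeys": []},
    },
}


def validate(v):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    users = v.get("yubikey_users", {})
    selected = v.get("yubikey_lognames", [])
    for logname in selected:
        entry = users.get(logname)
        if entry is None:
            problems.append(f"{logname}: in yubikey_lognames but has no yubikey_users entry")
            continue
        if not entry.get("yubikeys"):
            problems.append(f"{logname}: no yubikeys listed, so the second factor can never be satisfied")
        for yid in entry.get("yubikeys", []):
            if not MODHEX_ID.match(yid):
                problems.append(f"{logname}: yubikey id {yid!r} is not a 12-character modhex public ID")
        for key in entry.get("sshkeys", []):
            if not SSH_PUBKEY.match(key):
                problems.append(f"{logname}: sshkeys entry {key[:30]!r} is not an OpenSSH public key line")
    # Sudo grants only make sense for accounts this role actually manages.
    for var in ("sudo_root_lognames", "sudo_other_lognames"):
        for logname in v.get(var, []):
            if logname not in selected:
                problems.append(f"{logname}: in {var} but not in yubikey_lognames")
    if v.get("other_sudo_user", "perun") == "root":
        problems.append("other_sudo_user is root; it must be a logname other than root")
    return problems


def authorized_yubikeys_lines(v):
    """Render authfile lines (pam_yubico layout, assumed: logname:id1:id2) for selected users."""
    users = v["yubikey_users"]
    return [f"{logname}:{':'.join(users[logname]['yubikeys'])}"
            for logname in v["yubikey_lognames"] if logname in users]


if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_VARS), ("broken", BROKEN_VARS)):
        found = validate(data)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
    print("\n".join(authorized_yubikeys_lines(SAMPLE_VARS)))
```

Run it against the real variables before a deployment; a non-empty problem list means the play would either create an account with no usable second factor or hand sudo to a logname the role never touches, both of which are easier to catch here than in the resulting PAM behaviour on the host.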