Assume we have Linux servers with MFA set up when logging in using SSH key-based authentication; say, for example, https://cmd.com/ or Okta is used to set up MFA. How can we do the same task using Ansible? I want to manage tens of such servers to deploy something. Attached is a snippet for clarity.
On doing a manual ssh, we get the prompt below.
enter email for authentication :
Many thanks in advance,
TL;DR: Frankly, MFA does not work well when managing a fleet of servers.
I guess MFA means some kind of OTP (one-time password). If your
favourite MFA vendor takes the term "one-time" seriously enough, a
password entered can only be used *once* on a *single* system.
You can try to work around that by
- using control master connections (you probably do already, for better performance)
- strictly serializing your Ansible plays
- sufficiently long password caching in the PAM service (you did not tell us
what you're using for user management and as the NSS/PAM service)
But this still puts some obstacles in the way when running Ansible
plays and is not really fun for the admins managing many targets.
I'd recommend seriously looking into:
1. restricting SSH access to go through a bastion host with MFA
configured for establishing control master connections
and/or
2. using temporary SSH user certs issued by an SSH CA after the user
has authenticated with MFA
YMMV.
Ciao, Michael.
P.S.: My own projects in the field of user management for Linux/Unix
data centers are the free software projects Æ-DIR, OATH-LDAP and EKCA. Being
the author, I'm biased of course.
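As an added illustration of the workaround and of recommendation 1 above (not part of Michael's reply or of any of his projects), the script below writes three constructed files: an ssh_config that keeps one multiplexed ControlMaster session to a bastion, an ansible.cfg that points Ansible at that config, and a playbook that runs targets strictly one at a time. The host names, user name, key path and the `fleet` group are placeholders; the MFA prompt is answered exactly once, when the master connection to the bastion is opened by hand.

```shell
#!/bin/sh
# Write the fleet configs into DIR (constructed example; all names are placeholders).
write_fleet_configs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ssh_config" <<'EOF'
# Open the master once, answer the MFA prompt interactively, keep it for 8h:
#   ssh -F ssh_config -fN bastion
# Every later session (Ansible included) reuses the socket and gets no prompt.
# The ControlPath directory (~/.ssh/cm) must exist beforehand.
Host bastion
    HostName bastion.example.com
    User deploy
    ControlMaster auto
    ControlPath ~/.ssh/cm/%r@%h:%p
    ControlPersist 8h

# Fleet hosts are only reachable through the bastion; key auth, never a prompt.
Host fleet-*
    ProxyJump bastion
    User deploy
    IdentityFile ~/.ssh/deploy_ed25519
    BatchMode yes
EOF
    cat > "$dir/hosts" <<'EOF'
[fleet]
fleet-01
fleet-02
EOF
    cat > "$dir/ansible.cfg" <<'EOF'
[defaults]
inventory = ./hosts
[ssh_connection]
ssh_args = -F ./ssh_config
pipelining = True
EOF
    cat > "$dir/deploy.yml" <<'EOF'
- hosts: fleet
  serial: 1          # one target at a time, so a cached OTP is never reused concurrently
  gather_facts: false
  tasks:
    - name: check connectivity through the bastion
      ansible.builtin.ping:
EOF
}
```

Run `write_fleet_configs .`, open the master with `ssh -F ssh_config -fN bastion`, then `ansible-playbook deploy.yml` from the same directory.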