Greetings,
We are looking at using two factor authentication on our hosts. Is it possible to use Ansible as well or not? To be clear we’re not using it for login but for sudo access.
Adam
Hi Adam,
Generally this is done from two-factoring your VPN for login purposes by gating a bastion host.
For sudo, it’s not going to be well supported at this point, but might not be terrible – I think it applying to multiple hosts might be.
Can you share more about the 2FA config you have?
–Michael
What we currently have is a separate development environment for a joint venture, embedded within our network. This is a small segregated network with two ssh based bastion hosts… We are using 2FA for access to the bastion hosts, plus our admin machine. We also want to add 2FA for some su access… But it doesn’t look like Google Authenticator works with Sudo so we’re probably ok with using Ansible and Sudo…
I have found an option using access files that should work if we lock down the Ansible access to a specific (secured) machine so that that one doesn’t have to use 2FA, but only a very small number of people will have access to that host anyway.
We are currently using the Google authenticator pam integration, but haven’t set this up on more than a couple of hosts yet. We should be able to roll this out everywhere this way.
Thanks,
Adam