On Monday, December 15, 2014 11:39:49 AM UTC-8, Michael DeHaan wrote:
>
> Hi Adam,
>
> Generally this is done from two-factoring your VPN for login purposes by
> gating a bastion host.
>
> For sudo, it's not going to be well supported at this point, but might not
> be terrible -- I think it applying to multiple hosts might be.
>
> Can you share more about the 2FA config you have?

What we currently have is a separate development environment for a joint venture, embedded within our network. This is a small segregated network with two ssh based bastion hosts... We are using 2FA for access to the bastion hosts, plus our admin machine. We also want to add 2FA for some su access... But it doesn't look like Google Authenticator works with Sudo so we're probably ok with using Ansible and Sudo...

I have found an option using access files that should work if we lock down the Ansible access to a specific (secured) machine so that that one doesn't have to use 2FA, but only a very small number of people will have access to that host anyway. We are currently using the Google authenticator pam integration, but haven't set this up on more than a couple of hosts yet. We should be able to roll this out everywhere this way.

Thanks,
Adam
