freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

[ipasmartcard_client] Role does not include configuration of the PAM SSH agent #1252

Open EmptyByte opened 2 weeks ago

EmptyByte commented 2 weeks ago

The role to set up ipasmartcard_client does not handle the installation and configuration of the PAM SSH agent.

Refer to: Setting up the PAM module for sudo

```yaml
# pam_ssh_agent_auth lets sudo accept a key offered by the user's forwarded
# SSH agent; sss_ssh_authorizedkeys hands it the user's public keys from IPA.
- name: Ensure PAM SSH agent is installed (dnf)
  ansible.builtin.dnf:
    name: pam_ssh_agent_auth
    state: present
  when: ansible_facts['pkg_mgr'] | lower == 'dnf'

- name: Ensure PAM SSH agent is installed (yum)
  ansible.builtin.yum:
    name: pam_ssh_agent_auth
    state: present
  when: ansible_facts['pkg_mgr'] | lower == 'yum'

# Inserted directly after the "#%PAM-1.0" header so it is the first auth
# entry and is evaluated before the "include system-auth" lines.
- name: Add the authorized_keys_command to /etc/pam.d/sudo
  ansible.builtin.lineinfile:
    path: /etc/pam.d/sudo
    regexp: '^auth\s+sufficient\s+pam_ssh_agent_auth\.so\s+authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys$'
    insertafter: '^#%PAM-1.0$'
    line: 'auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys'
    backup: true

# sudo resets the environment; SSH_AUTH_SOCK must survive so the PAM module
# can reach the agent. visudo -c validates the drop-in before it is installed.
- name: Create sudoers drop-in file for SSH agent forwarding
  ansible.builtin.copy:
    dest: /etc/sudoers.d/ssh_agent_forward
    content: |
      # This file is managed by Ansible
      Defaults env_keep += "SSH_AUTH_SOCK"
    owner: root
    group: root
    mode: '0440'
    validate: '/usr/sbin/visudo -csf %s'
```
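An added verification script, not part of this issue or of the ansible-freeipa project, that checks the two files the tasks above manage: it confirms that the `pam_ssh_agent_auth` entry is the first `auth` line in a `/etc/pam.d/sudo`-style file (the position the `insertafter` gives it) and points at `sss_ssh_authorizedkeys`, and that a sudoers drop-in keeps `SSH_AUTH_SOCK`. The sample files it runs against are constructed here; the function and file names are this example's own.

```shell
#!/bin/sh
# Example check for the PAM SSH agent configuration applied above.
# Not part of ansible-freeipa; sample files below are constructed.

# Returns 0 when the first "auth" entry of the PAM file is pam_ssh_agent_auth
# with authorized_keys_command pointing at sss_ssh_authorizedkeys.
# Comment lines never match because their first field is not "auth".
pam_agent_auth_first() {
    first_auth=$(awk '$1 == "auth" { print; exit }' "$1")
    printf '%s\n' "$first_auth" | grep -Eq \
        '^auth[[:space:]]+sufficient[[:space:]]+pam_ssh_agent_auth\.so[[:space:]]+authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys([[:space:]]|$)'
}

# Returns 0 when the sudoers drop-in preserves SSH_AUTH_SOCK via env_keep.
sudoers_keeps_agent_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?SSH_AUTH_SOCK"?' "$1"
}

# Combined check; prints one line per item and returns 0 only if both pass.
check_sudo_agent_auth() {
    rc=0
    if pam_agent_auth_first "$1"; then
        echo "ok:   $1 has pam_ssh_agent_auth as the first auth entry"
    else
        echo "FAIL: $1 lacks pam_ssh_agent_auth as the first auth entry"; rc=1
    fi
    if sudoers_keeps_agent_sock "$2"; then
        echo "ok:   $2 keeps SSH_AUTH_SOCK"
    else
        echo "FAIL: $2 does not keep SSH_AUTH_SOCK"; rc=1
    fi
    return $rc
}

# Constructed samples (temporary directory, removed on exit).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# As the lineinfile task leaves a stock RHEL /etc/pam.d/sudo.
cat > "$tmp/sudo.ok" <<'EOF'
#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF

# Module present but after "include system-auth": password is asked first.
cat > "$tmp/sudo.late" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
EOF

cat > "$tmp/sudoers.ok" <<'EOF'
# This file is managed by Ansible
Defaults env_keep += "SSH_AUTH_SOCK"
EOF

cat > "$tmp/sudoers.missing" <<'EOF'
Defaults env_keep += "LANG"
EOF

check_sudo_agent_auth "$tmp/sudo.ok" "$tmp/sudoers.ok"
check_sudo_agent_auth "$tmp/sudo.late" "$tmp/sudoers.missing" || true
```

On a managed host the same functions can be pointed at the real files, `check_sudo_agent_auth /etc/pam.d/sudo /etc/sudoers.d/ssh_agent_forward`, for instance from a post-task `ansible.builtin.script` or a manual audit.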