0

I have a jump/bastion server and want to enable MFA using Google Authenticator. I have written an Ansible playbook that installs libpam-google-authenticator and modifies /etc/pam.d/sshd and /etc/ssh/sshd_config with the required config.

Is there any way I can run google-authenticator using Ansible for a user? This command generates the key and a QR code that the user will scan or enter into the app, and then enter the code from the app, so a lot of back and forth happens in this step.

1 Answer

-1

We also managed to generate the whole config for the Google Authenticator PAM module (we are using Ubuntu). The solution for the user config is to generate the private seed for the TOTP generation not directly on the host (the users are doing it for themselves, and you do not need to use google-authenticator to generate such a simple string...), then vault it and write the .google-authenticator config into the user's home. We are using a j2 template for the file.

The format is documented here: https://github.com/google/google-authenticator-libpam/blob/master/FILEFORMAT

Hope this helps, cheers!
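
The approach from this answer, as an added example (not the answerer's playbook or template, and not code from the google-authenticator project): generate the seed off the host, render the file in the layout described by the linked FILEFORMAT, and build the `otpauth://` URI for the user's app. The function names, the option values (`RATE_LIMIT 3 30`, `WINDOW_SIZE 3`) and the account/issuer strings are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def new_seed(nbytes=20):
    """Random TOTP seed as unpadded base32 (20 bytes -> 32 characters)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def totp(seed_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`; used to check enrollment."""
    key = base64.b32decode(seed_b32 + "=" * (-len(seed_b32) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def new_scratch_codes(count=5):
    """Eight-digit one-time recovery codes without a leading zero."""
    return [str(secrets.randbelow(90_000_000) + 10_000_000) for _ in range(count)]


def render_config(seed_b32, scratch_codes=()):
    """Text of ~/.google-authenticator: secret, option lines, scratch codes."""
    base64.b32decode(seed_b32 + "=" * (-len(seed_b32) % 8), casefold=True)  # validate
    for code in scratch_codes:
        if not (len(code) == 8 and code.isdigit()):
            raise ValueError("scratch codes must be 8 digits")
    # Assumed option values; adjust to local policy.
    options = ['" RATE_LIMIT 3 30', '" WINDOW_SIZE 3', '" DISALLOW_REUSE', '" TOTP_AUTH']
    return "\n".join([seed_b32, *options, *scratch_codes]) + "\n"


def enrollment_uri(seed_b32, account, issuer):
    """otpauth:// URI the user types or scans into the authenticator app."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={seed_b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    seed = new_seed()  # run off-host; store the seed in Ansible Vault
    print(enrollment_uri(seed, "alice@bastion", "Bastion"))  # constructed names
    print(render_config(seed, new_scratch_codes()), end="")
```

Write the rendered text to the user's `~/.google-authenticator` with owner-only permissions (0600 or 0400). The PAM module rewrites this file itself (used scratch codes, rate-limit and reuse timestamps), so a template task that overwrites it on every run resets that state.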
