FIX: 2FA Setup (stereum-dev#1875)

* Update AuthenticationService.js

changed authenticationMethods order

* UPDATE: change the 2 fa modals input type

* fix: auth settings

changed authentication methods setting

* FIX: 2FA core fixes

* ADD: experimental text to 2fa

---------

Co-authored-by: mabasian <[email protected]>
Co-authored-by: daverolo <[email protected]>
Co-authored-by: Max Behzadi <[email protected]>

controls/roles/2fa-enable/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

controls/roles/2fa-enable/.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

controls/roles/2fa-enable/tasks/main.yaml

@@ -0,0 +1,58 @@
+---
+# Backup and configure SSH for 2FA
+- name: Check if /etc/ssh/sshd_config.stereum.bak exists
+  stat:
+    path: /etc/ssh/sshd_config.stereum.bak
+  register: sshd_config_backup
+
+- name: Check if /etc/pam.d/sshd.stereum.bak exists
+  stat:
+    path: /etc/pam.d/sshd.stereum.bak
+  register: pam_sshd_backup
+
+- name: Backup sshd_config if not already backed up
+  copy:
+    src: /etc/ssh/sshd_config
+    dest: /etc/ssh/sshd_config.stereum.bak
+    remote_src: yes
+  when: not sshd_config_backup.stat.exists
+
+- name: Backup pam-sshd if not already backed up
+  copy:
+    src: /etc/pam.d/sshd
+    dest: /etc/pam.d/sshd.stereum.bak
+    remote_src: yes
+  when: not pam_sshd_backup.stat.exists
+
+- name: Comment out KbdInteractiveAuthentication in sshd_config
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^KbdInteractiveAuthentication.*$"
+    line: '# \0'
+    state: present
+
+- name: Add 2FA setup to sshd_config
+  blockinfile:
+    path: /etc/ssh/sshd_config
+    marker: "# {mark} 2FA-Setup"
+    block: |
+      KbdInteractiveAuthentication yes
+      AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
+
+- name: Comment out @include common-auth in pam-sshd
+  lineinfile:
+    path: /etc/pam.d/sshd
+    regexp: "^@include common-auth$"
+    line: "# @include common-auth"
+    state: present
+
+- name: Add Google Authenticator configuration to pam-sshd
+  lineinfile:
+    path: /etc/pam.d/sshd
+    line: "auth required pam_google_authenticator.so grace_period=43200"
+    insertafter: EOF
+
+- name: Restart SSH service
+  systemd:
+    name: sshd
+    state: restarted

controls/roles/2fa-enable/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - 2fa-enable

controls/roles/2fa-remove/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

controls/roles/2fa-remove/.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

controls/roles/2fa-remove/tasks/main.yaml

@@ -0,0 +1,37 @@
+---
+# Restore SSH and PAM configurations and clean up Google Authenticator
+- name: Restore sshd_config from backup
+  copy:
+    src: /etc/ssh/sshd_config.stereum.bak
+    dest: /etc/ssh/sshd_config
+    remote_src: yes
+
+- name: Restore pam-sshd from backup
+  copy:
+    src: /etc/pam.d/sshd.stereum.bak
+    dest: /etc/pam.d/sshd
+    remote_src: yes
+
+- name: Remove Google Authenticator configuration file from {{ myuser }}
+  file:
+    path: "/home/{{ myuser }}/.google_authenticator"
+    state: absent
+  ignore_errors: yes
+
+- name: Remove Google Authenticator configuration file from root
+  file:
+    path: "/{{ myuser }}/.google_authenticator"
+    state: absent
+  when: myuser == "root"
+  ignore_errors: yes
+
+- name: Remove google-authenticator-libpam directory
+  file:
+    path: /root/google-authenticator-libpam
+    state: absent
+  ignore_errors: yes
+
+- name: Restart SSH service
+  systemd:
+    name: sshd
+    state: restarted

controls/roles/2fa-remove/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - 2fa-remove

controls/roles/2fa-setup/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

controls/roles/2fa-setup/.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

controls/roles/2fa-setup/tasks/main.yaml

@@ -0,0 +1,40 @@
+---
+# Install Google Authenticator PAM module
+- name: Update apt package index
+  apt:
+    update_cache: yes
+
+- name: Install required packages
+  apt:
+    name:
+      - libqrencode-dev
+      - libtool
+      - libpam-dev
+      - autoconf
+      - make
+    state: present
+
+- name: Clone google-authenticator-libpam repository
+  git:
+    repo: https://github.com/google/google-authenticator-libpam.git
+    dest: /root/google-authenticator-libpam
+    update: no
+
+- name: Run bootstrap.sh
+  command: ./bootstrap.sh
+  args:
+    chdir: /root/google-authenticator-libpam
+
+- name: Run configure with libdir
+  command: ./configure --libdir=/lib/x86_64-linux-gnu
+  args:
+    chdir: /root/google-authenticator-libpam
+
+- name: Compile the google-authenticator-libpam
+  make:
+    chdir: /root/google-authenticator-libpam
+
+- name: Install the google-authenticator-libpam
+  make:
+    target: install
+    chdir: /root/google-authenticator-libpam

controls/roles/2fa-setup/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - 2fa-setup