This project helps you connect your existing Linux machines to an identity provider (IdP) such as Google Workspace or Active Directory, and probably many others. It can also configure Google Authenticator 2FA for those servers.
The script configures PAM together with SSSD and the Google Authenticator PAM module to enable 2FA.
You need an IdP that supports secure LDAP (LDAPS), for example Google Workspace. To enable LDAP in Google Workspace, read the following guide.
DISCLAIMER: It is best to test this on a VM with a similar OS before running it on a production machine.
In some cases it might lock you out of your machine. USE AT YOUR OWN RISK.
It can also be tested using the Dockerfile, although this is still WIP; see the Dockerfile for more details.
Tested on: Ubuntu 23.04, CentOS Stream 9
To install, run:
wget -O - https://raw.githubusercontent.com/smulikHakipod/idm-ssh-configurator/main/configure.sh | sudo bash
The configurator will ask you a few questions and then configure your machine.
This configurator aims to produce a simple configuration for simple use cases; any advanced configuration should be done by editing the following files:
/etc/pam.d/common-auth
/etc/pam.d/sshd
These two files control whether authentication through the IdP is optional, among other things.
/etc/sssd/sssd.conf
controls allowed/denied groups, LDAP filters, and much more.
/etc/ssh/sshd_config
controls which users are excluded and whether 2FA is enforced (using the sshd ForceCommand directive).
/etc/ssh/banner
controls the banner shown to the user before login.
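The following shell script is an added example and is not part of the idm-ssh-configurator project. It audits copies of the files listed above for the three properties this README relies on: every ldap_uri in sssd.conf uses ldaps://, the sshd PAM stack has an active pam_google_authenticator.so line, and sshd_config carries an uncommented ForceCommand directive. The sample configs it writes are constructed for the self-check (the ForceCommand path, host names and PAM line are assumptions, not the configurator's real output), and the checks only inspect the keys named here, so they are a sanity check rather than a full review of those files.

```shell
#!/bin/sh
# Added example, not part of idm-ssh-configurator: audit the files the README
# lists for the settings it says they control. Assumptions (not from the
# page): sssd.conf carries the standard ldap_uri key, the sshd PAM stack
# references pam_google_authenticator.so, and 2FA enforcement appears as an
# uncommented ForceCommand line in sshd_config.

# check_ldaps FILE: every ldap_uri value (comma separated, possibly spread
# over several lines) must use ldaps://; a missing ldap_uri also fails.
check_ldaps() {
    uris=$(grep -Ei '^[[:space:]]*ldap_uri[[:space:]]*=' "$1") || return 1
    ! printf '%s\n' "$uris" | sed 's/^[^=]*=//' | tr ',' '\n' \
        | grep -Ev '^[[:space:]]*$' | grep -Eiv '^[[:space:]]*ldaps://' | grep -q .
}

# check_pam_2fa FILE: an active (uncommented) auth line must load the
# Google Authenticator module.
check_pam_2fa() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# check_forcecommand FILE: an uncommented ForceCommand directive with a value.
check_forcecommand() {
    grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+[^[:space:]]' "$1"
}

# audit_dir DIR: DIR holds copies named sssd.conf, pam_sshd and sshd_config.
# Prints one line per check and returns 0 only when all of them pass.
audit_dir() {
    rc=0
    check_ldaps "$1/sssd.conf" && echo "PASS ldaps-only ldap_uri" \
        || { echo "FAIL ldaps-only ldap_uri"; rc=1; }
    check_pam_2fa "$1/pam_sshd" && echo "PASS pam_google_authenticator active" \
        || { echo "FAIL pam_google_authenticator active"; rc=1; }
    check_forcecommand "$1/sshd_config" && echo "PASS ForceCommand set" \
        || { echo "FAIL ForceCommand set"; rc=1; }
    return $rc
}

# make_samples DIR: constructed sample configs (not real configurator output)
# with a compliant set under DIR/good and a weakened set under DIR/bad.
make_samples() {
    mkdir -p "$1/good" "$1/bad"
    cat > "$1/good/sssd.conf" <<'EOF'
[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.invalid:636
EOF
    cat > "$1/good/pam_sshd" <<'EOF'
# this section added by idm-ssh script
auth required pam_google_authenticator.so
EOF
    cat > "$1/good/sshd_config" <<'EOF'
ForceCommand /usr/local/bin/enforce-2fa
EOF
    # bad: a plaintext ldap:// fallback, a commented-out 2FA line, and a
    # commented-out ForceCommand
    cat > "$1/bad/sssd.conf" <<'EOF'
[domain/example]
ldap_uri = ldaps://ldap.example.invalid, ldap://fallback.example.invalid
EOF
    cat > "$1/bad/pam_sshd" <<'EOF'
#auth required pam_google_authenticator.so
EOF
    cat > "$1/bad/sshd_config" <<'EOF'
# ForceCommand /usr/local/bin/enforce-2fa
EOF
}

# Self-check on the constructed samples; to audit a real host, copy the three
# files into one directory under the names above and call audit_dir on it.
tmp=$(mktemp -d)
make_samples "$tmp"
echo "== good sample =="; audit_dir "$tmp/good" || echo "unexpected: good sample failed"
echo "== bad sample ==";  audit_dir "$tmp/bad"  || echo "bad sample rejected as expected"
rm -rf "$tmp"
```

Because the checks work on copies, they can be run against a snapshot taken before the configurator runs and again afterwards, which is a quick way to confirm that an edit to sssd.conf or sshd_config did not silently drop the LDAPS requirement or the 2FA enforcement.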
To remove the configuration, delete the section marked
# this section added by idm-ssh script
from each of the files above.