The full manual setup, including the Active Directory steps, is described in Preparing a Linux Client Server for Centrify and 2FA for CentOS-7.
If you just want to automate the Linux portion, here is something you may wish to consider.
Update the sshd_config template (the important part is that "PasswordAuthentication no" and "ChallengeResponseAuthentication yes" are present). The whole sshd_config template is too large to put into the blog, so only the relevant fragment is shown:
.....
.....
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
.....
.....
- name: Generate /etc/ssh/sshd_config from the sshd_config.j2 template
  template:
    src: ../templates/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0600'
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

# restart so sshd picks up the rendered configuration
- name: Restart SSH Service
  systemd:
    name: sshd
    state: restarted
    enabled: yes
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
  changed_when: false
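As an added check that is not part of the original playbook, the Python script below verifies that a rendered sshd_config actually enforces the two directives the template relies on. It applies sshd's own rules (first occurrence of a keyword wins, keywords are case-insensitive, directives below a Match block are conditional) instead of a plain grep; the sample configs embedded in it are constructed.

```python
import re
from typing import Dict, List
# Settings the playbook's sshd_config template must enforce for Centrify 2FA.
REQUIRED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",
}

def effective_global_settings(config_text: str) -> Dict[str, str]:
    """Return {keyword: value} for the global section of an sshd_config.
    sshd keeps the FIRST occurrence of a keyword (later duplicates are ignored),
    matches keywords case-insensitively, accepts "Key value" or "Key=value",
    and treats everything after the first Match block as conditional."""
    settings: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments configure nothing
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break  # directives below Match apply only to matching connections
        settings.setdefault(key, value)  # first occurrence wins
    return settings

def check_2fa_settings(config_text: str) -> List[str]:
    """Return findings against REQUIRED; an empty list means compliant."""
    effective = effective_global_settings(config_text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = effective.get(key)
        if actual is None:
            findings.append(f"{key}: not set globally (sshd default applies)")
        elif actual != wanted:
            findings.append(f"{key}: effective value '{actual}', expected '{wanted}'")
    return findings

# Constructed samples: the fragment from the template above, and the same text
# preceded by a stray line that silently overrides it (first occurrence wins).
SAMPLE_OK = """
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
"""
SAMPLE_BAD = "PasswordAuthentication yes\n" + SAMPLE_OK

if __name__ == "__main__":
    print(check_2fa_settings(SAMPLE_BAD) or "compliant")
```

On the host itself, `sshd -T` prints the values sshd actually resolved, which is the authoritative cross-check for the same two keywords.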
Here is Centrify_2FA.yml, which installs the IwaTrustRoot.pem certificate into the system CA trust anchors and into the Centrify certificate directory:
- name: Copy IwaTrustRoot.pem to /etc/pki/ca-trust/source/anchors/
  # a static PEM needs no Jinja rendering, so copy is used rather than template;
  # anchors placed here are picked up by update-ca-trust
  copy:
    src: /usr/local/software/certificate/IwaTrustRoot.pem
    dest: /etc/pki/ca-trust/source/anchors/
    owner: root
    group: root
    mode: '0600'
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

- name: Copy IwaTrustRoot.pem to /var/centrify/net/certs
  copy:
    src: /usr/local/software/certificate/IwaTrustRoot.pem
    dest: /var/centrify/net/certs/   # trailing slash: copy into the directory
    owner: root
    group: root
    mode: '0600'
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
Restart CentrifyDC and run adflush so that the agent is in sync with Active Directory:
# no shell features are needed, so command is used instead of shell
- name: CentrifyDC Restart
  ansible.builtin.command: "/usr/share/centrifydc/bin/centrifydc restart"
  register: centrifydc_status
  changed_when: false

- name: Active Directory Flush
  ansible.builtin.command: "adflush -f"
  register: flush_status
  changed_when: false

- name: Centrify Service Restarted
  debug:
    msg: "CentrifyDC restart output: {{ centrifydc_status.stdout }}"