From 614c6205dd4d1199ec88374a91d9501fda4dac84 Mon Sep 17 00:00:00 2001
From: Morgan Wattiez
Date: Sat, 22 Jun 2019 19:06:28 +0200
Subject: [PATCH] Use touch id for sudo + yubico for login screen
---
 README.md | 3 +++
 dot_scripts/ansible/mac_playbook.yaml | 16 ++++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 1a6cffd..e86ce10 100644
--- a/README.md
+++ b/README.md
@@ -49,3 +49,6 @@ pip3 install boto3
 pip3 install awscli
 pip3 install pipenv
 ```
+
+### If Yubico is installed, run this :
+`sudo ansible-playbook ~/Code/dotfiles/mac_playbook.yaml`
diff --git a/dot_scripts/ansible/mac_playbook.yaml b/dot_scripts/ansible/mac_playbook.yaml
index 62f6e92..54b32ad 100644
--- a/dot_scripts/ansible/mac_playbook.yaml
+++ b/dot_scripts/ansible/mac_playbook.yaml
@@ -4,9 +4,21 @@
 become_method: sudo
 become: yes
 tasks:
- - name: Ensure yubikey is needed for authentication
+ - name: Ensure yubikey is needed for authentication at login screen
 lineinfile:
- path: /etc/pam.d/authorization
+ path: "{{ item }}"
 regexp: '^auth.*pam_yubico.so.*'
 line: "auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response"
 insertbefore: "^account required pam_opendirectory.so"
+ with_items: - /etc/pam.d/screensaver - /etc/pam.d/authorization
+
+ - name: Ensure touch id is enough to authenticate with sudo
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^auth.*sufficient.*pam_tid.so.*'
+ line: "auth sufficient pam_tid.so"
+ insertafter: "^#.*"
+ with_items:
+ - /etc/pam.d/sudo
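Review bot: The yubikey task now writes `auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response` into /etc/pam.d/screensaver and /etc/pam.d/authorization with no check that the module exists; a `required` line naming a missing module fails the whole auth stack, so running the play on a machine without pam_yubico (the README only asks the operator to check) locks both the login screen and the screen saver, and the `{{ item }}` loop applies that to both files at once. Guard the task with a `stat` of the module path and a `when:` on the result (fenced below), and `loop:` reads better than `with_items:` in both new tasks. The `insertbefore` regex `"^account required pam_opendirectory.so"` only matches single spaces, whereas PAM files are usually column-aligned with runs of spaces or tabs (I cannot see the target files); on no match lineinfile falls back to appending at EOF, silently changing where the line lands in the stack, so `'^account\s+required\s+pam_opendirectory\.so'` is the safer anchor, and the same EOF fallback applies to `insertafter: "^#.*"` in the Touch ID task if /etc/pam.d/sudo has no comment line. The play header (hosts, become) starts outside the hunk.
```yaml
    - name: Check that pam_yubico is installed
      stat:
        path: /usr/local/lib/security/pam_yubico.so
      register: pam_yubico_module

    - name: Ensure yubikey is needed for authentication at login screen
      # … unchanged: lineinfile and with_items …
      when: pam_yubico_module.stat.exists
```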