Forge Home


Puppet Google Authenticator Module


7,425 latest version

4.1 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.1.12 (latest)
  • 1.1.10
  • 1.1.9
  • 1.1.8
  • 1.1.7
  • 1.1.6
  • 1.1.5
  • 1.1.4
  • 1.1.3
  • 1.1.2
  • 1.1.1
  • 1.1.0
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
released Mar 14th 2016

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'camptocamp-googleauthenticator', '1.1.12'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add camptocamp-googleauthenticator
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install camptocamp-googleauthenticator --version 1.1.12

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



camptocamp/googleauthenticator — version 1.1.12 Mar 14th 2016


Puppet Forge Version Puppet Forge Downloads Build Status Gemnasium By Camptocamp

Google-authenticator module for Puppet.

This module allows to easily deploy google-authenticator two-step authentication for users using the PAM google-authenticator module.


  • Service['ssh'] must be managed for the node.

Simple example

# Setup PAM
# Only root uses tokens locally, all users need one through SSH
# Note that key authentication with SSH never requires a token
googleauthenticator::pam {
  'login': mode => 'root-only';
  'su':    mode => 'root-only';
  'sshd':  mode => 'all-users';

# Add 2 step verification for a user
googleauthenticator::user {'root':
  secret_key => 'C6SSDFBBH6P76EDM',
  scratch_codes => ['78905638', '14036415', '77983530', '22071921', '19861182'],

Adding PAM modes

In order to use the module, you have to setup each PAM module using googleauthenticator::pam. Two values are currently available by default for the mode:

  • all-users: All users will be prompted for a token for this PAM module;
  • root-only: Only root will be prompted for a token for this PAM module;
  • systemwide-users: Google-authenticator files are store in /etc/google-authenticator/${user}/google_authenticator files instead of the home of each user. Use googleauthenticator::user::systemwide to manage the user files. This is useful for users with encrypted home directories.

In the first and third cases, users who have not configured google-authenticator on their account will not be able to authenticate using the given module.

You can setup new modes by adding googleauthenticator::pam::mode definitions, for example:

googleauthenticator::pam::mode {
    # Only ask for a token if users are in the sysadmin group
    condition => 'user ingroup sysadmin';

    # Users with a UID above 1000 don't need a token
    succeed_if => 'uid > 1000',
    # It's ok to not have a ~/.google_authenticator file
    nullok     => true;

googleauthenticator::pam::mode {['joe','foo']:
  mode => 'sysadmin',


Because the PAM module for Google-authenticator currently uses only one file for both configuration and living data (see ticket #167), scratch codes that are used get redeployed every time, and current values stored in the ~/.google_authenticator file (such as timestamps for rate limit) get overridden. The cleanest way to handle this would be for the PAM module to use two different files for configuration and living data, but this is currently not possible.