This README file explains how to use base::duo.

VERSION 4->5 UPGRADE NOTE: If your code involves base::duo, that's not going to
work anymore. Have a look at base::duo::config instead, or README.ssh.

Duo uses the term "integration" to refer to a set of credentials that a
client (like your system) will use to authenticate itself to Duo. base::duo
manages the process of fetching and customizing 'duo-unix' integrations, which
is the type of integration that can be used for things like login, sudo, and
web-based two-step (such as something that your web application might trigger).

Duo integrations are keyed on the system name, so if you have multiple Duo uses
on a single system (e.g. SSH and sudo), all uses will share the same Duo
integration, but _may_ use different Duo configuration files: if the Duo uses
on a single system have different needs (such as one failing safe and one
failing secure), that will require separate Duo configuration files.

Duo integration keys do not change or expire, unless a `wallet destroy` is run
or a Duo administrator manually deletes the Duo integration.

If you do ever need to destroy a Duo integration, here's the command to use:

    wallet destroy pam-duo hostname.stanford.edu

To generate a Duo configuration file, instantiate an object of
base::duo::config, where the name is the path to the Duo configuration file.
For example:

    base::duo::config { '/etc/secure/duo_webapp.conf':
      ensure     => present,
      failsecure => true,
    }

To see the options available, have a look at the header text in
manifests/duo/config.pp. There are other classes in the base::duo namespace,
but they're all invoked as needed by base::duo::config.

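An added example, not part of this module: a Python check that a generated Duo
configuration file fails the way you intended and does not expose the
integration's secret key to other users. It assumes the generated files use the
standard duo-unix format (a [duo] section with ikey, skey, host and an optional
failmode of safe or secure) and that failsecure => true is rendered as
failmode = secure; the function names and sample file contents are constructed.

```python
import configparser
import os
import stat
import tempfile


def audit_duo_config(path, expect_failsecure):
    """Return a list of findings for one duo-unix configuration file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The file holds the integration's secret key (skey), so group and
    # other must have no access at all.
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} exposes skey to group/other")

    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    if not parser.has_section("duo"):
        findings.append(f"{path}: no [duo] section")
        return findings

    # duo-unix falls back to failmode=safe when the key is absent.
    failmode = parser.get("duo", "failmode", fallback="safe").strip().lower()
    if expect_failsecure and failmode != "secure":
        findings.append(f"{path}: failmode is '{failmode}', expected 'secure'")
    if not expect_failsecure and failmode == "secure":
        findings.append(f"{path}: failmode is 'secure', expected 'safe'")
    return findings


def write_sample(directory, name, failmode, mode):
    """Write a constructed sample config with placeholder credentials."""
    path = os.path.join(directory, name)
    with open(path, "w") as handle:
        handle.write("[duo]\nikey = PLACEHOLDER_IKEY\nskey = PLACEHOLDER_SKEY\n"
                     "host = api-PLACEHOLDER.example.invalid\n")
        if failmode:
            handle.write(f"failmode = {failmode}\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        webapp = write_sample(tmp, "duo_webapp.conf", "secure", 0o600)
        other = write_sample(tmp, "duo_other.conf", None, 0o644)
        for finding in audit_duo_config(webapp, True) + audit_duo_config(other, True):
            print(finding)
```
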
To be honest, the only time you'll need to invoke base::duo::config directly is
when you have a custom thing that wants to leverage Duo. If you're interested
in using Duo to authenticate SSH or sudo, have a look in README.ssh or
README.sudo instead.