
Verified Commit 1c31982a authored by Adam Lewenberg

add extra_gssapi_only_user to ssh

parent c40acf1c
......@@ -2,6 +2,9 @@ unreleased (2017-??-??)
Starting the work to make the code Puppet 4 compatible. [adamhl]
[ssh] Add $extra_gssapi_only_users parameter to list accounts extra
accounts that should skip Duo. [adamhl]
release/005.009 (2017-07-07)
[ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help
......
......@@ -49,6 +49,9 @@
#
# Default: undef
# $extra_gssapi_only_users: See documentation in base::ssh::config::sshd.
# Default: []
class base::ssh(
$pam_afs = true,
$pam_duo = false,
......@@ -65,9 +68,10 @@ class base::ssh(
'192.168.0.0/16',
'204.63.224.0/21'
],
$pubkey = false,
$root_authorized_keys = undef,
$filter_sunetids = [],
$pubkey = false,
$root_authorized_keys = undef,
$filter_sunetids = [],
$extra_gssapi_only_users = [],
){
# Install the openssh server package.
......@@ -129,10 +133,11 @@ class base::ssh(
# Install sshd (server) configuration file.
base::ssh::config::sshd { '/etc/ssh/sshd_config':
ensure => present,
pam_duo => $pam_duo,
pubkey => $pubkey,
notify => Service['ssh'],
ensure => present,
pam_duo => $pam_duo,
pubkey => $pubkey,
extra_gssapi_only_users => $extra_gssapi_only_users,
notify => Service['ssh'],
}
if ($root_authorized_keys) {
......
......@@ -32,6 +32,22 @@
# useful for bastion hosts.
# Default: undef
# $extra_gssapi_only_users: Due to problems with Duo, we skip Duo for users
# matching these strings: root,root.*,*.root,admin.*,*.admin. These users
# can ONLY use GSSAPI (no passwords). If you want to skip accounts IN
# ADDITION to this list, set this parameter to an array of such
# accounts. For example, if you want to skip Duo authentication for
#
# root
# root.*
# *.root
# admin.*
# *.admin
# wallet
#
# you would set $extra_gssapi_only_users to ['wallet']
# Default: []
define base::ssh::config::sshd(
$ensure = 'present',
$gitolite = false,
......@@ -47,6 +63,7 @@ define base::ssh::config::sshd(
$rootloginwithpswd = 'no',
$pam_duo = false,
$max_sessions = 'NOT DEFINED',
$extra_gssapi_only_users = [],
) {
if ($source) {
$template = undef
......
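Review bot: `$extra_gssapi_only_users` is accepted by the define without any shape check, yet the template appends it to a Ruby array and joins it into an sshd `Match User` pattern list, so a scalar string or `undef` passed here would surface as a TypeError inside ERB at catalog compile time rather than as a clear parameter error. Add a guard immediately after the parameter list, e.g. `validate_array($extra_gssapi_only_users)` if the module already depends on puppetlabs-stdlib, or an `Array[String]` parameter type once the Puppet 4 compatibility work mentioned in the changelog lands. The define's body continues past the end of this hunk.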
......@@ -134,7 +134,12 @@ MaxSessions <%= @max_sessions %>
# Because we are enabling Duo but root logins cannot use Duo (yet),
# we have to configure the authentications for root separately.
Match User root,root.*,*.root,admin.*,*.admin
<%-
gssapi_only = ['root', 'root.*', '*.root', 'admin.*', '*.admin']
gssapi_only = admin_users + @extra_gssapi_only_users
gssapi_only_list = admin_users.join(',')
-%>
Match User <%= gssapi_only_list %>
AuthenticationMethods gssapi-with-mic
MaxSessions 3
<% end -%>
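Review bot: The extra accounts never reach the generated `Match User` line: the first ERB assignment defines `gssapi_only` as the hard-coded list, the second adds `@extra_gssapi_only_users` to an `admin_users` name that this hunk never defines, and the `join(',')` is taken over `admin_users` rather than the combined list, so the template either raises a NameError when the catalog is compiled or, if `admin_users` happens to be defined elsewhere in the template, silently drops the extra users. The three lines should read `admin_users = ['root', 'root.*', '*.root', 'admin.*', '*.admin']`, `gssapi_only = admin_users + @extra_gssapi_only_users`, `gssapi_only_list = gssapi_only.join(',')`. Since every name in that list is exempted from Duo and restricted to `gssapi-with-mic`, a wildcard entry such as `*` would disable the second factor for all logins; it is worth rejecting entries that are empty, contain whitespace or commas, or consist only of `*` before they are interpolated. The `<% end -%>` closes a conditional that opens outside this hunk.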