Commit 33067747 authored by Adam Lewenberg's avatar Adam Lewenberg

handle case where pam_duo is true and we only want GSSAP root logins

parent 8e274164
......@@ -20,6 +20,9 @@
#
# If you want to require Duo on login, set pam_duo to true (defaults to
# false).
#
# If $rootloginwithpswd is set to 'no' then we allow root logins using
# GSSAPI only.
define base::ssh::config::sshd(
$ensure = 'present',
......
......@@ -105,3 +105,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
Match User gitolite
ForceCommand /usr/share/gitolite/gitolite-wrapper
<% end -%>
<% if (@pam_duo) and (@rootloginwithpswd == 'no') then -%>
# Because we are enabling Duo but root logins cannot use Duo (yet),
# we have to configure the authentications for root separately.
Match User root
AuthenticationMethods gssapi-with-mic
MaxSessions 3
<% end -%>
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment