handle case where pam_duo is true and we only want GSSAP root logins

33067747 · Adam Lewenberg · 8e274164 · 33067747 · 33067747
Commit 33067747 authored Nov 06, 2015 by Adam Lewenberg
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

manifests/ssh/config/sshd.pp manifests/ssh/config/sshd.pp +3 -0

templates/ssh/sshd_config.erb templates/ssh/sshd_config.erb +8 -0

No files found.
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -20,6 +20,9 @@
 #
 # If you want to require Duo on login, set pam_duo to true (defaults to
 # false).
+#
+# If $rootloginwithpswd is set to 'no' then we allow root logins using
+# GSSAPI only.

 define base::ssh::config::sshd(
  $ensure            = 'present',

--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -105,3 +105,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Match User gitolite
    ForceCommand /usr/share/gitolite/gitolite-wrapper
 <% end -%>
+<% if (@pam_duo) and (@rootloginwithpswd == 'no') then -%>
+
+# Because we are enabling Duo but root logins cannot use Duo (yet),
+# we have to configure the authentications for root separately.
+Match User root
+  AuthenticationMethods gssapi-with-mic
+  MaxSessions 3
+<% end -%>