handle case where pam_duo is true and we only want GSSAP root logins

manifests/ssh/config/sshd.pp

@@ -20,6 +20,9 @@
 #
 # If you want to require Duo on login, set pam_duo to true (defaults to
 # false).
+#
+# If $rootloginwithpswd is set to 'no' then we allow root logins using
+# GSSAPI only.
 
 define base::ssh::config::sshd(
   $ensure            = 'present',

templates/ssh/sshd_config.erb

@@ -105,3 +105,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Match User gitolite
     ForceCommand /usr/share/gitolite/gitolite-wrapper
 <% end -%>
+<% if (@pam_duo) and (@rootloginwithpswd == 'no') then -%>
+
+# Because we are enabling Duo but root logins cannot use Duo (yet),
+# we have to configure the authentications for root separately.
+Match User root
+  AuthenticationMethods gssapi-with-mic
+  MaxSessions 3
+<% end -%>