Commit 4d0a1f20 authored by Adam Lewenberg

Initial code for new base::duo and sudo-with-Duo support.

parent cc30cb13
UNRELEASED (2015-11-04)
[sudo] Add an option to support sudo-with-Duo. (adamhl)
[duo] New class to load Duo code and wallet object. (adamhl)
release/004.055 (2015-10-08)
[dns] Rewrite base::dns::cache so that it uses dnsmasq on jessie
......
# Set up Duo. Note that this class does not _enable_ Duo for any service,
# rather, it simply downloads the pam_duo software and the appropriate
# wallet files that allow Duo to be used.
# See base::sudo and base::ssh for services that leverage this class.
# wallet_name: the name for the duo wallet object. Defaults to the
# fully-qualified domain name of the host.
class base::duo(
$wallet_name = $::fqdn
){
# Pull in Duo's PAM integration package
package { 'libpam-duo': ensure => present }
# Install the duo configuration. The object is not written to the
# default loaction because base::wallet will not overwrite the
# configuration file supplied with the package install.
$wallet_name_downcase = downcase($wallet_name)
base::wallet { $wallet_name_downcase:
ensure => present,
type => 'duo-pam',
path => '/etc/security/pam_duo_su.conf',
require => Package['libpam-duo'],
}
}
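Review bot: nothing in this hunk sets owner, group or mode on /etc/security/pam_duo_su.conf, and a pam_duo configuration carries the Duo integration key and secret key; unless base::wallet is known to default that file to root-owned 0600, pass those attributes explicitly (if the defined type accepts them) so the secret is not readable by every local user. Minor: "loaction" in the comment should read "location".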
# Installs sudo and, optionally, enables Duo for sudo.
# $duo: enable pam_duo for sudo. Defaults to false.
#
# $duo_sudoers: A list of users that are allowed to call sudo.
# Defaults to the empty array.
#
# Example.
# To install sudo with no Duo support:
#
# include base::sudo
#
# Example.
# To install sudo WITH Duo support
#
# Installs sudo
# class { 'base::sudo':
# duo => true,
# duo_sudoers => ['adamhl', 'yuelu']
# }
class base::sudo(
$duo = false,
$duo_sudoers = [],
){
package { 'sudo':
ensure => installed
}
# If duo is enabled, require base::duo and set up the
# sudoers file.
if ($duo) {
include base::duo
# Install the pam.d configuration that requires Duo on sudo.
file {'/etc/pam.d/sudo':
ensure => present,
content => template('base/sudo/etc/pam.d/sudo.erb'),
require => Class['base::duo'],
}
class base::sudo {
package { "sudo":
ensure => installed
# Install the suoders file. This takes the array $duo_sudoers
# and puts it into /etc/sudoers.d/duo
if (downcase($::osfamily) =~ /^debian$/) {
file {'/etc/sudoers.d/duo':
ensure => present,
content => template('base/sudo/etc/sudoers.d/duo.erb'),
require => Package['sudo'],
}
} else {
fail("base::sudo with duo does not yet support ${::osfamily}.")
}
}
\ No newline at end of file
}
}
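Review bot: the file resource for /etc/sudoers.d/duo sets no owner, group or mode, and sudo rejects drop-in files that are not root-owned or whose mode is more permissive than 0440, so add `owner => 'root', group => 'root', mode => '0440'` and, because the content is generated from a template, `validate_cmd => '/usr/sbin/visudo -c -f %'` so a malformed entry is caught at apply time rather than leaving the host without a usable sudo. Two smaller points in the same hunk: when $duo is later set back to false neither /etc/pam.d/sudo nor /etc/sudoers.d/duo is reverted, so an `else` branch that removes the drop-in (and restores the stock pam.d file) is worth adding; and the /etc/pam.d/sudo resource should also `require => Package['sudo']`, since the package ships that file and an install ordered after the file resource will clash with it. The header comment repeats "Example." and "Installs sudo", and "suoders" should read "sudoers".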
#%PAM-1.0
auth required pam_env.so
# MUST COMMENT OUT OR IT WILL ASK FOR A PASSWORD:
# auth requisite pam_unix.so nullok try_first_pass
# Do a Duo authentication and, if successful, allow the sudo.
# Otherwise, fail.
auth sufficient pam_duo.so conf=/etc/security/pam_duo_su.conf
auth required pam_deny.so
account include common-auth
password include common-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
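Review bot: the `account include common-auth` and `password include common-auth` lines pull in no account or password modules at all, because `include` only takes lines of the matching type from the named file and common-auth contains only auth lines; Debian provides common-account and common-password for those stacks, so change these to `account include common-account` and `password include common-password` so that account checks (expiry, lockout) still run on the sudo path. On the auth stack, with pam_unix commented out Duo is the only factor, so anyone holding the user's logged-in session can sudo on a single push approval; at minimum make sure /etc/security/pam_duo_su.conf sets `failmode = secure`, otherwise a Duo outage returns success from pam_duo and `sufficient` lets the request through without any check. The file is also a .erb with no ERB tags; a plain `source =>` file would do.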
<%
@duo_sudoers.each do |sudoer|
-%>
<%= sudoer %> ALL = (ALL) ALL
<%
end
-%>
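Review bot: each name in $duo_sudoers is expanded to `ALL = (ALL) ALL` with no quoting or validation, so the base::sudo documentation should say these users receive unrestricted root, and a value containing whitespace or sudoers metacharacters produces a syntax error in /etc/sudoers.d/duo; validate the array entries in the manifest (a username pattern check) or pair the template with a visudo validate_cmd on the file resource so a bad entry is caught when the catalog is applied rather than the next time sudo runs.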