ssh: Add support for not using AFS in the PAM stack.

manifests/ssh.pp

@@ -3,6 +3,11 @@
 # system, we lock connections down to campus with iptables by default, and we
 # have a few subclasses that allow things like host keys.
 
+# If you are using AFS, then you can have pam_afs_session placed into the
+# PAM authentication chain.  You should disable this on systems that aren't
+# using OpenAFS.
+# Default: true
+
 # If you want to require Duo on login, set pam_duo to true. This flag will
 # load the appropriate Duo code (via base::duo) and change the sshd_config
 # file so that Duo is required for non-root logins. If you want Duo for
@@ -10,6 +15,7 @@
 # Default: false
 
 class base::ssh(
+  $pam_afs = true,
   $pam_duo = false
 ){
 
@@ -29,6 +35,7 @@ class base::ssh(
 
   # Setup /etc/pam.d/sshd to require Duo on regular logins.
   class { 'ssh::pam':
+    pam_afs => $pam_afs,
     pam_duo => $pam_duo,
   }
 

manifests/ssh/pam.pp

@@ -6,6 +6,7 @@
 # Currently, only Debian is supported when $pam_duo is true.
 
 class ssh::pam (
+  $pam_afs = true,
   $pam_duo = false
 ){
 

templates/ssh/etc/pam.d/sshd.erb

@@ -9,12 +9,16 @@
 #    credential), then "jump over" the pam_duo module to step 3. If not,
 #    go to the next module in the stack (2).
 # 2. If the user is _not_ root, require Duo.
+<% if @pam_afs %>
 # 3. Set up the AFS session and then, whether the AFS sesssion setup works
 #    or not, quit the pam stack
+<% end %>
 
 auth    [success=1 default=ignore]  pam_succeed_if.so uid eq 0
 auth    required                    pam_duo.so conf=/etc/security/pam_duo_ssh.conf
+<% if @pam_afs %>
 auth    [success=done default=die]  pam_afs_session.so
+<% end %>
 
 ##############################################################################
 # account