Commit 5c5edd9e authored by Karl Kornel's avatar Karl Kornel

ssh: Add support for not using AFS in the PAM stack.

parent 484eda3c
......@@ -3,6 +3,11 @@
# system, we lock connections down to campus with iptables by default, and we
# have a few subclasses that allow things like host keys.
# If you are using AFS, then you can have pam_afs_session placed into the
# PAM authentication chain. You should disable this on systems that aren't
# using OpenAFS.
# Default: true
# If you want to require Duo on login, set pam_duo to true. This flag will
# load the appropriate Duo code (via base::duo) and change the sshd_config
# file so that Duo is required for non-root logins. If you want Duo for
......@@ -10,6 +15,7 @@
# Default: false
class base::ssh(
$pam_afs = true,
$pam_duo = false
){
......@@ -29,6 +35,7 @@ class base::ssh(
# Setup /etc/pam.d/sshd to require Duo on regular logins.
class { 'ssh::pam':
pam_afs => $pam_afs,
pam_duo => $pam_duo,
}
......
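Review bot: `$pam_afs` is accepted untyped here and in `ssh::pam`, and the template tests it with `<% if @pam_afs %>`, where Ruby treats any non-nil value — including a string such as `'false'` that a caller or Hiera lookup may hand in — as true, so AFS could stay in the stack on hosts meant to run without it. Consider pinning the type at the class boundary in both classes: `Boolean $pam_afs = true,` on Puppet 4+, or `validate_bool($pam_afs)` from stdlib on older releases. The class bodies continue outside the hunks.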
......@@ -6,6 +6,7 @@
# Currently, only Debian is supported when $pam_duo is true.
class ssh::pam (
$pam_afs = true,
$pam_duo = false
){
......
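Review bot: The new `$pam_afs` parameter is added to `ssh::pam` without a header comment, while the line above documents only the `$pam_duo` case. Add something like `# Set $pam_afs to false to leave pam_afs_session out of the PAM stack on hosts without OpenAFS.` so the parameter is documented where the template is rendered, not only in `base::ssh`. The class body continues past the hunk.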
......@@ -9,12 +9,16 @@
# credential), then "jump over" the pam_duo module to step 3. If not,
# go to the next module in the stack (2).
# 2. If the user is _not_ root, require Duo.
<% if @pam_afs %>
# 3. Set up the AFS session and then, whether the AFS sesssion setup works
# or not, quit the pam stack
<% end %>
auth [success=1 default=ignore] pam_succeed_if.so uid eq 0
auth required pam_duo.so conf=/etc/security/pam_duo_ssh.conf
<% if @pam_afs %>
auth [success=done default=die] pam_afs_session.so
<% end %>
##############################################################################
# account
......
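Review bot: With `@pam_afs` false, the `success=1` jump on the `pam_succeed_if` line still skips exactly one module, but root then lands on whatever follows the `<% end %>` — nothing in this hunk — so root's result now comes from the modules earlier in the stack rather than from the `success=done` terminator, and the step-1 comment (`jump over the pam_duo module to step 3`) refers to a step that is not rendered in that configuration. Suggest adding `# (when AFS is disabled, the stack simply continues past this point)` next to the conditional and confirming that the modules above the hunk yield the intended outcome for root without `pam_afs_session`. A `required` failure of pam_duo likewise proceeds down the stack instead of being cut short by `default=die`, which is standard PAM behaviour but worth a note. The typo `sesssion` on the step-3 comment could be fixed while these lines are touched. The auth section begins outside the hunk.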