version release/005.012

91d5cf85 · Adam Lewenberg · a39e6384 · 91d5cf85 · 91d5cf85
Verified Commit 91d5cf85 authored Oct 09, 2018 by Adam Lewenberg
--- a/NEWS
+++ b/NEWS
+release/005.012 (2018-10-09)
+
+    [ssh] Make sure that the pam duo ssh file in /etc/security can only
+    be read by root. [adamhl]
+
 release/005.011 (2018-06-29)

    [postfix] Add the parameter "enable_postfix_compat2" to the

--- a/manifests/duo/config.pp
+++ b/manifests/duo/config.pp
 # Set up a custom Duo configuration. Note that this class does not _enable_ Duo.
-# Instead, this type downloads a common Duo integration, copies it, and then 
+# Instead, this type downloads a common Duo integration, copies it, and then
 # customizes it according to the parameters you specify.
 #
-# Your client code is responsible for leveraging the configuration, such as by 
+# Your client code is responsible for leveraging the configuration, such as by
 # using PAM.
 #
 # See base::sudo and base::ssh for services that leverage this class.
@@ -16,15 +16,15 @@
 # wallet_name: the name for the common Duo wallet object. Defaults to the
 # fully-qualified domain name of the host.
 #
-# use_gecos: A boolean, defaults to false.  When true, Duo will get the 
-# username from the GECOS field (known in Puppet as the comment field) in the 
-# system passwd file.  When false, Duo will use the user's username.  This is 
-# used when a user is logging in with an account where their username does not 
+# use_gecos: A boolean, defaults to false.  When true, Duo will get the
+# username from the GECOS field (known in Puppet as the comment field) in the
+# system passwd file.  When false, Duo will use the user's username.  This is
+# used when a user is logging in with an account where their username does not
 # match their Duo username.
 #
-# fail_secure: A boolean, defaults to false.  When false, a Duo timeout will 
-# cause the Duo authentication to pass, allowing the user to continue logging 
-# in.  When true, a Duo timeout will cause the Duo authentication to fail, 
+# fail_secure: A boolean, defaults to false.  When false, a Duo timeout will
+# cause the Duo authentication to pass, allowing the user to continue logging
+# in.  When true, a Duo timeout will cause the Duo authentication to fail,
 # blocking the user from logging in.

 define base::duo::config (
@@ -72,6 +72,9 @@ define base::duo::config (
      ensure  => present,
      source  => "/etc/security/pam_duo_${wallet_name}.conf",
      replace => false,
+      mode    => '0600',
+      owner   => 'root',
+      group   => 'root',
      require => Base::Duo::Config::Common[$wallet_name],
    }