Verified Commit 91d5cf85 authored by Adam Lewenberg

version release/005.012

parent a39e6384
release/005.012 (2018-10-09)
[ssh] Make sure that the pam duo ssh file in /etc/security can only
be read by root. [adamhl]
release/005.011 (2018-06-29) release/005.011 (2018-06-29)
[postfix] Add the parameter "enable_postfix_compat2" to the [postfix] Add the parameter "enable_postfix_compat2" to the
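Review bot: the new release/005.012 entry calls this the "pam duo ssh file", but the change lands in base::duo::config, whose header comment names both base::sudo and base::ssh as consumers. Suggest tagging the entry [duo] (or mentioning sudo as well) so readers of the changelog can tell that every per-service Duo configuration copy is affected, not only the ssh one.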
......
# Set up a custom Duo configuration. Note that this class does not _enable_ Duo. # Set up a custom Duo configuration. Note that this class does not _enable_ Duo.
# Instead, this type downloads a common Duo integration, copies it, and then # Instead, this type downloads a common Duo integration, copies it, and then
# customizes it according to the parameters you specify. # customizes it according to the parameters you specify.
# #
# Your client code is responsible for leveraging the configuration, such as by # Your client code is responsible for leveraging the configuration, such as by
# using PAM. # using PAM.
# #
# See base::sudo and base::ssh for services that leverage this class. # See base::sudo and base::ssh for services that leverage this class.
...@@ -16,15 +16,15 @@ ...@@ -16,15 +16,15 @@
# wallet_name: the name for the common Duo wallet object. Defaults to the # wallet_name: the name for the common Duo wallet object. Defaults to the
# fully-qualified domain name of the host. # fully-qualified domain name of the host.
# #
# use_gecos: A boolean, defaults to false. When true, Duo will get the # use_gecos: A boolean, defaults to false. When true, Duo will get the
# username from the GECOS field (known in Puppet as the comment field) in the # username from the GECOS field (known in Puppet as the comment field) in the
# system passwd file. When false, Duo will use the user's username. This is # system passwd file. When false, Duo will use the user's username. This is
# used when a user is logging in with an account where their username does not # used when a user is logging in with an account where their username does not
# match their Duo username. # match their Duo username.
# #
# fail_secure: A boolean, defaults to false. When false, a Duo timeout will # fail_secure: A boolean, defaults to false. When false, a Duo timeout will
# cause the Duo authentication to pass, allowing the user to continue logging # cause the Duo authentication to pass, allowing the user to continue logging
# in. When true, a Duo timeout will cause the Duo authentication to fail, # in. When true, a Duo timeout will cause the Duo authentication to fail,
# blocking the user from logging in. # blocking the user from logging in.
define base::duo::config ( define base::duo::config (
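Review bot: both sides of this hunk (the wallet_name, use_gecos and fail_secure parameter docs) read identically, so the change appears to be whitespace-only. Suggest splitting that cleanup into its own commit so the permissions fix is the only functional change under review. Since the file is being touched anyway, it would also help to state in the fail_secure paragraph that the default of false is fail-open, because the text already says a Duo timeout then lets the login continue.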
...@@ -72,6 +72,9 @@ define base::duo::config ( ...@@ -72,6 +72,9 @@ define base::duo::config (
ensure => present, ensure => present,
source => "/etc/security/pam_duo_${wallet_name}.conf", source => "/etc/security/pam_duo_${wallet_name}.conf",
replace => false, replace => false,
mode => '0600',
owner => 'root',
group => 'root',
require => Base::Duo::Config::Common[$wallet_name], require => Base::Duo::Config::Common[$wallet_name],
} }
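Review bot: the added mode => '0600', owner => 'root', group => 'root' restrict only the copy this resource creates; its content comes from source => "/etc/security/pam_duo_${wallet_name}.conf", which is managed by the required Base::Duo::Config::Common[$wallet_name] and is not touched here. Please confirm that the common file is also root-owned with mode 0600, otherwise the same Duo settings stay readable through the original. The define's header comment should also gain a line saying the generated file is root-only, so callers do not assume a non-root service can read it.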
......