Set up base::ssh for duo

manifests/ssh.pp

@@ -3,10 +3,27 @@
 # system, we lock connections down to campus with iptables by default, and we
 # have a few subclasses that allow things like host keys.
 
-class base::ssh {
+# If you want to require Duo on login, set pam_duo to true. This flag will
+# load the appropriate Duo code (via base::duo) and change the sshd_config
+# file so that Duo is required for non-root logins. If you want Duo for
+# sudo, see the base::sudo class.
+# Default: false
+
+class base::ssh(
+  $pam_duo = false
+){
   package { 'openssh-server': ensure => present }
 
-  # Our default ssh rules allow connectiosn from all of campus.  This is
+  if ($pam_duo) {
+    include base::duo
+  }
+
+  # Setup /etc/pam.d/sshd to require Duo on regular logins.
+  class { 'ssh::pam':
+    pam_duo => $pam_duo,
+  }
+
+  # Our default ssh rules allow connections from all of campus.  This is
   # mostly for legacy reasons, since it historically had always done this and
   # we weren't sure what would break.
   #
@@ -29,24 +46,21 @@ class base::ssh {
 
   # Ensure the daemon is running.
   service { 'ssh':
+    ensure  => running,
     name    => $::osfamily ? {
-      Debian               => 'ssh',
-      RedHat               => 'sshd',
+      Debian  => 'ssh',
+      RedHat  => 'sshd',
     },
-    ensure  => running,
     require => Package['openssh-server'],
   }
 
-  # Install our configuration files.
-  base::ssh::config::sshd { '/etc/ssh/sshd_config': ensure => present }
+  # Install ssh (client) configuration file.
   base::ssh::config::ssh  { '/etc/ssh/ssh_config':  ensure => present }
 
-  # Configure PAM for sshd on RHEL 6.
-  if ($::lsbdistcodename == 'santiago') {
-    file { '/etc/pam.d/sshd':
-      ensure => link,
-      target => '/etc/pam.d/system-auth',
-    }
+  # Install sshd (server) configuration file.
+  base::ssh::config::sshd { '/etc/ssh/sshd_config':
+    ensure  => present,
+    pam_duo => $pam_duo,
   }
 
   # Make sure public key authentication to root does not work and clean up

manifests/ssh/config/sshd.pp

@@ -17,6 +17,9 @@
 # If you want to allow root to log in with a password, set
 # rootloginwithpswd 'yes'. Otherwise, root logins with a password
 # are not allowed.
+#
+# If you want to require Duo on login, set pam_duo to true (defaults to
+# false).
 
 define base::ssh::config::sshd(
   $ensure            = 'present',
@@ -28,6 +31,7 @@ define base::ssh::config::sshd(
   $max_tries         = 5,
   $listen_addresses  = 'all',
   $rootloginwithpswd = 'no',
+  $pam_duo           = false,
 ) {
   if $source {
     $template = undef

manifests/ssh/pam.pp

+# Install /etc/pam.d/sshd.
+
+# If $pam_duo is set to true, use a pam stack that requires Duo for
+# regular logins.
+#
+# Currently, only Debian is supported when $pam_duo is true.
+
+class ssh::pam (
+  $pam_duo = false
+){
+
+  # Configure PAM for sshd on RHEL 6.
+  if ($::lsbdistcodename == 'santiago') {
+    file { '/etc/pam.d/sshd':
+      ensure => link,
+      target => '/etc/pam.d/system-auth',
+    }
+  } elsif ($pam_duo) {
+    if ($::osfamily =~ /Debian/) {
+      file {'/etc/pam.d/sshd':
+        ensure => present,
+        source => template('base/ssh/etc/pam.d/sshd.erb'),
+      }
+    } else {
+      fail("cannot call ssh::pam with pam_duo true under OS '$::osfamily'")
+    }
+  }
+}

manifests/sudo.pp

@@ -5,6 +5,9 @@
 # $duo_sudoers: A list of users that are allowed to call sudo.
 # Defaults to the empty array.
 #
+# $timeout: how long (in minutes) between requiring a new Duo re-auth.
+# Default: 30
+#
 # Example.
 # To install sudo with no Duo support:
 #
@@ -14,13 +17,24 @@
 # To install sudo WITH Duo support
 #
 #   class { 'base::sudo':
-#     duo => true,
-#     duo_sudoers => ['adamhl', 'yuelu']
+#     duo         => true,
+#     duo_sudoers => ['adamhl', 'yuelu'],
+#   }
+#
+# Example.
+# To install sudo WITH Duo support and require Duo auths
+# after 4 minutes.
+#
+#   class { 'base::sudo':
+#     duo         => true,
+#     duo_sudoers => ['adamhl', 'yuelu'],
+#     timeout     => 4,
 #   }
 
 class base::sudo(
   $duo         = false,
   $duo_sudoers = [],
+  $timeout     = 30,
 ){
   package { 'sudo':
     ensure => installed

templates/ssh/etc/pam.d/sshd.erb

+# Configuration requiring duo authentication for normal logins and
+# allowing root logins without duo authentication.
+
+##############################################################################
+# auth
+##############################################################################
+
+# 1. If the user is already logged in as root (presumably by using a root
+#    credential), then "jump over" the pam_duo module to step 3. If not,
+#    go to the next module in the stack (2).
+# 2. If the user is _not_ root, require Duo.
+# 3. Set up the AFS session and then, whether the AFS sesssion setup works
+#    or not, quit the pam stack
+
+auth    [success=1 default=ignore]  pam_succeed_if.so uid eq 0
+auth    required                    pam_duo.so conf=/etc/security/pam_duo_su.conf
+auth    [success=done default=die]  pam_afs_session.so
+
+##############################################################################
+# account
+##############################################################################
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+##############################################################################
+# session
+##############################################################################
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
+##############################################################################
+# Password
+##############################################################################
+
+@include common-password

templates/ssh/sshd_config.erb

@@ -66,6 +66,12 @@ GSSAPIStoreCredentialsOnRekey yes
 GSSAPIStoreCredentialsOnRekey yes
 <% end -%>
 
+<% if (@pam_duo) then -%>
+# Require both (GSS-API|PASSWORD) and PAM.
+AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam password,keyboard-interactive:pam
+KerberosAuthentication yes
+<% end -%>
+
 <%- if (@rootloginwithpswd == 'yes') -%>
 # Allow root login with a password (use with care!)
 PermitRootLogin yes

templates/sudo/etc/sudoers.d/duo.erb

+Defaults timestamp_timeout=<%= @timeout %>
 <%
   @duo_sudoers.each do |sudoer|
 -%>