Lonlone Lee / base / Commits
Commit b3ff52f5 authored Nov 05, 2015 by Adam Lewenberg
Set up base::ssh for duo
parent 4d0a1f20
Showing 7 changed files with 161 additions and 15 deletions
manifests/ssh.pp (+27, -13)
manifests/ssh/config/sshd.pp (+4, -0)
manifests/ssh/pam.pp (+28, -0)
manifests/sudo.pp (+16, -2)
templates/ssh/etc/pam.d/sshd.erb (+79, -0)
templates/ssh/sshd_config.erb (+6, -0)
templates/sudo/etc/sudoers.d/duo.erb (+1, -0)
manifests/ssh.pp
...
...
@@ -3,10 +3,27 @@
# system, we lock connections down to campus with iptables by default, and we
# have a few subclasses that allow things like host keys.
class
base::ssh
{
# If you want to require Duo on login, set pam_duo to true. This flag will
# load the appropriate Duo code (via base::duo) and change the sshd_config
# file so that Duo is required for non-root logins. If you want Duo for
# sudo, see the base::sudo class.
# Default: false
class
base::ssh
(
$pam_duo
=
false
){
package
{
'openssh-server'
:
ensure
=>
present
}
# Our default ssh rules allow connectiosn from all of campus. This is
if
(
$pam_duo
)
{
include
base::duo
}
# Setup /etc/pam.d/sshd to require Duo on regular logins.
class
{
'ssh::pam'
:
pam_duo
=>
$pam_duo
,
}
# Our default ssh rules allow connections from all of campus. This is
# mostly for legacy reasons, since it historically had always done this and
# we weren't sure what would break.
#
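Review bot: the `class { 'ssh::pam': pam_duo => $pam_duo }` declaration at the end of this hunk names a class the autoloader will not find in this module: the class is added as `manifests/ssh/pam.pp` inside `base`, so it has to be declared (and defined) as `base::ssh::pam`, the same convention the `include base::duo` a few lines above already follows. As written, catalog compilation stops with an unknown class unless a separate `ssh` module happens to provide it.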
...
...
@@ -29,24 +46,21 @@ class base::ssh {
# Ensure the daemon is running.
service
{
'ssh'
:
ensure
=>
running
,
name
=>
$::osfamily
?
{
Debian
=>
'ssh'
,
RedHat
=>
'sshd'
,
Debian
=>
'ssh'
,
RedHat
=>
'sshd'
,
},
ensure
=>
running
,
require
=>
Package
[
'openssh-server'
],
}
# Install our configuration files.
base::ssh::config::sshd
{
'/etc/ssh/sshd_config'
:
ensure
=>
present
}
# Install ssh (client) configuration file.
base::ssh::config::ssh
{
'/etc/ssh/ssh_config'
:
ensure
=>
present
}
# Configure PAM for sshd on RHEL 6.
if
(
$::lsbdistcodename
==
'santiago'
)
{
file
{
'/etc/pam.d/sshd'
:
ensure
=>
link
,
target
=>
'/etc/pam.d/system-auth'
,
}
# Install sshd (server) configuration file.
base::ssh::config::sshd
{
'/etc/ssh/sshd_config'
:
ensure
=>
present
,
pam_duo
=>
$pam_duo
,
}
# Make sure public key authentication to root does not work and clean up
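Review bot: nothing in this hunk orders or subscribes `Service['ssh']` to the `base::ssh::config::sshd` resource, so when `pam_duo` adds the `AuthenticationMethods` line to sshd_config the running daemon keeps its old authentication policy until something else restarts it; unless the define already notifies the service internally, add `notify => Service['ssh']` on the config resource (or a `subscribe` on the service) so the policy change lands in the same run. Also worth confirming that the RHEL 6 `/etc/pam.d/sshd` link block is really removed from this class rather than re-indented, because the new `ssh::pam` class declares the same `File['/etc/pam.d/sshd']` and a second declaration is a duplicate-resource error on `santiago` hosts.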
...
...
manifests/ssh/config/sshd.pp
...
...
@@ -17,6 +17,9 @@
# If you want to allow root to log in with a password, set
# rootloginwithpswd 'yes'. Otherwise, root logins with a password
# are not allowed.
#
# If you want to require Duo on login, set pam_duo to true (defaults to
# false).
define
base::ssh::config::sshd
(
$ensure
=
'present'
,
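Review bot: the new doc comment for `pam_duo` should say what it changes in the rendered file (an `AuthenticationMethods` line that requires `keyboard-interactive:pam` on top of GSSAPI or a password) and that the matching PAM stack is installed separately from `base::ssh`, so a reader of this define alone knows the two must be deployed together; setting only this flag without the PAM side locks users out rather than adding a factor.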
...
...
@@ -28,6 +31,7 @@ define base::ssh::config::sshd(
$max_tries
=
5
,
$listen_addresses
=
'all'
,
$rootloginwithpswd
=
'no'
,
$pam_duo
=
false
,
)
{
if
$source
{
$template
=
undef
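Review bot: `$pam_duo = false` is handed straight to the template's `if (@pam_duo)` test without validation; in ERB a string such as `'false'` (easy to get from Hiera or an ENC) is truthy, so Duo would be switched on silently. Add `validate_bool($pam_duo)` (stdlib) at the top of the define body before it is used.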
...
...
manifests/ssh/pam.pp
0 → 100644
# Install /etc/pam.d/sshd.
# If $pam_duo is set to true, use a pam stack that requires Duo for
# regular logins.
#
# Currently, only Debian is supported when $pam_duo is true.
class
ssh::pam
(
$pam_duo
=
false
){
# Configure PAM for sshd on RHEL 6.
if
(
$::lsbdistcodename
==
'santiago'
)
{
file
{
'/etc/pam.d/sshd'
:
ensure
=>
link
,
target
=>
'/etc/pam.d/system-auth'
,
}
}
elsif
(
$pam_duo
)
{
if
(
$::osfamily
=~
/Debian/
)
{
file
{
'/etc/pam.d/sshd'
:
ensure
=>
present
,
source
=>
template
(
'base/ssh/etc/pam.d/sshd.erb'
),
}
}
else
{
fail
(
"cannot call ssh::pam with pam_duo true under OS '
$::osfamily
'"
)
}
}
}
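Review bot: `source => template('base/ssh/etc/pam.d/sshd.erb')` in the Debian branch is the wrong attribute: `template()` returns the rendered text, which belongs in `content`; `source` expects a `puppet:///` URI or a local path, so this `file` resource fails at apply time on every Debian host with `pam_duo => true`. Two more points on the same resource: it should `require` whatever installs `pam_duo.so` (declared via `base::duo`), because a stack containing `auth required pam_duo.so` that lands before the module exists makes every non-root ssh login fail; and a PAM configuration file should pin `owner`, `group` and `mode` (`0644`). Finally, the class name `ssh::pam` does not match its path `manifests/ssh/pam.pp` inside the `base` module; it should be `base::ssh::pam`.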
manifests/sudo.pp
...
...
@@ -5,6 +5,9 @@
# $duo_sudoers: A list of users that are allowed to call sudo.
# Defaults to the empty array.
#
# $timeout: how long (in minutes) between requiring a new Duo re-auth.
# Default: 30
#
# Example.
# To install sudo with no Duo support:
#
...
...
@@ -14,13 +17,24 @@
# To install sudo WITH Duo support
#
# class { 'base::sudo':
# duo => true,
# duo_sudoers => ['adamhl', 'yuelu']
# duo => true,
# duo_sudoers => ['adamhl', 'yuelu'],
# }
#
# Example.
# To install sudo WITH Duo support and require Duo auths
# after 4 minutes.
#
# class { 'base::sudo':
# duo => true,
# duo_sudoers => ['adamhl', 'yuelu'],
# timeout => 4,
# }
class
base::sudo
(
$duo
=
false
,
$duo_sudoers
=
[],
$timeout
=
30
,
){
package
{
'sudo'
:
ensure
=>
installed
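Review bot: `$timeout = 30` is interpolated verbatim into `Defaults timestamp_timeout=` in the sudoers.d template; sudo refuses to parse a sudoers file with a malformed value, and a bad `sudoers.d` fragment disables sudo for everyone on the host. Validate it here with `validate_integer($timeout)` (stdlib), and give the file resource that installs `/etc/sudoers.d/duo` a `validate_cmd => '/usr/sbin/visudo -c -f %'` so a bad render never replaces a working file.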
...
...
templates/ssh/etc/pam.d/sshd.erb
0 → 100644
# Configuration requiring duo authentication for normal logins and
# allowing root logins without duo authentication.
##############################################################################
# auth
##############################################################################
# 1. If the user is already logged in as root (presumably by using a root
# credential), then "jump over" the pam_duo module to step 3. If not,
# go to the next module in the stack (2).
# 2. If the user is _not_ root, require Duo.
# 3. Set up the AFS session and then, whether the AFS sesssion setup works
# or not, quit the pam stack
auth [success=1 default=ignore] pam_succeed_if.so uid eq 0
auth required pam_duo.so conf=/etc/security/pam_duo_su.conf
auth [success=done default=die] pam_afs_session.so
##############################################################################
# account
##############################################################################
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
##############################################################################
# session
##############################################################################
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
##############################################################################
# Password
##############################################################################
@include common-password
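Review bot: the `auth` section never includes `common-auth` (or `pam_unix.so`), so no module in this stack verifies a Unix password: root takes the `success=1` jump from `pam_succeed_if.so` straight to `pam_afs_session.so`, whose `success=done` ends the stack with success, and non-root users are checked only by `pam_duo.so`. That matches the header comment's assumption that the first factor is supplied by sshd itself (a key or a GSSAPI ticket), but with `UsePAM yes` sshd also routes the `password` method through this same stack, so the file should either `@include common-auth` ahead of the Duo line or state explicitly that it must only be installed where `PermitRootLogin` (`rootloginwithpswd`) does not allow password logins. Minor: `sesssion` in the step 3 comment, and the `# [1]` markers on the `pam_mail` and `pam_env` lines refer to a footnote that is not in the file.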
templates/ssh/sshd_config.erb
...
...
@@ -66,6 +66,12 @@ GSSAPIStoreCredentialsOnRekey yes
GSSAPIStoreCredentialsOnRekey yes
<%
end
-%>
<%
if
(
@pam_duo
)
then
-%>
# Require both (GSS-API|PASSWORD) and PAM.
AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam password,keyboard-interactive:pam
KerberosAuthentication yes
<%
end
-%>
<%-
if
(
@rootloginwithpswd
==
'yes'
)
-%>
# Allow root login with a password (use with care!)
PermitRootLogin yes
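Review bot: the new `AuthenticationMethods ... keyboard-interactive:pam` line only works if sshd also has `UsePAM yes` and `ChallengeResponseAuthentication yes`; with Debian's default `ChallengeResponseAuthentication no` the `keyboard-interactive:pam` method is unavailable, every method list fails, and nobody can log in. Neither directive is visible in this hunk, so either set both inside the same `<% if (@pam_duo) %>` block or note in the define's documentation that the rest of the template guarantees them. Separately, `KerberosAuthentication yes` is unrelated to Duo, and enabling it only when `pam_duo` is set looks accidental; if it is needed it deserves a comment explaining why, or its own parameter.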
...
...
templates/sudo/etc/sudoers.d/duo.erb
Defaults timestamp_timeout=
<%=
@timeout
%>
<%
@duo_sudoers
.
each
do
|
sudoer
|
-%>
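Review bot: `Defaults timestamp_timeout=<%= @timeout %>` is a global `Defaults`, so it changes the sudo credential cache for every user on the host, not only the `@duo_sudoers` iterated below it; if the intent is a Duo-specific re-auth window, scope it per user (`Defaults:<%= sudoer %> timestamp_timeout=<%= @timeout %>` inside the loop), otherwise say in `base::sudo`'s documentation that the setting is host-wide.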
...
...