support special case where root login uses public key

e59e41a2 · Adam Lewenberg · 3c64c3bb · e59e41a2 · e59e41a2 · e59e41a2
Verified Commit e59e41a2 authored Oct 27, 2017 by Adam Lewenberg
--- a/NEWS
+++ b/NEWS
 unreleased (207x-xx-xx)

-
+    [ssh] Change interface parameter. The parameter
+    base::ssh::extra_gssapi_only_users has been renamed to
+    base::ssh::extra_skip_duo_users to more accurately reflect what this
+    parameter does. [adamhl]

 release/005.010 (2017-10-02)


--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -3,9 +3,9 @@
 # system, we lock connections down to campus with iptables by default, and we
 # have a few subclasses that allow things like host keys.

-# If you are using AFS, then you can have pam_afs_session placed into the
-# PAM authentication chain.  You should disable this on systems that aren't
-# using OpenAFS.
+# $pam_afs: If you are using AFS, then you can have pam_afs_session placed
+# into the PAM authentication chain.  You should disable this on systems
+# that aren't using OpenAFS.
 # Default: true

 # If you want to require Duo on login, set pam_duo to true. This flag will
@@ -49,7 +49,7 @@
 #
 # Default: undef

-# $extra_gssapi_only_users: See documentation in base::ssh::config::sshd.
+# $extra_skip_duo_users: See documentation in base::ssh::config::sshd.
 # Default: []

 class base::ssh(
@@ -71,7 +71,7 @@ class base::ssh(
  $pubkey                  = false,
  $root_authorized_keys    = undef,
  $filter_sunetids         = [],
-  $extra_gssapi_only_users = [],
+  $extra_skip_duo_users    = [],
 ){

  # Install the openssh server package.
@@ -131,15 +131,6 @@ class base::ssh(
    notify => Service['ssh'],
  }

-  # Install sshd (server) configuration file.
-  base::ssh::config::sshd { '/etc/ssh/sshd_config':
-    ensure                  => present,
-    pam_duo                 => $pam_duo,
-    pubkey                  => $pubkey,
-    extra_gssapi_only_users => $extra_gssapi_only_users,
-    notify                  => Service['ssh'],
-  }
-
  if ($root_authorized_keys) {
    file { '/root/.ssh/authorized_keys':
      ensure  => present,
@@ -156,6 +147,26 @@ class base::ssh(
    }
  }

+  # If we have $root_authorized_keys defined, then this means we want to
+  # allow logins to the root account with an ssh key-pair. So, set
+  # $rootlogin_with_keypair appropriately and use it in the
+  # base::ssh::config::sshd define below.
+  if ($root_authorized_keys) {
+    $rootlogin_with_keypair = true
+  } else {
+    $rootlogin_with_keypair = false
+  }
+
+  # Install sshd (server) configuration file.
+  base::ssh::config::sshd { '/etc/ssh/sshd_config':
+    ensure                 => present,
+    pam_duo                => $pam_duo,
+    pubkey                 => $pubkey,
+    rootlogin_with_keypair => $rootlogin_with_keypair,
+    extra_skip_duo_users   => $extra_skip_duo_users,
+    notify                 => Service['ssh'],
+  }
+
  # Ignore routine ssh messages.
  file { '/etc/filter-syslog/ssh':
    content => template('base/ssh/etc/filter-syslog/ssh.erb'),

--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -31,12 +31,17 @@
 # connections per network connection, set it here. This is particularly
 # useful for bastion hosts.
 # Default: undef
-
-# $extra_gssapi_only_users: Due to problems with Duo, we skip Duo for users
+#
+# $rootlogin_with_keypair: Allow the us of a public/private key-pair when
+# logging in as "root".
+# Default: false
+#
+# $extra_skip_duo_users: Due to problems with Duo, we skip Duo for users
 # matching these strings: root,root.*,*.root,admin.*,*.admin. These users
-# can ONLY use GSSAPI (no passwords). If you want to skip accounts IN
-# ADDITION to this list, set this parameter to an array of such
-# accounts. For example, if you want to skip Duo authentication for
+# can ONLY use GSSAPI (no passwords) or, if $rootlogin_with_keypair is set
+# to true, with a public/private key-pair. If you want to skip Duo for
+# accounts IN ADDITION to this list, set this parameter to an array of
+# such accounts. For example, if you want to skip Duo authentication for
 #
 #         root
 #         root.*
@@ -45,7 +50,7 @@
 #         *.admin
 #         wallet
 #
-# you would set $extra_gssapi_only_users to ['wallet']
+# you would set $extra_skip_duo_users to ['wallet']
 # Default: []

 define base::ssh::config::sshd(
@@ -61,9 +66,10 @@ define base::ssh::config::sshd(
  $listen_addresses  = 'all',
  $listen_ports      = '22',
  $rootloginwithpswd = 'no',
+  $rootlogin_with_keypair = false,
  $pam_duo           = false,
  $max_sessions      = 'NOT DEFINED',
-  $extra_gssapi_only_users = [],
+  $extra_skip_duo_users = [],
 ) {
  if ($source) {
    $template = undef

--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -135,11 +135,18 @@ MaxSessions <%= @max_sessions %>
 # Because we are enabling Duo but root logins cannot use Duo (yet),
 # we have to configure the authentications for root separately.
 <%-
-  gssapi_only      = ['root', 'root.*', '*.root', 'admin.*', '*.admin']
-  gssapi_only      = gssapi_only + @extra_gssapi_only_users
-  gssapi_only_list = gssapi_only.join(',')
+  skip_duo_base = ['root', 'root.*', '*.root', 'admin.*', '*.admin']
+  skip_duo_all  = skip_duo_base + @extra_skip_duo_users
+  skip_duo_list = skip_duo_all.join(',')
+
+  # Do we allow users in skip_duo_list to use public/private key-pair?
+  if (@rootlogin_with_keypair) then
+    allow_publickey = ' publickey'
+  else
+    allow_publickey = ''
+  end
 -%>
-Match User <%= gssapi_only_list %>
-  AuthenticationMethods gssapi-with-mic
+Match User <%= skip_duo_list %>
+  AuthenticationMethods gssapi-with-mic<%= allow_publickey %>
  MaxSessions 3
 <% end -%>