support special case where root login uses public key

parent 3c64c3bb
unreleased (207x-xx-xx)
[ssh] Change interface parameter. The parameter
base::ssh::extra_gssapi_only_users has been renamed to
base::ssh::extra_skip_duo_users to more accurately reflect what this
parameter does. [adamhl]
release/005.010 (2017-10-02)
......@@ -3,9 +3,9 @@
# system, we lock connections down to campus with iptables by default, and we
# have a few subclasses that allow things like host keys.
# If you are using AFS, then you can have pam_afs_session placed into the
# PAM authentication chain. You should disable this on systems that aren't
# using OpenAFS.
# $pam_afs: If you are using AFS, then you can have pam_afs_session placed
# into the PAM authentication chain. You should disable this on systems
# that aren't using OpenAFS.
# Default: true
# If you want to require Duo on login, set pam_duo to true. This flag will
......@@ -49,7 +49,7 @@
#
# Default: undef
# $extra_gssapi_only_users: See documentation in base::ssh::config::sshd.
# $extra_skip_duo_users: See documentation in base::ssh::config::sshd.
# Default: []
class base::ssh(
......@@ -71,7 +71,7 @@ class base::ssh(
$pubkey = false,
$root_authorized_keys = undef,
$filter_sunetids = [],
$extra_gssapi_only_users = [],
$extra_skip_duo_users = [],
){
# Install the openssh server package.
......@@ -131,15 +131,6 @@ class base::ssh(
notify => Service['ssh'],
}
# Install sshd (server) configuration file.
base::ssh::config::sshd { '/etc/ssh/sshd_config':
ensure => present,
pam_duo => $pam_duo,
pubkey => $pubkey,
extra_gssapi_only_users => $extra_gssapi_only_users,
notify => Service['ssh'],
}
if ($root_authorized_keys) {
file { '/root/.ssh/authorized_keys':
ensure => present,
......@@ -156,6 +147,26 @@ class base::ssh(
}
}
# If we have $root_authorized_keys defined, then this means we want to
# allow logins to the root account with an ssh key-pair. So, set
# $rootlogin_with_keypair appropriately and use it in the
# base::ssh::config::sshd define below.
if ($root_authorized_keys) {
$rootlogin_with_keypair = true
} else {
$rootlogin_with_keypair = false
}
# Install sshd (server) configuration file.
base::ssh::config::sshd { '/etc/ssh/sshd_config':
ensure => present,
pam_duo => $pam_duo,
pubkey => $pubkey,
rootlogin_with_keypair => $rootlogin_with_keypair,
extra_skip_duo_users => $extra_skip_duo_users,
notify => Service['ssh'],
}
# Ignore routine ssh messages.
file { '/etc/filter-syslog/ssh':
content => template('base/ssh/etc/filter-syslog/ssh.erb'),
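Review bot: The five-line `if ($root_authorized_keys) { … } else { … }` that derives `$rootlogin_with_keypair` repeats the truth test already made for the `/root/.ssh/authorized_keys` resource above it, and can be collapsed to a single selector: `$rootlogin_with_keypair = $root_authorized_keys ? { undef => false, default => true }`. Both tests key purely on the truthiness of `$root_authorized_keys`, which is what now switches key-based root login on in the generated sshd_config, so a stray empty-string or non-string value from Hiera flips a security setting; an empty string is falsy in Puppet 3.x but truthy in 4+, and I cannot see which version this targets, so an explicit `$root_authorized_keys != undef and $root_authorized_keys != ''` test would be safer if both are in use. The class `base::ssh` begins before and continues after this hunk.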
......@@ -31,12 +31,17 @@
# connections per network connection, set it here. This is particularly
# useful for bastion hosts.
# Default: undef
# $extra_gssapi_only_users: Due to problems with Duo, we skip Duo for users
#
# $rootlogin_with_keypair: Allow the us of a public/private key-pair when
# logging in as "root".
# Default: false
#
# $extra_skip_duo_users: Due to problems with Duo, we skip Duo for users
# matching these strings: root,root.*,*.root,admin.*,*.admin. These users
# can ONLY use GSSAPI (no passwords). If you want to skip accounts IN
# ADDITION to this list, set this parameter to an array of such
# accounts. For example, if you want to skip Duo authentication for
# can ONLY use GSSAPI (no passwords) or, if $rootlogin_with_keypair is set
# to true, with a public/private key-pair. If you want to skip Duo for
# accounts IN ADDITION to this list, set this parameter to an array of
# such accounts. For example, if you want to skip Duo authentication for
#
# root
# root.*
......@@ -45,7 +50,7 @@
# *.admin
# wallet
#
# you would set $extra_gssapi_only_users to ['wallet']
# you would set $extra_skip_duo_users to ['wallet']
# Default: []
define base::ssh::config::sshd(
......@@ -61,9 +66,10 @@ define base::ssh::config::sshd(
$listen_addresses = 'all',
$listen_ports = '22',
$rootloginwithpswd = 'no',
$rootlogin_with_keypair = false,
$pam_duo = false,
$max_sessions = 'NOT DEFINED',
$extra_gssapi_only_users = [],
$extra_skip_duo_users = [],
) {
if ($source) {
$template = undef
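Review bot: The documentation for `$rootlogin_with_keypair` says it allows a key-pair "when logging in as root", but the template consumes the flag on the `Match User <%= skip_duo_list %>` line, which covers `root.*`, `*.root`, `admin.*`, `*.admin` and everything in `$extra_skip_duo_users`, so the comment understates what the operator is switching on. I would reword it to `# $rootlogin_with_keypair: Also accept public-key authentication (single factor, no Duo) for every account matched by the skip-Duo list, not only "root"; enable only on hosts that need key-based root access.` and fix the typo `Allow the us of` to `Allow the use of`. The define `base::ssh::config::sshd` continues past this hunk, so I cannot see whether the value is validated; if puppetlabs-stdlib is available, a `validate_bool($rootlogin_with_keypair)` would stop a string such as `'false'` being treated as truthy by the template.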
......@@ -135,11 +135,18 @@ MaxSessions <%= @max_sessions %>
# Because we are enabling Duo but root logins cannot use Duo (yet),
# we have to configure the authentications for root separately.
<%-
gssapi_only = ['root', 'root.*', '*.root', 'admin.*', '*.admin']
gssapi_only = gssapi_only + @extra_gssapi_only_users
gssapi_only_list = gssapi_only.join(',')
skip_duo_base = ['root', 'root.*', '*.root', 'admin.*', '*.admin']
skip_duo_all = skip_duo_base + @extra_skip_duo_users
skip_duo_list = skip_duo_all.join(',')
# Do we allow users in skip_duo_list to use public/private key-pair?
if (@rootlogin_with_keypair) then
allow_publickey = ' publickey'
else
allow_publickey = ''
end
-%>
Match User <%= gssapi_only_list %>
AuthenticationMethods gssapi-with-mic
Match User <%= skip_duo_list %>
AuthenticationMethods gssapi-with-mic<%= allow_publickey %>
MaxSessions 3
<% end -%>
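Review bot: The `publickey` method appended on the `Match User <%= skip_duo_list %>` line applies to every account in the skip-Duo list — `root.*`, `*.root`, `admin.*`, `*.admin` and anything in `@extra_skip_duo_users` — not only `root`, so setting `$root_authorized_keys` silently enables single-factor key login for all of those Duo-exempt accounts, although the parameter name and the commit title describe a root-only special case. Restrict it with a dedicated `Match User root` block placed before the broad one; per sshd_config(5) the first Match block that sets a keyword wins, so the narrow block must come first. The `<% if … %>` that the final `<% end -%>` closes starts outside this hunk. It is also worth confirming, which this hunk does not show, that the generated `PermitRootLogin` value permits key authentication when `@rootlogin_with_keypair` is set, since `no` would make the added method unusable.
```erb
<%# … unchanged: skip_duo_list construction … %>
<%- if @rootlogin_with_keypair -%>
# Only the literal root account gets the key-pair option; sshd uses the first
# Match block that sets a keyword, so this must precede the wider block below.
Match User root
    AuthenticationMethods gssapi-with-mic publickey
    MaxSessions 3
<%- end -%>
Match User <%= skip_duo_list %>
    AuthenticationMethods gssapi-with-mic
    MaxSessions 3
```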