Lonlone Lee / base / Commits / e59e41a2 (Verified)
Commit e59e41a2 authored Oct 27, 2017 by Adam Lewenberg
support special case where root login uses public key
parent 3c64c3bb
Showing 4 changed files with 54 additions and 27 deletions (+54 -27)
NEWS (+4 -1)
manifests/ssh.pp (+25 -14)
manifests/ssh/config/sshd.pp (+13 -7)
templates/ssh/sshd_config.erb (+12 -5)
NEWS (View file @ e59e41a2)
unreleased
(
207
x
-
xx
-
xx
)
[
ssh
]
Change
interface
parameter
.
The
parameter
base
::
ssh
::
extra_gssapi_only_users
has
been
renamed
to
base
::
ssh
::
extra_skip_duo_users
to
more
accurately
reflect
what
this
parameter
does
.
[
adamhl
]
release
/
005.010
(
2017
-
10
-
02
)
...
...
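Review bot: the new unreleased header reads "207x-xx-xx" while the release line below uses the full-year form (2017-10-02); "2017-xx-xx" looks intended. The entry also records only the rename of base::ssh::extra_gssapi_only_users to base::ssh::extra_skip_duo_users, but the commit's headline change, the new rootlogin_with_keypair behaviour that adds the publickey method for the skip-Duo users whenever $root_authorized_keys is set, has no NEWS line; it changes which credentials those accounts can log in with, so it deserves one.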
manifests/ssh.pp (View file @ e59e41a2)
...
...
@@ -3,9 +3,9 @@
# system, we lock connections down to campus with iptables by default, and we
# have a few subclasses that allow things like host keys.
#
If you are using AFS, then you can have pam_afs_session placed into the
#
PAM authentication chain. You should disable this on systems that aren't
# using OpenAFS.
#
$pam_afs: If you are using AFS, then you can have pam_afs_session placed
#
into the PAM authentication chain. You should disable this on systems
#
that aren't
using OpenAFS.
# Default: true
# If you want to require Duo on login, set pam_duo to true. This flag will
...
...
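Review bot: the pam_afs comment rewrite in this hunk is unrelated to the root public-key change described in the commit message; splitting the doc cleanup into its own commit would keep the security-relevant diff reviewable on its own.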
@@ -49,7 +49,7 @@
#
# Default: undef
# $extra_
gssapi_only
_users: See documentation in base::ssh::config::sshd.
# $extra_
skip_duo
_users: See documentation in base::ssh::config::sshd.
# Default: []
class
base::ssh
(
...
...
@@ -71,7 +71,7 @@ class base::ssh(
$pubkey
=
false
,
$root_authorized_keys
=
undef
,
$filter_sunetids
=
[],
$extra_
gssapi_only_users
=
[],
$extra_
skip_duo_users
=
[],
){
# Install the openssh server package.
...
...
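Review bot: renaming the public class parameter $extra_gssapi_only_users to $extra_skip_duo_users with no transitional alias silently breaks any existing node data that sets base::ssh::extra_gssapi_only_users (the value would simply stop being applied, and those accounts would fall back to the default behaviour). Consider keeping the old parameter for one release, mapping it onto $extra_skip_duo_users with a deprecation warning, or failing loudly when it is set.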
@@ -131,15 +131,6 @@ class base::ssh(
notify
=>
Service
[
'ssh'
],
}
# Install sshd (server) configuration file.
base::ssh::config::sshd
{
'/etc/ssh/sshd_config'
:
ensure
=>
present
,
pam_duo
=>
$pam_duo
,
pubkey
=>
$pubkey
,
extra_gssapi_only_users
=>
$extra_gssapi_only_users
,
notify
=>
Service
[
'ssh'
],
}
if
(
$root_authorized_keys
)
{
file
{
'/root/.ssh/authorized_keys'
:
ensure
=>
present
,
...
...
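Review bot: this hunk deletes the base::ssh::config::sshd resource only for it to be re-added further down with one extra parameter, which makes the diff noisy and hides the actual change; the same result is obtained by computing $rootlogin_with_keypair above the existing resource and adding the single `rootlogin_with_keypair => $rootlogin_with_keypair,` line in place.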
@@ -156,6 +147,26 @@ class base::ssh(
}
}
# If we have $root_authorized_keys defined, then this means we want to
# allow logins to the root account with an ssh key-pair. So, set
# $rootlogin_with_keypair appropriately and use it in the
# base::ssh::config::sshd define below.
if
(
$root_authorized_keys
)
{
$rootlogin_with_keypair
=
true
}
else
{
$rootlogin_with_keypair
=
false
}
# Install sshd (server) configuration file.
base::ssh::config::sshd
{
'/etc/ssh/sshd_config'
:
ensure
=>
present
,
pam_duo
=>
$pam_duo
,
pubkey
=>
$pubkey
,
rootlogin_with_keypair
=>
$rootlogin_with_keypair
,
extra_skip_duo_users
=>
$extra_skip_duo_users
,
notify
=>
Service
[
'ssh'
],
}
# Ignore routine ssh messages.
file
{
'/etc/filter-syslog/ssh'
:
content
=>
template
(
'base/ssh/etc/filter-syslog/ssh.erb'
),
...
...
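Review bot: $rootlogin_with_keypair is derived solely from $root_authorized_keys being truthy and is never reconciled with the separate $pubkey parameter passed to the same define, so the two can disagree (root granted the publickey method while $pubkey is false, or $pubkey true with no root keys managed). Suggest either deriving one from the other or failing early when they conflict, so the resulting sshd_config reflects a single intent. Style: the if/else can collapse to a boolean expression such as `$rootlogin_with_keypair = ($root_authorized_keys != undef)`.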
manifests/ssh/config/sshd.pp (View file @ e59e41a2)
...
...
@@ -31,12 +31,17 @@
# connections per network connection, set it here. This is particularly
# useful for bastion hosts.
# Default: undef
# $extra_gssapi_only_users: Due to problems with Duo, we skip Duo for users
#
# $rootlogin_with_keypair: Allow the us of a public/private key-pair when
# logging in as "root".
# Default: false
#
# $extra_skip_duo_users: Due to problems with Duo, we skip Duo for users
# matching these strings: root,root.*,*.root,admin.*,*.admin. These users
# can ONLY use GSSAPI (no passwords). If you want to skip accounts IN
# ADDITION to this list, set this parameter to an array of such
# accounts. For example, if you want to skip Duo authentication for
# can ONLY use GSSAPI (no passwords) or, if $rootlogin_with_keypair is set
# to true, with a public/private key-pair. If you want to skip Duo for
# accounts IN ADDITION to this list, set this parameter to an array of
# such accounts. For example, if you want to skip Duo authentication for
#
# root
# root.*
...
...
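Review bot: typo in the new parameter doc, "Allow the us of a public/private key-pair" should read "Allow the use of". More importantly, that doc says the key-pair applies "when logging in as root", whereas the $extra_skip_duo_users text just below correctly states that every user matching root, root.*, *.root, admin.*, *.admin and the extra list gets the key-pair option when $rootlogin_with_keypair is true; make the $rootlogin_with_keypair description say the same, so a caller is not misled about how broadly the flag applies.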
@@ -45,7 +50,7 @@
# *.admin
# wallet
#
# you would set $extra_
gssapi_only
_users to ['wallet']
# you would set $extra_
skip_duo
_users to ['wallet']
# Default: []
define
base::ssh::config::sshd
(
...
...
@@ -61,9 +66,10 @@ define base::ssh::config::sshd(
$listen_addresses
=
'all'
,
$listen_ports
=
'22'
,
$rootloginwithpswd
=
'no'
,
$rootlogin_with_keypair
=
false
,
$pam_duo
=
false
,
$max_sessions
=
'NOT DEFINED'
,
$extra_
gssapi_only
_users
=
[],
$extra_
skip_duo
_users
=
[],
)
{
if
(
$source
)
{
$template
=
undef
...
...
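Review bot: the new $rootlogin_with_keypair parameter is untyped and unvalidated, yet the template tests it with a bare `if (@rootlogin_with_keypair)`; in ERB the string "false" (as easily produced by Hiera or a quoted literal) is truthy and would enable the publickey method. Suggest `Boolean $rootlogin_with_keypair = false` (or validate_bool on older Puppet), and the same treatment for $extra_skip_duo_users, which is concatenated onto an array in the template.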
templates/ssh/sshd_config.erb (View file @ e59e41a2)
...
...
@@ -135,11 +135,18 @@ MaxSessions <%= @max_sessions %>
# Because we are enabling Duo but root logins cannot use Duo (yet),
# we have to configure the authentications for root separately.
<%-
gssapi_only
=
[
'root'
,
'root.*'
,
'*.root'
,
'admin.*'
,
'*.admin'
]
gssapi_only
=
gssapi_only
+
@extra_gssapi_only_users
gssapi_only_list
=
gssapi_only
.
join
(
','
)
skip_duo_base
=
[
'root'
,
'root.*'
,
'*.root'
,
'admin.*'
,
'*.admin'
]
skip_duo_all
=
skip_duo_base
+
@extra_skip_duo_users
skip_duo_list
=
skip_duo_all
.
join
(
','
)
# Do we allow users in skip_duo_list to use public/private key-pair?
if
(
@rootlogin_with_keypair
)
then
allow_publickey
=
' publickey'
else
allow_publickey
=
''
end
-%>
Match User
<%=
gssapi_only
_list
%>
AuthenticationMethods gssapi-with-mic
Match User
<%=
skip_duo
_list
%>
AuthenticationMethods gssapi-with-mic
<%=
allow_publickey
%>
MaxSessions 3
<%
end
-%>
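Review bot: the scope of the new publickey option is wider than the flag name suggests. The `Match User <%= skip_duo_list %>` block covers root, root.*, *.root, admin.*, *.admin and everything in @extra_skip_duo_users, and in sshd_config a space-separated AuthenticationMethods value lists alternatives, so "gssapi-with-mic publickey" lets any of those accounts authenticate with a key alone, skipping both GSSAPI and Duo, whenever root has an authorized_keys file. If the intent is root only (as the variable name, the $root_authorized_keys trigger and the commit message all indicate), emit a dedicated block ahead of the list, e.g. `Match User root` / `AuthenticationMethods gssapi-with-mic publickey`, and leave the broader list at `AuthenticationMethods gssapi-with-mic`; sshd applies the first matching Match block's value for a keyword, so ordering the root block first gives the intended result. Minor: building the method list by appending the `' publickey'` string with a leading space is fragile; assembling an array and joining on a space reads more clearly.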