README.sudo
This README file explains how to use base::sudo.

base::sudo can be used to enable and configure sudo for a system, with or 
without Duo.

base::sudo is a parameterized class.  If you include or require it without any 
parameters, the only thing that happens is that the sudo package is installed. 
On Debian systems, that means anyone in the local "sudo" group has sudo access. 
On RHEL-family systems, that means anyone in the local "wheel" group has sudo 
access.  To set the sudo timeout (which defaults to 30 minutes), set the 
$timeout parameter.

WARNING: Without any parameters, this configuration means that, when you use 
sudo, you will be sending your password over the wire, and it will sit in 
memory on that remote system (which may be swapped to disk).

base::sudo also supports using Duo two-factor as the authentication method, 
instead of password.  To enable this, set the "duo" parameter to true, and set 
the "duo_sudoers" parameter to the list of people who will have this sudo 
access.

TIP: If you have a base::user class that defines your list of root users, you 
could simply pass that list into base::sudo.

WARNING: To be clear, setting the "duo" parameter to true will completely 
disable password-based authentication for sudo!

There are two additional Duo-related parameters that you should look at:

duo_fail_secure: If you set this to true and the Duo service is unavailable or 
blocked, sudo will fail (fail closed).  With the default, sudo would succeed in 
that situation (fail open).  This parameter does not apply when the Duo service 
is working: if you fail to answer a Duo call/push, or you deny the Duo 
call/push, your sudo still fails regardless of this setting.

duo_gecos: If your local username on a system matches your username in Duo, 
then set this to false.  The default is to take your Duo username from the 
GECOS field of the passwd file (Puppet calls this field the "comment" field).
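As an added example (not part of the base::sudo module itself), the two modes described above side by side in one manifest: the parameterless default on one node, and the Duo-backed, fail-closed configuration on another. The node names and the $root_users list are constructed sample values, and the duo_gecos setting assumes local and Duo usernames match.

```puppet
# Added illustration of base::sudo usage; node names and user list are
# constructed for this example and are not taken from the module.

# Default mode: only the sudo package is installed. Members of the local
# "sudo" (Debian) or "wheel" (RHEL-family) group get password-based sudo,
# so the password travels over the wire and sits in memory on the host.
node 'workstation.example.com' {
  include base::sudo
}

# Duo mode: password authentication for sudo is disabled entirely and
# replaced by a Duo two-factor call/push for the listed users only.
node 'bastion.example.com' {
  # Constructed sample list; a site would typically pass the root-user
  # list it already maintains in its base::user class instead.
  $root_users = ['alice', 'bob']

  class { 'base::sudo':
    duo             => true,
    duo_sudoers     => $root_users,
    # Fail closed: if Duo is unreachable or blocked, sudo is denied rather
    # than silently granted. A denied or unanswered push fails either way.
    duo_fail_secure => true,
    # Local usernames match Duo usernames here, so do not read the Duo
    # username from the passwd GECOS ("comment") field.
    duo_gecos       => false,
  }
}
```

Review the duo_sudoers list with the same care as a root-user list: with duo set to true, anyone not on it has no sudo path at all, and anyone on it has root after a single push approval.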