From 1c31982a3280cf06941937c25c968135c4d03e1c Mon Sep 17 00:00:00 2001 From: Adam Henry Lewenberg <adamhl@stanford.edu> Date: Tue, 1 Aug 2017 08:48:43 -0700 Subject: [PATCH] add extra_gssapi_only_user to ssh --- NEWS | 3 +++ manifests/ssh.pp | 19 ++++++++++++------- manifests/ssh/config/sshd.pp | 17 +++++++++++++++++ templates/ssh/sshd_config.erb | 7 ++++++- 4 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/NEWS b/NEWS
index fa8cdaa..a2a10a5 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ unreleased (2017-??-??) Starting the work to make the code Puppet 4 compatible. [adamhl] + [ssh] Add $extra_gssapi_only_users parameter to list accounts extra + accounts that should skip Duo. [adamhl] + release/005.009 (2017-07-07) [ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help
diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index a6e9ff6..2f289a0 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -49,6 +49,9 @@ # # Default: undef +# $extra_gssapi_only_users: See documentation in base::ssh::config::sshd. +# Default: [] + class base::ssh( $pam_afs = true, $pam_duo = false,
@@ -65,9 +68,10 @@ class base::ssh( '192.168.0.0/16', '204.63.224.0/21' ], - $pubkey = false, - $root_authorized_keys = undef, - $filter_sunetids = [], + $pubkey = false, + $root_authorized_keys = undef, + $filter_sunetids = [], + $extra_gssapi_only_users = [], ){ # Install the openssh server package.
@@ -129,10 +133,11 @@ class base::ssh( # Install sshd (server) configuration file. base::ssh::config::sshd { '/etc/ssh/sshd_config': - ensure => present, - pam_duo => $pam_duo, - pubkey => $pubkey, - notify => Service['ssh'], + ensure => present, + pam_duo => $pam_duo, + pubkey => $pubkey, + extra_gssapi_only_users => $extra_gssapi_only_users, + notify => Service['ssh'], } if ($root_authorized_keys) {
diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index 3c0cbf1..b1ec28c 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -32,6 +32,22 @@ # useful for bastion hosts. # Default: undef +# $extra_gssapi_only_users: Due to problems with Duo, we skip Duo for users +# matching these strings: root,root.*,*.root,admin.*,*.admin. These users +# can ONLY use GSSAPI (no passwords). If you want to skip accounts IN +# ADDITION to this list, set this parameter to an array of such +# accounts. For example, if you want to skip Duo authentication for +# +# root +# root.* +# *.root +# admin.* +# *.admin +# wallet +# +# you would set $extra_gssapi_only_users to ['wallet'] +# Default: [] + define base::ssh::config::sshd( $ensure = 'present', $gitolite = false,
@@ -47,6 +63,7 @@ define base::ssh::config::sshd( $rootloginwithpswd = 'no', $pam_duo = false, $max_sessions = 'NOT DEFINED', + $extra_gssapi_only_users = [], ) { if ($source) { $template = undef
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 635a079..a0fcf05 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -134,7 +134,12 @@ MaxSessions <%= @max_sessions %> # Because we are enabling Duo but root logins cannot use Duo (yet), # we have to configure the authentications for root separately. -Match User root,root.*,*.root,admin.*,*.admin +<%- + gssapi_only = ['root', 'root.*', '*.root', 'admin.*', '*.admin'] + gssapi_only = admin_users + @extra_gssapi_only_users + gssapi_only_list = admin_users.join(',') +-%> +Match User <%= gssapi_only_list %> AuthenticationMethods gssapi-with-mic MaxSessions 3 <% end -%> -- GitLab
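Review bot: The new parameter comment in the first sshd.pp hunk calls the entries "strings", but they are emitted verbatim into an sshd `Match User` criterion where `*` and `?` are wildcards, so a single entry of `*` (or `*.*`) would exempt every account on the host from Duo. I would add a warning line to the comment: `# NOTE: entries are sshd Match User patterns (* and ? are wildcards); never use a bare * here, and avoid spaces or commas, which change the meaning of the Match line.` It would also help to say whether Puppet validates the value, since nothing in this hunk does. The define's parameter list continues past the end of this hunk.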
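Review bot: `$extra_gssapi_only_users` is added to the `base::ssh::config::sshd` define in the second sshd.pp hunk without any validation, yet the template in this commit concatenates it onto a Ruby array and joins it into a `Match User` line, so a scalar string (easy to produce from Hiera) would raise a TypeError at catalog compile time, and a wildcard or whitespace-bearing entry would either widen the Duo bypass or make sshd reject its config on restart. Since this parameter weakens authentication for the listed accounts, fail early in the define body with `validate_array($extra_gssapi_only_users)` if the module already depends on puppetlabs-stdlib (under Puppet 4, which the NEWS entry says is the target, an `Array[String]` parameter type does the same), and additionally `fail()` on any entry that is empty or matches `/[\s,*?]/`. The define body continues outside this hunk, so the exact placement of the check is not visible here.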
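Review bot: The ERB block in the sshd_config.erb hunk references `admin_users`, which is never assigned (the default list is assigned to `gssapi_only` on the line above), so rendering raises a NameError unless `admin_users` is defined earlier in the template, and even then `gssapi_only_list` is built from `admin_users` alone, meaning `@extra_gssapi_only_users` never reaches the `Match User` line. Collapse the three assignments into `gssapi_only = ['root', 'root.*', '*.root', 'admin.*', '*.admin'] + Array(@extra_gssapi_only_users)` followed by `gssapi_only_list = gssapi_only.join(',')`; `Array()` also turns a single string value into a one-element list instead of raising a TypeError. Because `Match User` treats `*` and `?` as wildcards and a space would start a new Match criterion, I would also fail the template (or drop the entry) for any element matching `/[\s,*?]/` before joining, so a bad Hiera value cannot disable Duo for every account or break sshd's config. The `<% end -%>` at the bottom closes a conditional that starts outside this hunk.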