add extra_gssapi_only_user to ssh

1c31982a · Adam Lewenberg · c40acf1c · 1c31982a · 1c31982a · 1c31982a
Verified Commit 1c31982a authored 7 years ago by Adam Lewenberg
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ unreleased (2017-??-??)
    Starting the work to make the code Puppet 4 compatible. [adamhl]
+    [ssh] Add $extra_gssapi_only_users parameter to list accounts extra
+    accounts that should skip Duo. [adamhl]
 release/005.009 (2017-07-07)
    [ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help

--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -49,6 +49,9 @@
 #
 # Default: undef
+# $extra_gssapi_only_users: See documentation in base::ssh::config::sshd.
+# Default: []
 class base::ssh(
  $pam_afs               = true,
  $pam_duo               = false,
@@ -65,9 +68,10 @@ class base::ssh(
      '192.168.0.0/16',
      '204.63.224.0/21'
    ],
-  $pubkey                = false,
+  $pubkey                  = false,
-  $root_authorized_keys  = undef,
+  $root_authorized_keys    = undef,
-  $filter_sunetids       = [],
+  $filter_sunetids         = [],
+  $extra_gssapi_only_users = [],
 ){
  # Install the openssh server package.
@@ -129,10 +133,11 @@ class base::ssh(
  # Install sshd (server) configuration file.
  base::ssh::config::sshd { '/etc/ssh/sshd_config':
-    ensure  => present,
+    ensure                  => present,
-    pam_duo => $pam_duo,
+    pam_duo                 => $pam_duo,
-    pubkey  => $pubkey,
+    pubkey                  => $pubkey,
-    notify  => Service['ssh'],
+    extra_gssapi_only_users => $extra_gssapi_only_users,
+    notify                  => Service['ssh'],
  }
  if ($root_authorized_keys) {

--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -32,6 +32,22 @@
 # useful for bastion hosts.
 # Default: undef
+# $extra_gssapi_only_users: Due to problems with Duo, we skip Duo for users
+# matching these strings: root,root.*,*.root,admin.*,*.admin. These users
+# can ONLY use GSSAPI (no passwords). If you want to skip accounts IN
+# ADDITION to this list, set this parameter to an array of such
+# accounts. For example, if you want to skip Duo authentication for
+#
+#         root
+#         root.*
+#         *.root
+#         admin.*
+#         *.admin
+#         wallet
+#
+# you would set $extra_gssapi_only_users to ['wallet']
+# Default: []
 define base::ssh::config::sshd(
  $ensure            = 'present',
  $gitolite          = false,
@@ -47,6 +63,7 @@ define base::ssh::config::sshd(
  $rootloginwithpswd = 'no',
  $pam_duo           = false,
  $max_sessions      = 'NOT DEFINED',
+  $extra_gssapi_only_users = [],
 ) {
  if ($source) {
    $template = undef

--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -134,7 +134,12 @@ MaxSessions <%= @max_sessions %>
 # Because we are enabling Duo but root logins cannot use Duo (yet),
 # we have to configure the authentications for root separately.
-Match User root,root.*,*.root,admin.*,*.admin
+<%-
+  gssapi_only      = ['root', 'root.*', '*.root', 'admin.*', '*.admin']
+  gssapi_only      = admin_users + @extra_gssapi_only_users
+  gssapi_only_list = admin_users.join(',')
+-%>
+Match User <%= gssapi_only_list %>
  AuthenticationMethods gssapi-with-mic
  MaxSessions 3
 <% end -%>