From 33067747fd235c21ea8bb22dd352d5927c8b2106 Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Fri, 6 Nov 2015 14:24:47 -0800
Subject: [PATCH] handle case where pam_duo is true and we only want GSSAP root
 logins

---
 manifests/ssh/config/sshd.pp  | 3 +++
 templates/ssh/sshd_config.erb | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index e3b3464..af457f2 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -20,6 +20,9 @@
 #
 # If you want to require Duo on login, set pam_duo to true (defaults to
 # false).
+#
+# If $rootloginwithpswd is set to 'no' then we allow root logins using
+# GSSAPI only.
 
 define base::ssh::config::sshd(
   $ensure            = 'present',
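Review bot: The added header comment makes the GSSAPI-only root restriction sound like it depends on $rootloginwithpswd alone, but the template in the second hunk emits the `Match User root` block only when pam_duo is also true, so the manifest documentation and the template condition disagree. I would word it as `# If pam_duo is true and $rootloginwithpswd is set to 'no', root logins are` followed by `# restricted to GSSAPI (gssapi-with-mic) via a Match User root block in sshd_config.erb.` so the dependency on pam_duo is visible where the parameters are declared. The parameter list of base::ssh::config::sshd continues outside the hunk, so I cannot see whether the type of $rootloginwithpswd (string 'no' vs boolean) is validated there.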
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index b0f1ad1..27525fd 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -105,3 +105,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Match User gitolite
     ForceCommand /usr/share/gitolite/gitolite-wrapper
 <% end -%>
+<% if (@pam_duo) and (@rootloginwithpswd == 'no') then -%>
+
+# Because we are enabling Duo but root logins cannot use Duo (yet),
+# we have to configure the authentications for root separately.
+Match User root
+  AuthenticationMethods gssapi-with-mic
+  MaxSessions 3
+<% end -%>
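Review bot: The new `Match User root` block limits root to `gssapi-with-mic`, but nothing in this hunk enables GSSAPI authentication, so if `GSSAPIAuthentication` is not `yes` in the global section of the template (outside this hunk), or `PermitRootLogin` does not admit root, root is locked out entirely whenever both conditions hold; the block should carry a comment naming that dependency, e.g. `# Requires GSSAPIAuthentication yes and a PermitRootLogin value that admits root in the global section.` The ERB condition compares `@rootloginwithpswd` with the string 'no', so a caller passing a boolean would silently skip the block and leave root subject to the Duo-backed global methods; either document that the parameter is expected to be the string 'no' or validate it in the manifest. `MaxSessions 3` is unrelated to the authentication change and deserves its own one-line justification so a later reader does not assume it is part of the Duo workaround.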
-- 
GitLab