Commit 33067747 authored by Adam Lewenberg

handle case where pam_duo is true and we only want GSSAPI root logins

parent 8e274164
Tags release/004.056
...@@ -20,6 +20,9 @@ ...@@ -20,6 +20,9 @@
# #
# If you want to require Duo on login, set pam_duo to true (defaults to # If you want to require Duo on login, set pam_duo to true (defaults to
# false). # false).
#
# If $rootloginwithpswd is set to 'no' then we allow root logins using
# GSSAPI only.
define base::ssh::config::sshd( define base::ssh::config::sshd(
$ensure = 'present', $ensure = 'present',
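Review bot: The added comment on `$rootloginwithpswd` omits the `pam_duo` precondition: as worded, setting it to 'no' always restricts root to GSSAPI, but the template change in this commit only emits the root-specific block when `pam_duo` is also true. Suggest wording such as "If pam_duo is true and $rootloginwithpswd is 'no', root logins are restricted to GSSAPI (gssapi-with-mic)", and saying what 'no' means for root when pam_duo is false. It would also help to note that the value is compared as the string 'no', so a caller passing a boolean false will not trigger the restriction.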
......
...@@ -105,3 +105,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server ...@@ -105,3 +105,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
Match User gitolite Match User gitolite
ForceCommand /usr/share/gitolite/gitolite-wrapper ForceCommand /usr/share/gitolite/gitolite-wrapper
<% end -%> <% end -%>
<% if (@pam_duo) and (@rootloginwithpswd == 'no') then -%>
# Because we are enabling Duo but root logins cannot use Duo (yet),
# we have to configure the authentications for root separately.
Match User root
AuthenticationMethods gssapi-with-mic
MaxSessions 3
<% end -%>
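Review bot: `MaxSessions 3` in the new `Match User root` block is not explained by the comment above it or by the commit message, which are only about authentication; either document why root is limited to three sessions or move it to a separate change. Two further checks on the same block: `AuthenticationMethods gssapi-with-mic` only works if `GSSAPIAuthentication yes` is in effect for root, which is not visible in this hunk, so confirm the template emits it whenever this block is rendered, otherwise root is left with no usable method. Also, the guard `@rootloginwithpswd == 'no'` is an exact string match, so any other spelling or a boolean value skips the block silently and root falls back to the global settings; consider normalizing the value or failing in the manifest on unexpected input.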