From 4d0a1f20cac000aa17e53fc935d88a2f92854fe2 Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Wed, 4 Nov 2015 08:37:11 -0800
Subject: [PATCH] Initial code for new base::duo and sudo-with-Duo support.

---
 NEWS                                 |  5 +++
 manifests/duo.pp                     | 26 +++++++++++++
 manifests/sudo.pp                    | 55 +++++++++++++++++++++++++---
 templates/sudo/etc/pam.d/sudo.erb    | 16 ++++++++
 templates/sudo/etc/sudoers.d/duo.erb |  9 +++++
 5 files changed, 106 insertions(+), 5 deletions(-)
 create mode 100644 manifests/duo.pp
 create mode 100644 templates/sudo/etc/pam.d/sudo.erb
 create mode 100644 templates/sudo/etc/sudoers.d/duo.erb

diff --git a/NEWS b/NEWS
index 184bae5..4268ca7 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+UNRELEASED (2015-11-04)
+
+  [sudo] Add an option to support sudo-with-Duo. (adamhl)
+  [duo] New class to load Duo code and wallet object. (adamhl)
+
 release/004.055 (2015-10-08)
 
   [dns] Rewrite base::dns::cache so that it uses dnsmasq on jessie
diff --git a/manifests/duo.pp b/manifests/duo.pp
new file mode 100644
index 0000000..f08bc21
--- /dev/null
+++ b/manifests/duo.pp
@@ -0,0 +1,26 @@
+# Set up Duo. Note that this class does not _enable_ Duo for any service,
+# rather, it simply downloads the pam_duo software and the appropriate
+# wallet files that allow Duo to be used.
+
+# See base::sudo and base::ssh for services that leverage this class.
+
+# wallet_name: the name for the duo wallet object. Defaults to the
+# fully-qualified domain name of the host.
+
+class base::duo(
+  $wallet_name = $::fqdn
+){
+  # Pull in Duo's PAM integration package
+  package { 'libpam-duo': ensure => present }
+
+  # Install the duo configuration. The object is not written to the
+  # default loaction because base::wallet will not overwrite the
+  # configuration file supplied with the package install.
+  $wallet_name_downcase = downcase($wallet_name)
+  base::wallet { $wallet_name_downcase:
+    ensure => present,
+    type => 'duo-pam',
+    path => '/etc/security/pam_duo_su.conf',
+    require => Package['libpam-duo'],
+  }
+}
diff --git a/manifests/sudo.pp b/manifests/sudo.pp
index b500f00..ca3f7df 100644
--- a/manifests/sudo.pp
+++ b/manifests/sudo.pp
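Review bot: The `base::wallet` declaration that writes `/etc/security/pam_duo_su.conf` passes no `owner`, `group` or `mode`, yet that file holds the Duo integration key and secret key, so how tightly it is protected depends on defaults inside base::wallet that are not part of this diff. If the define accepts file attributes, state the intent explicitly next to `path` with `owner => 'root', group => 'root', mode => '0600',` — pam_duo is loaded by the setuid sudo process, so root-only access is sufficient; if it does not, confirm its default is already that restrictive before relying on it. The class also carries no `$::osfamily` guard even though `libpam-duo` is the Debian package name, whereas base::sudo fails on other families. The header comment misspells "location" as "loaction".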
@@ -1,8 +1,53 @@
+# Installs sudo and, optionally, enables Duo for sudo.
+
+# $duo: enable pam_duo for sudo. Defaults to false.
+#
+# $duo_sudoers: A list of users that are allowed to call sudo.
+#   Defaults to the empty array.
+#
+# Example.
+# To install sudo with no Duo support:
+#
+#   include base::sudo
+#
+# Example.
+# To install sudo WITH Duo support
 #
-# Installs sudo
+#   class { 'base::sudo':
+#     duo => true,
+#     duo_sudoers => ['adamhl', 'yuelu']
+#   }
+
+class base::sudo(
+  $duo = false,
+  $duo_sudoers = [],
+){
+  package { 'sudo':
+    ensure => installed
+  }
+
+  # If duo is enabled, require base::duo and set up the
+  # sudoers file.
+  if ($duo) {
+    include base::duo
+
+    # Install the pam.d configuration that requires Duo on sudo.
+    file {'/etc/pam.d/sudo':
+      ensure => present,
+      content => template('base/sudo/etc/pam.d/sudo.erb'),
+      require => Class['base::duo'],
+    }
 
-class base::sudo {
-  package { "sudo":
-    ensure => installed
+    # Install the suoders file. This takes the array $duo_sudoers
+    # and puts it into /etc/sudoers.d/duo
+    if (downcase($::osfamily) =~ /^debian$/) {
+      file {'/etc/sudoers.d/duo':
+        ensure => present,
+        content => template('base/sudo/etc/sudoers.d/duo.erb'),
+        require => Package['sudo'],
+      }
+    } else {
+      fail("base::sudo with duo does not yet support ${::osfamily}.")
   }
-}
\ No newline at end of file
+  }
+}
diff --git a/templates/sudo/etc/pam.d/sudo.erb b/templates/sudo/etc/pam.d/sudo.erb
new file mode 100644
index 0000000..45b367d
--- /dev/null
+++ b/templates/sudo/etc/pam.d/sudo.erb
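Review bot: The `file {'/etc/sudoers.d/duo'}` resource sets neither `mode` nor `validate_cmd`, so a `$duo_sudoers` entry that is not a bare account name (whitespace, a comma, a `#`) becomes a sudoers syntax error once written, and sudo then refuses to run for every user on the host until the catalog is corrected — a self-inflicted lockout. sudo also expects drop-in files to be root-owned and not world-writable; make both explicit and let visudo reject bad content before the file lands: `mode => '0440', validate_cmd => '/usr/sbin/visudo -cf %',`. Both file resources use `ensure => present` while supplying `content`; `ensure => file` is the precise form. The comment above that block misspells "sudoers" as "suoders", and the `$duo_sudoers` header comment should say that listed users receive the unrestricted `ALL = (ALL) ALL` grant produced by the template, not merely that they "are allowed to call sudo".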
@@ -0,0 +1,16 @@
+#%PAM-1.0
+auth required pam_env.so
+
+# MUST COMMENT OUT OR IT WILL ASK FOR A PASSWORD:
+# auth requisite pam_unix.so nullok try_first_pass
+
+# Do a Duo authentication and, if successful, allow the sudo.
+# Otherwise, fail.
+
+auth sufficient pam_duo.so conf=/etc/security/pam_duo_su.conf
+auth required pam_deny.so
+
+account include common-auth
+password include common-auth
+session optional pam_keyinit.so revoke
+session required pam_limits.so
diff --git a/templates/sudo/etc/sudoers.d/duo.erb b/templates/sudo/etc/sudoers.d/duo.erb
new file mode 100644
index 0000000..7527c35
--- /dev/null
+++ b/templates/sudo/etc/sudoers.d/duo.erb
@@ -0,0 +1,9 @@
+<%
+  @duo_sudoers.each do |sudoer|
+-%>
+<%= sudoer %> ALL = (ALL) ALL
+<%
+  end
+-%>
+
+
-- 
GitLab
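Review bot: With pam_unix commented out, `auth sufficient pam_duo.so` is the only credential check left in the auth stack, and pam_duo's `failmode` option defaults to `safe`, which returns success when the Duo service cannot be reached; unless the wallet-supplied pam_duo_su.conf sets `failmode = secure` (its contents are not in this diff), a Duo outage lets every user listed in /etc/sudoers.d/duo obtain root with no authentication at all. Either make `failmode = secure` a documented requirement of the wallet object, or keep `auth requisite pam_unix.so try_first_pass` (without `nullok`, which accepts empty passwords) as a required first factor ahead of pam_duo, and replace the "MUST COMMENT OUT" comment with one that states which of the two keeps sudo fail-closed. Separately, `account include common-auth` and `password include common-auth` look like copy-paste slips: on Debian common-auth carries only `auth` entries, so those stacks appear to end up with no modules at all, whereas the stock sudo service includes `common-account` (and `common-password` would be the password counterpart) — confirm with a test sudo on a jessie host before merging.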
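Review bot: Each `@duo_sudoers` element is interpolated verbatim into `<%= sudoer %> ALL = (ALL) ALL`, so any value that is not a plain account name changes the sudoers grammar rather than just the user list; a `validate_cmd` on the file resource in manifests/sudo.pp is the stronger safeguard, but a guard in the template, `<% raise "base::sudo: invalid duo_sudoers entry #{sudoer.inspect}" unless sudoer =~ /\A[a-z_][a-z0-9_-]*\z/ -%>` placed before the output line, fails the catalog compile with a clear message instead of writing a broken file. The grant is unrestricted (any command, as any user), which is worth stating in a comment at the top of the template, e.g. `<%# Every entry gets full root via sudo; the only gate is the Duo check in /etc/pam.d/sudo. -%>`. The two trailing `+` lines emit an empty pair of lines at the end of the generated file and can be dropped.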