From 5c5edd9e3857ca0a2db9b8d002fffe33079217ae Mon Sep 17 00:00:00 2001
From: "A. Karl Kornel" <akkornel@stanford.edu>
Date: Fri, 9 Sep 2016 11:05:52 -0700
Subject: [PATCH] ssh: Add support for not using AFS in the PAM stack.

---
 manifests/ssh.pp                 | 7 +++++++
 manifests/ssh/pam.pp             | 1 +
 templates/ssh/etc/pam.d/sshd.erb | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index 32e11a2..2ca3a5f 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -3,6 +3,11 @@
 # system, we lock connections down to campus with iptables by default, and we
 # have a few subclasses that allow things like host keys.
 
+# If you are using AFS, then you can have pam_afs_session placed into the
+# PAM authentication chain.  You should disable this on systems that aren't
+# using OpenAFS.
+# Default: true
+
 # If you want to require Duo on login, set pam_duo to true. This flag will
 # load the appropriate Duo code (via base::duo) and change the sshd_config
 # file so that Duo is required for non-root logins. If you want Duo for
@@ -10,6 +15,7 @@
 # Default: false
 
 class base::ssh(
+  $pam_afs = true,
   $pam_duo = false
 ){
 
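Review bot: The new `$pam_afs = true` parameter is consumed by the template as `<% if @pam_afs %>`, and in ERB any non-empty string is truthy, so a value such as `'false'` supplied as a string (e.g. from Hiera or an ENC) would still emit the pam_afs_session line instead of omitting it. If the module already depends on puppetlabs-stdlib, a `validate_bool($pam_afs)` near the top of the class body would reject non-boolean input; otherwise the comment block above should at least say the value must be a real boolean. The same applies to the identical parameter added to `ssh::pam` in manifests/ssh/pam.pp. The body of class base::ssh continues outside this hunk.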
@@ -29,6 +35,7 @@ class base::ssh(
 
   # Setup /etc/pam.d/sshd to require Duo on regular logins.
   class { 'ssh::pam':
+    pam_afs => $pam_afs,
     pam_duo => $pam_duo,
   }
 
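Review bot: The comment above the `ssh::pam` declaration still says only `# Setup /etc/pam.d/sshd to require Duo on regular logins.`, but the declaration now also decides whether pam_afs_session is part of the stack. I would change it to `# Setup /etc/pam.d/sshd to require Duo on regular logins and, if $pam_afs, to include pam_afs_session.` so a reader of this file sees both effects without opening the template.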
diff --git a/manifests/ssh/pam.pp b/manifests/ssh/pam.pp
index a74f488..b9a8dd7 100644
--- a/manifests/ssh/pam.pp
+++ b/manifests/ssh/pam.pp
@@ -6,6 +6,7 @@
 # Currently, only Debian is supported when $pam_duo is true.
 
 class ssh::pam (
+  $pam_afs = true,
   $pam_duo = false
 ){
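Review bot: The header comment of `ssh::pam` (the visible part mentions only `$pam_duo`) does not document the new `$pam_afs` parameter, so the only description of it lives in manifests/ssh.pp. I would add a line such as `# Set $pam_afs to false to omit pam_afs_session.so from /etc/pam.d/sshd.` above the class, and the class body, which presumably declares the file resource that renders the template, lies outside this hunk.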
 
diff --git a/templates/ssh/etc/pam.d/sshd.erb b/templates/ssh/etc/pam.d/sshd.erb
index 166eddb..5625053 100644
--- a/templates/ssh/etc/pam.d/sshd.erb
+++ b/templates/ssh/etc/pam.d/sshd.erb
@@ -9,12 +9,16 @@
 #    credential), then "jump over" the pam_duo module to step 3. If not,
 #    go to the next module in the stack (2).
 # 2. If the user is _not_ root, require Duo.
+<% if @pam_afs %>
 # 3. Set up the AFS session and then, whether the AFS sesssion setup works
 #    or not, quit the pam stack
+<% end %>
 
 auth    [success=1 default=ignore]  pam_succeed_if.so uid eq 0
 auth    required                    pam_duo.so conf=/etc/security/pam_duo_ssh.conf
+<% if @pam_afs %>
 auth    [success=done default=die]  pam_afs_session.so
+<% end %>
 
 ##############################################################################
 # account
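Review bot: When `@pam_afs` is false the auth section loses its only terminal entry, the `[success=done default=die] pam_afs_session.so` line, so after `pam_duo.so` control now falls through to whatever auth lines follow line 73 (outside this hunk) instead of ending the stack there; the commit does not say whether that fall-through is intended, and the step-3 comment is the natural place to state it. The numbered comment is also now inconsistent in that configuration: step 1 still says "jump over the pam_duo module to step 3", but step 3 is only rendered when `@pam_afs` is set, so I would word it as "jump over the pam_duo module" and, inside the `<% if @pam_afs %>` block, describe step 3 as "Set up the AFS session and, whether or not that works, end the auth stack". The `success=1` skip count itself stays correct either way, since only pam_duo.so sits between the jump and the next module.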
-- 
GitLab