diff --git a/NEWS b/NEWS
index 3c720fd417d84b3e84c58b2ec81cbab3492d40d4..8913ef2bbcccb4ff14c09dc7e8beec6b6a502372 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 unreleased (207x-xx-xx)
 
-
+    [ssh] Change interface parameter. The parameter
+    base::ssh::extra_gssapi_only_users has been renamed to
+    base::ssh::extra_skip_duo_users to more accurately reflect what this
+    parameter does. [adamhl]
 
 release/005.010 (2017-10-02)
 
diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index 2f289a0451775805d5701970dcc83ed9749f6585..4af1be1f5c0723a6e4f970ed60abedeb1ae23af8 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -3,9 +3,9 @@
 # system, we lock connections down to campus with iptables by default, and we
 # have a few subclasses that allow things like host keys.
 
-# If you are using AFS, then you can have pam_afs_session placed into the
-# PAM authentication chain.  You should disable this on systems that aren't
-# using OpenAFS.
+# $pam_afs: If you are using AFS, then you can have pam_afs_session placed
+# into the PAM authentication chain.  You should disable this on systems
+# that aren't using OpenAFS.
 # Default: true
 
 # If you want to require Duo on login, set pam_duo to true. This flag will
@@ -49,7 +49,7 @@
 #
 # Default: undef
 
-# $extra_gssapi_only_users: See documentation in base::ssh::config::sshd.
+# $extra_skip_duo_users: See documentation in base::ssh::config::sshd.
 # Default: []
 
 class base::ssh(
@@ -71,7 +71,7 @@ class base::ssh(
   $pubkey                  = false,
   $root_authorized_keys    = undef,
   $filter_sunetids         = [],
-  $extra_gssapi_only_users = [],
+  $extra_skip_duo_users    = [],
 ){
 
   # Install the openssh server package.
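Review bot: Renaming `$extra_gssapi_only_users` to `$extra_skip_duo_users` in the parameter list leaves no transition path for existing callers. A resource-style declaration that still passes the old name will fail catalog compilation, but a Hiera key `base::ssh::extra_gssapi_only_users` consumed through automatic parameter lookup would presumably just stop matching, so those accounts silently drop out of the skip-Duo Match list and may be locked out. A comment next to the parameter such as `# Renamed from $extra_gssapi_only_users; old Hiera keys are ignored, not rejected.` would make that visible, or the old name could be kept for one release and fail with a clear message when set. The class body continues outside this hunk.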
@@ -131,15 +131,6 @@ class base::ssh(
     notify => Service['ssh'],
   }
 
-  # Install sshd (server) configuration file.
-  base::ssh::config::sshd { '/etc/ssh/sshd_config':
-    ensure                  => present,
-    pam_duo                 => $pam_duo,
-    pubkey                  => $pubkey,
-    extra_gssapi_only_users => $extra_gssapi_only_users,
-    notify                  => Service['ssh'],
-  }
-
   if ($root_authorized_keys) {
     file { '/root/.ssh/authorized_keys':
       ensure  => present,
@@ -156,6 +147,26 @@ class base::ssh(
     }
   }
 
+  # If we have $root_authorized_keys defined, then this means we want to
+  # allow logins to the root account with an ssh key-pair. So, set
+  # $rootlogin_with_keypair appropriately and use it in the
+  # base::ssh::config::sshd define below.
+  if ($root_authorized_keys) {
+    $rootlogin_with_keypair = true
+  } else {
+    $rootlogin_with_keypair = false
+  }
+
+  # Install sshd (server) configuration file.
+  base::ssh::config::sshd { '/etc/ssh/sshd_config':
+    ensure                 => present,
+    pam_duo                => $pam_duo,
+    pubkey                 => $pubkey,
+    rootlogin_with_keypair => $rootlogin_with_keypair,
+    extra_skip_duo_users   => $extra_skip_duo_users,
+    notify                 => Service['ssh'],
+  }
+
   # Ignore routine ssh messages.
   file { '/etc/filter-syslog/ssh':
     content => template('base/ssh/etc/filter-syslog/ssh.erb'),
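Review bot: `$rootlogin_with_keypair` is derived from `$root_authorized_keys` alone, so managing root's authorized_keys file now also changes sshd's authentication policy, and a caller cannot choose one without the other. Per the hunk in templates/ssh/sshd_config.erb, the flag adds `publickey` for every pattern on the `Match User` line (including `admin.*` and anything in `$extra_skip_duo_users`), not only for root. The comment block added here should say so, e.g. `# NOTE: this enables publickey for every skip-Duo account in the Match block, not just root.` An explicit class parameter defaulting to this derived value would make the policy change a deliberate choice. The class body continues outside this hunk.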
diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index b1ec28c865f08e215af6c9716a7a9d878ba1e652..e71e90c0afbb6cb1068552fc4fb883c707ac268a 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -31,12 +31,17 @@
 # connections per network connection, set it here. This is particularly
 # useful for bastion hosts.
 # Default: undef
-
-# $extra_gssapi_only_users: Due to problems with Duo, we skip Duo for users
+#
+# $rootlogin_with_keypair: Allow the us of a public/private key-pair when
+# logging in as "root".
+# Default: false
+#
+# $extra_skip_duo_users: Due to problems with Duo, we skip Duo for users
 # matching these strings: root,root.*,*.root,admin.*,*.admin. These users
-# can ONLY use GSSAPI (no passwords). If you want to skip accounts IN
-# ADDITION to this list, set this parameter to an array of such
-# accounts. For example, if you want to skip Duo authentication for
+# can ONLY use GSSAPI (no passwords) or, if $rootlogin_with_keypair is set
+# to true, with a public/private key-pair. If you want to skip Duo for
+# accounts IN ADDITION to this list, set this parameter to an array of
+# such accounts. For example, if you want to skip Duo authentication for
 #
 #         root
 #         root.*
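Review bot: The new `$rootlogin_with_keypair` description says the key-pair applies when logging in as "root", but the `$extra_skip_duo_users` paragraph directly below it extends the same allowance to every skip-Duo account, so the two descriptions disagree. The first line also has a typo, `the us of`. Suggested wording: `# $rootlogin_with_keypair: Allow the use of a public/private key-pair for` followed by `# root and all other accounts that skip Duo (see $extra_skip_duo_users).` The comment block continues outside this hunk.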
@@ -45,7 +50,7 @@
 #         *.admin
 #         wallet
 #
-# you would set $extra_gssapi_only_users to ['wallet']
+# you would set $extra_skip_duo_users to ['wallet']
 # Default: []
 
 define base::ssh::config::sshd(
@@ -61,9 +66,10 @@ define base::ssh::config::sshd(
   $listen_addresses  = 'all',
   $listen_ports      = '22',
   $rootloginwithpswd = 'no',
+  $rootlogin_with_keypair = false,
   $pam_duo           = false,
   $max_sessions      = 'NOT DEFINED',
-  $extra_gssapi_only_users = [],
+  $extra_skip_duo_users = [],
 ) {
   if ($source) {
     $template = undef
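Review bot: `$extra_skip_duo_users` decides which accounts bypass the second factor, yet it is accepted without validation before being joined into the `Match User` line of the template. An entry containing whitespace or a newline would alter the Match criteria or the directives that follow, and an overly broad pattern such as a bare `*` would exempt every user. If the module's minimum Puppet version allows typed parameters, something like `Array[Pattern[/\A[A-Za-z0-9_.*-]+\z/]] $extra_skip_duo_users = [],` would reject malformed entries at compile time. The new `$rootlogin_with_keypair = false,` line also breaks the `=` alignment used by the surrounding parameters. The define body continues outside this hunk.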
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 3e52640c148433ec8ef676c18311f5b93c3ffec7..31713ce80684603ad441d4aca499dad5cce41db6 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -135,11 +135,18 @@ MaxSessions <%= @max_sessions %>
 # Because we are enabling Duo but root logins cannot use Duo (yet),
 # we have to configure the authentications for root separately.
 <%-
-  gssapi_only      = ['root', 'root.*', '*.root', 'admin.*', '*.admin']
-  gssapi_only      = gssapi_only + @extra_gssapi_only_users
-  gssapi_only_list = gssapi_only.join(',')
+  skip_duo_base = ['root', 'root.*', '*.root', 'admin.*', '*.admin']
+  skip_duo_all  = skip_duo_base + @extra_skip_duo_users
+  skip_duo_list = skip_duo_all.join(',')
+
+  # Do we allow users in skip_duo_list to use public/private key-pair?
+  if (@rootlogin_with_keypair) then
+    allow_publickey = ' publickey'
+  else
+    allow_publickey = ''
+  end
 -%>
-Match User <%= gssapi_only_list %>
-  AuthenticationMethods gssapi-with-mic
+Match User <%= skip_duo_list %>
+  AuthenticationMethods gssapi-with-mic<%= allow_publickey %>
   MaxSessions 3
 <% end -%>
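Review bot: The entries in `AuthenticationMethods gssapi-with-mic<%= allow_publickey %>` are space-separated, so sshd treats them as alternatives: with the flag set, a key alone is sufficient for every account on the `Match User` line, with neither Duo nor Kerberos involved. That should be stated in the template comment above the block, e.g. `# publickey is an alternative to gssapi-with-mic here, not an additional factor.` Whether `PubkeyAuthentication` is enabled when `@rootlogin_with_keypair` is true but `@pubkey` is false is not visible in this hunk and is worth checking, since a listed method that is disabled cannot be used. The assignment could also be a one-liner, `allow_publickey = @rootlogin_with_keypair ? ' publickey' : ''`. The enclosing block closed by `<% end -%>` starts outside the hunk.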