Add support for password or gssapi authentication

Pull in Darren's support for password or gssapi authentication. Turn the existing classes into parameterized classes to allow the specification of multiple ports. Bastions require support for multiple ports. The class 'pam_duo' defaults to port 22. The 'pam_duo::password' and 'pam_duo::gssapi' classes default to port 22 and port 44 which matches the previous behaviour of the classes.

Add support for password or gssapi authentication
Pull in Darren's support for password or gssapi authentication. Turn the existing classes into parameterized classes to allow the specification of multiple ports. Bastions require support for multiple ports. The class 'pam_duo' defaults to port 22. The 'pam_duo::password' and 'pam_duo::gssapi' classes default to port 22 and port 44 which matches the previous behaviour of the classes.
524288a3 · Bill MacAllister · 9af87046 · 524288a3 · 524288a3 · 524288a3
Commit 524288a3 authored 10 years ago by Bill MacAllister
--- a/NEWS
+++ b/NEWS
+release/001.003 (2015-03-13)
+
+    Pull in Darren's support for password or gssapi authentication.
+    Turn the existing classes into parameterized classes to support
+    the specification of multiple ports if required.  The changes
+    requires base module release/004.033 or greater.  The class
+    'pam_duo' defaults to port 22.  The 'pam_duo::password' and
+    'pam_duo::gssapi' classes default to port 22 and port 44 which
+    matches the previous behaviour of the classes. (whm)
+
 release/001.002 (2014-12-16)

    Restructure the code to add support for password and GSS-API 

--- a/files/etc/pam.d/sshd_both
+++ b/files/etc/pam.d/sshd_both
+# Configuration requiring duo authentication for normal logins and
+# allowing root logins without two stepping.
+
+##############################################################################
+# auth
+##############################################################################
+
+auth    [success=1 default=ignore]  pam_succeed_if.so uid eq 0
+auth    required                    pam_duo.so conf=/etc/security/pam_duo_su.conf
+auth    [success=done default=die]  pam_afs_session.so
+auth    [success=ok default=die]    pam_krb5.so use_first_pass forwardable
+auth    [success=done]              pam_afs_session.so
+
+##############################################################################
+# account
+##############################################################################
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+##############################################################################
+# session
+##############################################################################
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
+##############################################################################
+# Password
+##############################################################################
+
+@include common-password
--- a/manifests/gssapi.pp
+++ b/manifests/gssapi.pp
@@ -7,8 +7,11 @@
 # While the define does accept the fdqn for the host it is not
 # expected that this will ever need to be specified.

-class pam_duo::gssapi {
-  include pam_duo::gssapi::ssh
+class pam_duo::gssapi (
+  $port = ['22', '44']
+) {
+
+  class { 'pam_duo::gssapi::ssh': port => $port }

  # Variable to make manifest lines more readable, i.e. shorter.
  $etc = 'puppet:///modules/pam_duo/etc'
@@ -27,8 +30,8 @@ class pam_duo::gssapi {
  # Modify the sshd configuration to require both a GSS-API and a PAM
  # authentication.
  file {'/etc/pam.d/sshd':
-    ensure => present,
-    source => "$etc/pam.d/sshd_gssapi";
+    ensure  => present,
+    source => "$etc/pam.d/sshd_gssapi",
  }

  # Install the duo configuration.  Right now this object must be
@@ -44,8 +47,13 @@ class pam_duo::gssapi {
 }

 # Class to override the base::ssh configuration.
-class pam_duo::gssapi::ssh inherits base::ssh {
+class pam_duo::gssapi::ssh ( $port ) inherits base::ssh {
+  # TODO: use template for configuring sshd for RHEL as well as
+  # Debian/Ubuntu This probably breaks rhel5 (and 6?)
+  if $::operatingsystem =~ /^(RedHat|CentOS)$/ and $::lsbmajdistrelease < 6 {
+    fail ("pam_duo doesn't support this platform yet.")
+  }
  Base::Ssh::Config::Sshd['/etc/ssh/sshd_config'] {
-    source => 'puppet:///modules/pam_duo/etc/ssh/sshd_config_gssapi',
+    content => template('pam_duo/etc/ssh/sshd_config_gssapi'),
  }
 }
--- a/manifests/init.pp
+++ b/manifests/init.pp
+# Generate the configuration to enforce the following policies:
+#
+#  * Require GSS-API for remote root logins.
+#  * Require GSS-API or password for normal user, i.e. non root, logins.
+#  * Require Duo two step authentication for normal users.
+#
+# While the define does accept the fdqn for the host it is not
+# expected that this will ever need to be specified.
+
+class pam_duo (
+  $port = ['22']
+) {
+  class { 'pam_duo::ssh': port => $port }
+
+  # Variable to make manifest lines more readable, i.e. shorter.
+  $etc = 'puppet:///modules/pam_duo/etc'
+
+  package { 'libpam-duo': ensure => present }
+
+  # A newer version of sshd is required for wheezy and Ubuntu systems.
+  if ( $::operatingsystem == 'Debian' and $::lsbmajdistrelease >= 7 ) or
+      ( $::operatingsystem == 'Ubuntu' and $::lsbmajdistrelease >= 13 ) {
+    file {
+      '/etc/apt/preferences.d/openssh':
+        ensure => present,
+        source => "$etc/apt/preferences.d/openssh",
+        notify => [ Exec['aptitude update'], Exec['update ssh'] ],
+    }
+    exec { 'update ssh':
+      command     => 'aptitude -y install openssh-server',
+      provider    => shell,
+      refreshonly => true,
+      require     => Exec['aptitude update'],
+    }
+  }
+
+  # Modify the sshd configuration to require both a GSS-API and a PAM
+  # authentication.
+  file {'/etc/pam.d/sshd':
+    ensure => present,
+    source => "$etc/pam.d/sshd_both",
+  }
+
+  # Install the duo configuration.  Right now this object must be
+  # pre-created.  The object is not written to the default loaction
+  # because base::wallet will not over write the configuration file
+  # supplied with the package install.
+  base::wallet { $::fqdn_lc:
+    ensure  => present,
+    type    => 'duo-pam',
+    path    => '/etc/security/pam_duo_su.conf',
+    require => Package['libpam-duo'],
+  }
+}
+
+# Class to override the base::ssh configuration.
+class pam_duo::ssh ( $port ) inherits base::ssh {
+  # TODO: use template for configuring sshd for RHEL as well as
+  # Debian/Ubuntu This probably breaks rhel5 (and 6?)
+  if $::operatingsystem =~ /^(RedHat|CentOS)$/ and $::lsbmajdistrelease < 6 {
+    fail ("pam_duo doesn't support this platform yet.")
+  }
+  Base::Ssh::Config::Sshd['/etc/ssh/sshd_config'] {
+    content => template('pam_duo/etc/ssh/sshd_config_both'),
+  }
+}
--- a/manifests/password.pp
+++ b/manifests/password.pp
@@ -3,9 +3,21 @@
 #  * Allow username/password or GSS-API authentication for normal users.
 #  * Require Duo two step authentication for normal users.
 #  * Require GSS-API for remote root logins without two step.
+#
+# Simple example
+# --------------
+#
+#     class { 'pam_duo::password': }
+#
+# Bastion host example
+# --------------------
+#
+#     class { 'pam_duo::password': port => '22,44' }

-class pam_duo::password {
-  include pam_duo::password::ssh
+class pam_duo::password (
+  $port = ['22', '44']
+) {
+  class { 'pam_duo::password::ssh': port => $port }

  # Variable to make manifest lines more readable, i.e. shorter.
  $etc = 'puppet:///modules/pam_duo/etc'
@@ -25,7 +37,7 @@ class pam_duo::password {
  # authentication.
  file {'/etc/pam.d/sshd':
    ensure => present,
-    source => "$etc/pam.d/sshd_password";
+    source => "$etc/pam.d/sshd_password",
  }

  # Install the duo configuration.  Right now this object must be
@@ -41,8 +53,13 @@ class pam_duo::password {
 }

 # Class to override the base::ssh configuration.
-class pam_duo::password::ssh inherits base::ssh {
+class pam_duo::password::ssh ( $port ) inherits base::ssh {
+  # TODO: use template for configuring sshd for RHEL as well as
+  # Debian/Ubuntu This probably breaks rhel5 (and 6?)
+  if $::operatingsystem =~ /^(RedHat|CentOS)$/ and $::lsbmajdistrelease < 6 {
+    fail ("pam_duo doesn't support this platform yet.")
+  }
  Base::Ssh::Config::Sshd['/etc/ssh/sshd_config'] {
-    source => 'puppet:///modules/pam_duo/etc/ssh/sshd_config_password',
+    content => template('pam_duo/etc/ssh/sshd_config_password'),
  }
 }
--- a/templates/etc/ssh/sshd_config_both
+++ b/templates/etc/ssh/sshd_config_both
+# sshd server configuration file, allowing root.  -*- conf -*-
+#
+# This sshd configuration permits root logins provided that they're done via
+# GSS-API.  It will eventually become the default.  The default configuration
+# values that we don't change are omitted from this file.
+
+# Ports to listen on
+<% [@port].flatten.each do |pt| -%>
+port <%= pt %>
+<% end -%>
+
+# Only support protocol version 2.
+Protocol 2
+
+# Only support RSA keys, not DSA keys.
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# Increase the login grace period from 120 seconds to 300 seconds (5 minutes).
+LoginGraceTime 300
+
+# Prevent attackers from running long password guessing attacks.
+MaxAuthTries 5
+
+# Disable all forms of host-based and public key authentication by default,
+# since we use GSS-API (or passwords).
+IgnoreRhosts yes
+RSAAuthentication no
+PubkeyAuthentication no
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+
+# Allow password authentication via PAM, but not empty passwords.
+ChallengeResponseAuthentication yes
+PasswordAuthentication yes
+UsePAM yes
+PermitEmptyPasswords no
+
+# Enable GSS-API authentication.
+GSSAPIStoreCredentialsOnRekey yes
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+GSSAPIKeyExchange yes
+GSSAPIStrictAcceptorCheck no
+GSSAPIStoreCredentialsOnRekey yes
+
+# Require both GSS-API and PAM.
+KbdInteractiveAuthentication yes
+KerberosAuthentication yes
+AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam password,keyboard-interactive:pam
+
+# Allow root login, but only if no password was used (meaning GSS-API).
+PermitRootLogin without-password
+
+# Allow X forwarding.
+X11Forwarding yes
+X11DisplayOffset 10
+
+# Disable printing of the MOTD, since this is done via other means on Debian.
+PrintMotd no
+
+# Send TCP keep-alive messages to keep the connection open through firewalls
+# and notice connection termination.
+TCPKeepAlive yes
+
+# Enable sftp.
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Allow more sessions
+MaxSessions 20
+
+# Handle root separately
+Match User root
+  AuthenticationMethods gssapi-with-mic
+  MaxSessions 3
+
--- a/files/etc/ssh/sshd_config_gssapi
+++ b/files/etc/ssh/sshd_config_gssapi
@@ -4,8 +4,10 @@
 # GSS-API.  It will eventually become the default.  The default configuration
 # values that we don't change are omitted from this file.

-Port 22
-Port 44
+# Ports to listen on
+<% [@port].flatten.each do |pt| -%>
+port <%= pt %>
+<% end -%>

 # Only support protocol version 2.
 Protocol 2
@@ -46,8 +48,7 @@ KbdInteractiveAuthentication yes
 AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam

 # Allow root login, but only if no password was used (meaning GSS-API).
-PermitRootLogin yes 
-
+PermitRootLogin without-password

 # Allow X forwarding.
 X11Forwarding yes

--- a/files/etc/ssh/sshd_config_password
+++ b/files/etc/ssh/sshd_config_password
@@ -4,8 +4,10 @@
 # GSS-API.  It will eventually become the default.  The default configuration
 # values that we don't change are omitted from this file.

-Port 22
-Port 44
+# Ports to listen on
+<% [@port].flatten.each do |pt| -%>
+port <%= pt %>
+<% end -%>

 # Only support protocol version 2.
 Protocol 2
@@ -47,8 +49,7 @@ AuthenticationMethods keyboard-interactive:pam
 #AuthenticationMethods keyboard-interactive:pam,gssapi-with-mic

 # Allow root login, but only if no password was used (meaning GSS-API).
-PermitRootLogin yes 
-
+PermitRootLogin without-password

 # Allow X forwarding.
 X11Forwarding yes