ComputeCanada / puppet-magic_castle

Puppet Environment repo for Magic Castle - https://github.com/ComputeCanada/magic_castle
MIT License
13 stars, 21 forks

Supporting MFA with Duo #307

Open mboisson opened 10 months ago

mboisson commented 10 months ago

Again, for an internal project, we require using Duo.

cmd-ntrf commented 10 months ago

This should already be possible. The documentation to that effect might be a bit lacking.

To enable Duo, you have to install the Indiana University Puppet module for Duo using the puppetfile variable in the main.tf: https://github.com/ComputeCanada/magic_castle/tree/main/docs#419-puppetfile-optional

puppetfile = "mod 'iu-duo_unix', '4.0.1'"

Then in your hieradata file, you can define the duo config:

duo_unix::usage: 'login'
duo_unix::ikey: 'your integration key'
duo_unix::skey: 'your secret key'
duo_unix::host: 'api-yourhost.duosecurity.com'
duo_unix::motd: 'yes'

In your hieradata YAML file, you should define a new tag that will identify which instances require MFA:

magic_castle::site::tags:
  mfa:
    - duo_unix

Then finally, add that tag to your login instance for example:

login    = { type = "p2-4gb",     count = 1, tags = ["login", "public", "mfa"] },

mboisson commented 10 months ago

Thanks. I will test and eventually open a PR for documentation.

mboisson commented 10 months ago

I added mod 'iu-duo_unix', '4.0.1' to /etc/puppetlabs/code/environments/production/Puppetfile since it has no post-build effect, but I still get

puppet-agent[22401]: Starting Puppet client version 7.27.0
puppet-agent[22403]: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Could not find class ::duo_unix for login1 (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 20, column: 3) on node login1
puppet-agent[22403]: Applied catalog in 4.00 seconds

Does anything else need to be done?

mboisson commented 10 months ago

Ok, I had to manually install it with puppet module install iu-duo_unix --ignore-dependencies
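
The catalog error above comes from editing the Puppetfile on a running host: a `mod` line is only a declaration, and nothing reads it until r10k or `puppet module install` runs, so the agent still cannot find `::duo_unix`. The following check is an added example, not Magic Castle's or Puppet's own code; it compares the Puppetfile's pins against the `metadata.json` of each module actually present under the environment's `modules/` directory. The sample environment it builds (a Puppetfile with two entries, only one of them installed) is constructed.

```python
"""Cross-check a Puppetfile against the modules actually installed in the
environment.  Added example, not Magic Castle code: adding a `mod` line to the
production Puppetfile on a running cluster installs nothing by itself, and the
agent then fails with "Could not find class ::duo_unix".  This reports such
gaps before the next agent run."""
import json
import re
from pathlib import Path
from typing import Dict, Optional

# Forge-style entries:  mod 'author-module', '1.2.3'  or  mod 'author-module'
# Anything after the name that is not a quoted version (e.g. :git => ...) is
# treated as "no pin".
MOD_LINE = re.compile(
    r"""^\s*mod\s+['"]([A-Za-z0-9_]+-[A-Za-z0-9_]+)['"]\s*(?:,\s*['"]([^'"]+)['"])?"""
)


def parse_puppetfile(text: str) -> Dict[str, Optional[str]]:
    """Return {forge name: pinned version or None} for each mod line."""
    wanted: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = MOD_LINE.match(line)
        if m:
            wanted[m.group(1)] = m.group(2)
    return wanted


def installed_modules(modules_dir: Path) -> Dict[str, str]:
    """Return {forge name: version} from each <module>/metadata.json.
    metadata.json spells the name either author-module or author/module."""
    found: Dict[str, str] = {}
    for meta in sorted(modules_dir.glob("*/metadata.json")):
        data = json.loads(meta.read_text())
        found[data["name"].replace("/", "-")] = data["version"]
    return found


def compare(wanted: Dict[str, Optional[str]], installed: Dict[str, str]) -> Dict[str, str]:
    """Return {forge name: problem} for modules that are absent or whose
    installed version differs from the pin.  Unpinned modules only need to exist."""
    problems: Dict[str, str] = {}
    for name, pin in wanted.items():
        if name not in installed:
            problems[name] = "not installed"
        elif pin is not None and installed[name] != pin:
            problems[name] = f"pinned {pin} but {installed[name]} installed"
    return problems


def check_environment(env_dir: Path) -> Dict[str, str]:
    """Glue for a real environment, e.g.
    check_environment(Path('/etc/puppetlabs/code/environments/production'))."""
    wanted = parse_puppetfile((env_dir / "Puppetfile").read_text())
    return compare(wanted, installed_modules(env_dir / "modules"))


if __name__ == "__main__":
    import tempfile

    # Constructed environment: the Puppetfile pins iu-duo_unix but only a
    # stdlib module is installed, mirroring the state behind the catalog error.
    with tempfile.TemporaryDirectory() as tmp:
        env = Path(tmp)
        (env / "Puppetfile").write_text(
            "mod 'puppetlabs-stdlib', '9.0.0'\nmod 'iu-duo_unix', '4.0.1'\n"
        )
        stdlib = env / "modules" / "stdlib"
        stdlib.mkdir(parents=True)
        (stdlib / "metadata.json").write_text(
            json.dumps({"name": "puppetlabs-stdlib", "version": "9.0.0"})
        )
        for name, problem in check_environment(env).items():
            print(f"{name}: {problem}")
```

Running it against the production environment right after editing the Puppetfile would have printed `iu-duo_unix: not installed`, which is the condition `puppet module install iu-duo_unix --ignore-dependencies` fixed.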

mboisson commented 10 months ago

For the list of all the undocumented parameters of the duo_unix module: https://github.com/indiana-university/puppet-duo_unix/blob/master/manifests/init.pp#L118

(in particular, I needed to use the groups parameter)

mboisson commented 10 months ago

After some testing, this does not work... usage: 'pam' does not work and 'login' is problematic. We will need to configure /etc/pam.d/sshd and sshd_config better.

cmd-ntrf commented 10 months ago

We were missing three things:

This CERN page on pam_ssh_user_auth put me on the right track: https://cern-cert.github.io/pam_2fa/

mboisson commented 10 months ago

Issue in iu-duo_unix https://github.com/indiana-university/puppet-duo_unix/issues/35

mboisson commented 9 months ago

Deploying MFA also requires some adjustment for the CentOS account in sshd_config (or in /etc/ssh/sshd_config.d plus adding Include /etc/ssh/sshd_config.d/*.conf to sshd_config), otherwise it breaks Terraform's own SSH connections: https://github.com/hashicorp/terraform/issues/16032#issuecomment-420435993
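
The two sshd-side problems in this thread (needing to configure /etc/pam.d/sshd and sshd_config for Duo, and MFA then locking out Terraform's key-only session as the CentOS account) both come down to what `AuthenticationMethods` sshd resolves to for a given user once Include and Match blocks are applied. The check below is an added example, not Magic Castle's, Duo's or the CERN page's code. It assumes the usual OpenSSH pattern for SSH MFA, `AuthenticationMethods publickey,keyboard-interactive:pam` with a `Match User` exemption for the provisioning account, that this account is literally `centos`, and that the second factor is presented through PAM; the three sample configurations are constructed to reproduce the failure modes the thread describes.

```python
"""Resolve which AuthenticationMethods sshd applies to a given user, taking
Include and Match blocks into account, and flag two failure modes: MFA applied
to the provisioning account (Terraform breaks), and a drop-in under
sshd_config.d that the base config never Includes (MFA silently off).  Added
example with constructed configs; the account name 'centos' and the
publickey,keyboard-interactive:pam pattern are assumptions."""
import fnmatch
from typing import Dict, List, Optional, Tuple

# (keyword lower-cased, value, user patterns of the enclosing Match block, or
# None for the global section)
Directive = Tuple[str, str, Optional[List[str]]]


def load(files: Dict[str, str], path: str = "/etc/ssh/sshd_config") -> List[Directive]:
    """Flatten `path` plus everything it Includes into one ordered list.
    `files` maps path -> content and stands in for the filesystem.  Included
    files are spliced in at the Include line in lexical order, as sshd does.
    Only `Match User ...` and `Match All` are modelled, and a Match block in an
    included file is scoped to that file in this model."""
    directives: List[Directive] = []
    match_users: Optional[List[str]] = None
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            criteria = value.split()
            if [c.lower() for c in criteria] == ["all"]:
                match_users = ["*"]
            elif len(criteria) == 2 and criteria[0].lower() == "user":
                match_users = criteria[1].split(",")
            else:
                raise ValueError(f"unsupported Match criteria in {path}: {value}")
        elif keyword == "include":
            if match_users is not None:
                raise ValueError("Include inside a Match block is not modelled")
            for pattern in value.split():
                for included in sorted(fnmatch.filter(files, pattern)):
                    directives.extend(load(files, included))
        else:
            directives.append((keyword, value, match_users))
    return directives


def effective_value(directives: List[Directive], keyword: str, user: str) -> Optional[str]:
    """sshd semantics: a value from a satisfied Match block overrides the
    global section, and among candidates the first one obtained wins."""
    keyword = keyword.lower()
    for kw, value, users in directives:
        if kw == keyword and users is not None and any(fnmatch.fnmatchcase(user, u) for u in users):
            return value
    for kw, value, users in directives:
        if kw == keyword and users is None:
            return value
    return None


def audit_mfa(files: Dict[str, str], interactive_user: str = "alice",
              provisioning_user: str = "centos") -> Dict[str, object]:
    directives = load(files)
    interactive = effective_value(directives, "AuthenticationMethods", interactive_user) or ""
    provisioning = effective_value(directives, "AuthenticationMethods", provisioning_user) or ""
    return {
        "interactive_methods": interactive,
        "provisioning_methods": provisioning,
        # Duo is only enforced if a PAM keyboard-interactive step is required ...
        "mfa_enforced": "keyboard-interactive" in interactive,
        # ... and Terraform's key-only session must never be asked for a push.
        "terraform_ok": "keyboard-interactive" not in provisioning,
    }


# Constructed sample configurations (not taken from any real host).
STOCK = """\
# Base sshd_config with no Include line: drop-ins in sshd_config.d/ are never read.
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""
MFA_DROPIN = """\
# Key plus a second factor through PAM (Duo) for everyone ...
AuthenticationMethods publickey,keyboard-interactive:pam
# ... except the account Terraform connects as (assumed to be 'centos').
Match User centos
    AuthenticationMethods publickey
"""
# 1. MFA pasted straight into sshd_config with no exemption: Terraform breaks.
MFA_FOR_EVERYONE = {"/etc/ssh/sshd_config": STOCK + "AuthenticationMethods publickey,keyboard-interactive:pam\n"}
# 2. Drop-in written but the base config never Includes it: MFA silently off.
DROPIN_IGNORED = {"/etc/ssh/sshd_config": STOCK, "/etc/ssh/sshd_config.d/50-mfa.conf": MFA_DROPIN}
# 3. Include added, drop-in read, provisioning account exempted.
FIXED = {"/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\n" + STOCK,
         "/etc/ssh/sshd_config.d/50-mfa.conf": MFA_DROPIN}

if __name__ == "__main__":
    for name, files in [("mfa for everyone", MFA_FOR_EVERYONE),
                        ("drop-in ignored", DROPIN_IGNORED), ("fixed", FIXED)]:
        print(name, audit_mfa(files))
```

On a live host the same answer comes from `sshd -T -C user=centos,host=login1,addr=127.0.0.1 | grep -i authenticationmethods`, which evaluates Match blocks for that user; the point of the offline version is that it can run against the Puppet-rendered files before they are deployed.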