It is more flexible for the ForceCommand line to be inside a "match" block, whether group or user. Using this match block would apply to all users:
    Match Group *
        ForceCommand /usr/sbin/login_duo
        PermitTunnel no
Using this method, you can specify which groups or users should not be forced to go through Duo 2FA (following a ! character). We tried to use the "groups" option in the login_duo.conf file but it fails for special users with a chroot directory. This is because the groups restriction in login_duo happens after sshd runs the force_command.
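As an added example (not part of this thread and not code from the puppet-duo_unix module), this is what the sshd_config arrangement described above looks like when the exemptions are done at the sshd level instead of with the "groups" option in login_duo.conf. The group names duo-exempt and sftponly and the chroot path /srv/sftp/%u are assumed placeholders; the "!" negation in the Match pattern list is standard sshd_config syntax.

```text
# /etc/ssh/sshd_config (added example; group names and paths are assumed)

# Global keywords stay above the first Match block. The sftp subsystem must be
# global so it is still available to the chrooted accounts matched below.
Subsystem sftp internal-sftp

# Chrooted sftp-only accounts are matched first and kept away from Duo here.
# If ForceCommand /usr/sbin/login_duo applied to them, sshd would run it inside
# the chroot, where that binary and login_duo.conf are not present, which is why
# the "groups" restriction in login_duo.conf cannot exempt these users.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PermitTunnel no
    AllowTcpForwarding no
    X11Forwarding no

# Everyone else goes through Duo. The pattern list uses "!" negation: the block
# applies to members of any group except duo-exempt and sftponly.
Match Group *,!duo-exempt,!sftponly
    ForceCommand /usr/sbin/login_duo
    PermitTunnel no
```

Because sshd keeps the first value it obtains for each keyword, ordering matters: the sftponly block comes before the catch-all so its ForceCommand wins even if the negation were ever removed. After editing, `sshd -t` checks the syntax, and `sshd -T -C user=alice,host=client.example.com,addr=192.0.2.10 | grep -i forcecommand` shows the effective ForceCommand for a given user and source address (both placeholders) without needing a real login.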
I recently discovered that setting the "manage_ssh" parameter to False effectively addresses my problem and does not enforce the contents of the ssh_config.pp file.
Can line 15 be removed from the ssh_config.pp? https://github.com/indiana-university/puppet-duo_unix/blob/a8dbd4ff9ba4ea84f432942a79e2821c113a0b63/manifests/ssh_config.pp#L15