indiana-university / puppet-duo_unix

The duo_unix module handles the deployment of duo_unix (login_duo or pam_duo) across a range of Linux distributions.
BSD 3-Clause "New" or "Revised" License

Setting ForceCommand in the global settings of sshd_config file does not consider chroot users #27

Closed oletos7j closed 2 years ago

oletos7j commented 2 years ago

It is more flexible for the ForceCommand line to be inside a "match" block, whether group or user. Using this match block would apply to all users:

    Match Group *
        ForceCommand /usr/sbin/login_duo
        PermitTunnel no

Using this method, you can specify which groups or users should not be forced to go through Duo 2FA (following a ! character). We tried to use the "groups" option in the login_duo.conf file but it fails for special users with a chroot directory. This is because the groups restriction in login_duo happens after sshd runs the force_command.

Can line 15 be removed from the ssh_config.pp? https://github.com/indiana-university/puppet-duo_unix/blob/a8dbd4ff9ba4ea84f432942a79e2821c113a0b63/manifests/ssh_config.pp#L15
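
As an added example (not code from the puppet-duo_unix module or from the issue author), the following Python script models how sshd decides which ForceCommand a login gets, so the module's global ForceCommand can be compared with the Match Group variant proposed above. The accounts (alice, backup-sftp), the sftponly group, the chroot path and both sshd_config fragments are constructed for the demonstration; the matching rules follow sshd_config(5) and OpenSSH's match_pattern_list()/ga_match_pattern_list(): Match values override the global section, the first satisfied Match block to set a keyword wins, and a negated group pattern such as !sftponly wins over any positive match on the user's other groups.

```python
"""Model of sshd ForceCommand selection: global section vs. Match Group blocks.

Added example, not part of puppet-duo_unix. Accounts, groups, paths and both
config fragments below are constructed for the demo.
"""
import re

# Constructed accounts: user -> primary and supplementary groups.
CONSTRUCTED_ACCOUNTS = {
    "alice": ["alice", "users", "wheel"],
    "backup-sftp": ["backup-sftp", "users", "sftponly"],
}

# Constructed config 1: ForceCommand in the global section (what the module
# writes). It applies to every login, chroot SFTP accounts included.
MODULE_CONFIG = """\
ForceCommand /usr/sbin/login_duo
PermitTunnel no
Match Group sftponly
    ChrootDirectory /srv/chroot/%u
"""

# Constructed config 2: ForceCommand inside a Match block, members of the
# chroot group excluded with a negated pattern.
MATCH_CONFIG = """\
Match Group sftponly
    ChrootDirectory /srv/chroot/%u
Match Group *,!sftponly
    ForceCommand /usr/sbin/login_duo
    PermitTunnel no
"""


def _glob(pattern, text):
    """sshd-style pattern match: only '*' and '?' are wildcards."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text) is not None


def match_pattern_list(text, pattern_list):
    """OpenSSH match_pattern_list(): -1 negated match, 1 positive match, 0 none."""
    got_positive = 0
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if _glob(pat.lstrip("!"), text):
            if negated:
                return -1  # a negated match ends the search immediately
            got_positive = 1
    return got_positive


def group_matches(groups, pattern_list):
    """OpenSSH ga_match_pattern_list(): a negated match on ANY group wins."""
    found = False
    for g in groups:
        r = match_pattern_list(g, pattern_list)
        if r == -1:
            return False
        if r == 1:
            found = True
    return found


def parse_config(text):
    """Split sshd_config into global (key, value) pairs and Match blocks."""
    global_lines, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key.lower() == "match":
            toks = rest.split()
            current = (list(zip(toks[::2], toks[1::2])), [])
            blocks.append(current)
        elif current is None:
            global_lines.append((key, rest))
        else:
            current[1].append((key, rest))
    return global_lines, blocks


def criteria_satisfied(criteria, user, groups):
    """All criteria on a Match line must hold (only User and Group modelled)."""
    for crit, pat in criteria:
        c = crit.lower()
        if c == "user":
            ok = match_pattern_list(user, pat) == 1
        elif c == "group":
            ok = group_matches(groups, pat)
        else:
            raise ValueError(f"unsupported Match criterion {crit}")
        if not ok:
            return False
    return True


def effective_options(text, user, groups):
    """Options sshd applies to this login: Match values override the global
    section; among satisfied Match blocks the first to set a keyword wins."""
    global_lines, blocks = parse_config(text)
    opts = {}
    for key, val in global_lines:
        opts.setdefault(key.lower(), val)  # first obtained value wins
    match_opts = {}
    for criteria, lines in blocks:
        if criteria_satisfied(criteria, user, groups):
            for key, val in lines:
                match_opts.setdefault(key.lower(), val)
    opts.update(match_opts)
    return opts


def force_command(text, user):
    """ForceCommand a constructed account would get under the given config."""
    return effective_options(text, user, CONSTRUCTED_ACCOUNTS[user]).get("forcecommand")


if __name__ == "__main__":
    for name, cfg in (("global", MODULE_CONFIG), ("match", MATCH_CONFIG)):
        for user in CONSTRUCTED_ACCOUNTS:
            print(f"{name:6} {user:12} ForceCommand={force_command(cfg, user)}")
```

Under MODULE_CONFIG both accounts get /usr/sbin/login_duo, the chrooted backup-sftp included; under MATCH_CONFIG alice still gets it while backup-sftp gets none, because the negated sftponly pattern rejects the whole group list even though the account's other groups match *. The same model also covers the other way sshd_config(5) allows the chroot group to escape the global command: a Match block for that group that sets its own ForceCommand (for example internal-sftp) overrides the global value for those logins only.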

oletos7j commented 2 years ago

I recently discovered that setting the "manage_ssh" parameter to False effectively addresses my problem and does not enforce the contents of the ssh_config.pp file.