Closed mboisson closed 5 months ago
Hi, sorry for the delay. Have a couple comments/questions.
1) I'm blocked from merging since our repository requires signed commits.
2) The pam_ssh_user_auth package appears to be RedHat only, and will fail any other distro since it was added to init.pp. Also, putting it there will install it even if the user isn't going to use it.
3) Just double-checking as I've not encountered this syntax yet: $keyonly ? { true => 'set AuthenticationMethods "publickey,keyboard-interactive:pam"', false => 'set AuthenticationMethods "publickey,keyboard-interactive:pam keyboard-interactive:pam,keyboard-interactive:pam"' }
Shorthand if/else? If keyonly, restrict auth to publickey then keyboard. If not, auth can be publickey then keyboard, or keyboard then keyboard again?
Thanks!
Hi, sorry for the delay. Have a couple comments/questions.
- I'm blocked from merging since our repository requires signed commits.
Ok, I can look at signing the commits later this week.
- The pam_ssh_user_auth package appears to be RedHat only, and will fail any other distro since it was added to init.pp. Also, putting it there will install it even if the user isn't going to use it.
Indeed, I do not have access to test on other distros. I am open to suggestions on how to best handle this.
- Just double-checking as I've not encountered this syntax yet: $keyonly ? { true => 'set AuthenticationMethods "publickey,keyboard-interactive:pam"', false => 'set AuthenticationMethods "publickey,keyboard-interactive:pam keyboard-interactive:pam,keyboard-interactive:pam"' }
Shorthand if/else? If keyonly, restrict auth to publickey then keyboard. If not, auth can be publickey then keyboard, or keyboard then keyboard again?
Correct, that is a short-hand if/else. And correct, if keyonly is true, then the two factors are key + keyboard (Duo), otherwise it can be either key + Duo or password + Duo (both of which are keyboard-interactive in this later case).
Thanks!
I signed the commits yesterday. I am still thinking on how to handle the ubuntu vs redhat situation.
Hi @markaddonizio, I had a deeper look at how to implement this for Ubuntu. It seems that CERN's PAM module has only been bundled into RHEL, and would need to be compiled manually for Debian base distributions: https://cern-cert.github.io/pam_2fa/ https://github.com/CERN-CERT/pam_2fa/blob/master/pam_ssh_user_auth.c
Therefore, I suggest to only support this on RedHat. I propose to wrap the various bits of this configuration into if/else or cases based on $facts['os']['family']
like what is done in params.pp
.
That being said, I think that setting usage::pam
is currently broken https://github.com/indiana-university/puppet-duo_unix/issues/37 with the puppet module. I need to that for this configuration to work, but it will also change the behavior on Ubuntu/Debian. Presumably, it will fix the behavior to what it should be, but I cannot test that. Should I fix the broken behavior only for RedHat too ?
I think we're safe to fix the usage::pam for both redhat and ubuntu/debian. You're right, that was a bug on our end, and we never noticed since at least our setup is all ubuntu w/ duo_login (and nobody else reported it as an issue).
Thank you!
Ok, I made the changes to apply only to RedHat and not Debian based distributions. I confirmed it to work on our RHEL-base node.
Do you know if this can be merged now, or if it needs more changes ? if it can be, do you have some ETA ?
What are the steps missing to merge this ?
Hi, sorry about the delay, we keep running into issues trying to run the acceptance tests.
Currently, pdk validate has a few minor formatting complaints. The bigger issue is the unit tests (pdk test unit) are failing.
The main issues seem to be: -pam_config.pp now tries to notify the sshd service, but the service isn't ever added to the catalog. -similar issue in pam_sshd_config.pp, trying to require the RedHat exclusive pam_ssh_user_auth_package, but it's not in the catalog.
I think these are more problems with how puppet runs unit tests rather than the code itself as we expect anyone using this to go through init.pp which would add the relevant packages/services. I can 'solve' these by adding an if (!defined(Package/Service[??]) block.
The last (?) 'big' issue is now that we're adding ExposeAuth yes and the various AuthenticationMethods... on the RedHat family, and the tests are complaining about the additions when it's not expecting them (and not looking for them when it should be... and the keyonly true/false differences).
I have fixes for all of these. I'll get it signed and issue a pull request on your branch, then I think we should be able to get it merged here.
I just noticed from a fresh build that there is a missing dependency. Installing pam_ssh_user_auth
requires the epel yum repository (it works in our environment, but on the second puppet run):
Apr 03 15:33:10 login1.int.archimedes.c3.ca puppet-agent[1016]: (/Stage[main]/Duo_unix::Repo/Yumrepo[duosecurity]/ensure) created
Apr 03 15:33:30 login1.int.archimedes.c3.ca puppet-agent[1016]: (/Stage[main]/Duo_unix/Package[duo_unix]/ensure) created
Apr 03 15:33:31 login1.int.archimedes.c3.ca puppet-agent[1016]: Execution of '/usr/bin/dnf -d 0 -e 1 -y install pam_ssh_user_auth' returned 1: Error: Unable to find a match: pam_ssh_user_auth
Apr 03 15:33:31 login1.int.archimedes.c3.ca puppet-agent[1016]: (/Stage[main]/Duo_unix/Package[pam_ssh_user_auth]/ensure) change from 'purged' to 'present' failed: Execution of '/usr/bin/dnf -d 0 -e 1 -y install pam_ssh_user_auth' returned 1: Error: Unable to find a match: pam_ssh_user_auth
Apr 03 15:33:31 login1.int.archimedes.c3.ca puppet-agent[1016]: (/Stage[main]/Duo_unix::Pam_ssh_config/Augeas[Duo Security SSH Configuration]) Dependency Package[pam_ssh_user_auth] has failures: true
Apr 03 15:33:31 login1.int.archimedes.c3.ca puppet-agent[1016]: (/Stage[main]/Duo_unix::Pam_ssh_config/Augeas[Duo Security SSH Configuration]) Skipping because of failed dependencies
Apr 03 15:33:33 login1.int.archimedes.c3.ca puppet-agent[1016]: (/Stage[main]/Duo_unix::Pam_config/Augeas[Duo Security PAM Configuration]/returns) executed successfully
Apr 03 15:33:33 login1.int.archimedes.c3.ca puppet-agent[1016]: (/Stage[main]/Duo_unix/File[/etc/duo/pam_duo.conf]/content) content changed '{sha256}9e86bf796cce49d0f8ee5dc6630f23282f07945659f58986b973a95f47be4a93' to '{sha256}dac57de8a59bb3a29483533533b99b5ac0428345c98da24129c1e09ea090fa64'
Apr 03 15:33:33 login1.int.archimedes.c3.ca puppet-agent[1016]: (/Stage[main]/Epel/Epel::Rpm_gpg_key[EPEL-8]/Exec[import-EPEL-8]/returns) executed successfully
Apr 03 15:33:33 login1.int.archimedes.c3.ca puppet-agent[1016]: (/Stage[main]/Epel/Yumrepo[epel]/ensure) created
This can be fixed either within the Duo_Unix puppet repository itself, or rely on some local documentation. Any preference ?
I can add a
require => Yumrepo['epel']
to the pam_ssh_user_auth
package
Yup, we're good with the 'require' fix. Thanks!
Yup, we're good with the 'require' fix. Thanks!
done
This is my attempt at fixing #35 I unfortunately do not have a way to test for Debian, but this works on RHEL8.