From 19098319bc7bbc20d777b8af60b46908b6aac948 Mon Sep 17 00:00:00 2001 From: Ryan Schwartz Date: Tue, 4 Aug 2015 14:08:38 -0500 Subject: [PATCH 1/6] inherit duo_unix class for params in template --- manifests/login.pp | 2 +- manifests/pam.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/login.pp b/manifests/login.pp index 2c458d9..0ba6ca0 100644 --- a/manifests/login.pp +++ b/manifests/login.pp @@ -6,7 +6,7 @@ # # Mark Stanislav # -class duo_unix::login { +class duo_unix::login inherits duo_unix { file { '/etc/duo/login_duo.conf': ensure => present, diff --git a/manifests/pam.pp b/manifests/pam.pp index e93feaa..b8a09b2 100644 --- a/manifests/pam.pp +++ b/manifests/pam.pp @@ -6,7 +6,7 @@ # # Mark Stanislav # -class duo_unix::pam { +class duo_unix::pam inherits duo_unix { $aug_pam_path = "/files${duo_unix::pam_file}" $aug_match = "${aug_pam_path}/*/module[. = '${duo_unix::pam_module}']" From 941610fa2019b7ad0b9353b049204b5069b0e6a0 Mon Sep 17 00:00:00 2001 From: Michael Porter Date: Wed, 30 Sep 2015 13:41:40 -0400 Subject: [PATCH 2/6] Make repo management optional --- README.md | 6 +++++- manifests/apt.pp | 43 ++++++++++++++++++++++--------------------- manifests/init.pp | 1 + manifests/yum.pp | 17 ++++++++++------- 4 files changed, 38 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index ace58d8..f5889bf 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,11 @@ Configures usage of the http_proxy environment variable. There is not default for this setting. ####`manage_ssh [optional]` -Configures whether or not to allow the module to manage the SSH service/package. +Configures whether or not to allow the module to manage the SSH service/package. +The default is *true*. + +####`manage_repo [optional]` +Configures whether or not to allow the module to add/manage the apt/yum repository. The default is *true*. ####`pam_unix_control [optional]` 
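Review bot: The `inherits duo_unix` added to `duo_unix::login` is not explained in the manifest, and the same clause is added to `duo_unix::pam` in the next hunk. There the two visible lines already read the parent's values by qualified name (`${duo_unix::pam_file}`, `${duo_unix::pam_module}`). Only the subject line says the inheritance exists so templates can see the parameters, so a comment above each class line would keep it from being removed later, e.g. `# inherits duo_unix so the ERB templates can read its parameters`. Inheriting from a parameterized class also means that declaring either subclass on its own evaluates `duo_unix` with its default parameters, which is worth stating in the header comment. Both class bodies continue outside the hunks.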
diff --git a/manifests/apt.pp b/manifests/apt.pp index a530060..38a586e 100644 --- a/manifests/apt.pp +++ b/manifests/apt.pp @@ -18,30 +18,31 @@ } package { $duo_unix::duo_package: - ensure => $package_state, - require => [ - File[$repo_file], - Exec['Duo Security GPG Import'], - Exec['duo-security-apt-update'] - ] + ensure => $package_state } - file { $repo_file: - owner => 'root', - group => 'root', - mode => '0644', - content => "deb ${repo_uri}/${::operatingsystem} ${::lsbdistcodename} main", - notify => Exec['duo-security-apt-update'] - } + if $duo_unix::manage_repo { + file { $repo_file: + owner => 'root', + group => 'root', + mode => '0644', + content => "deb ${repo_uri}/${::operatingsystem} ${::lsbdistcodename} main", + notify => Exec['duo-security-apt-update'], + before => Package[$duo_unix::duo_package] + } - exec { 'duo-security-apt-update': - command => '/usr/bin/apt-get update', - refreshonly => true - } + exec { 'duo-security-apt-update': + command => '/usr/bin/apt-get update', + refreshonly => true, + require => File[$repo_file], + before => Package[$duo_unix::duo_package] + } - exec { 'Duo Security GPG Import': - command => '/usr/bin/apt-key add /etc/apt/DEB-GPG-KEY-DUO', - unless => '/usr/bin/apt-key list | grep "Duo Security"', - notify => Exec['duo-security-apt-update'] + exec { 'Duo Security GPG Import': + command => '/usr/bin/apt-key add /etc/apt/DEB-GPG-KEY-DUO', + unless => '/usr/bin/apt-key list | grep "Duo Security"', + notify => Exec['duo-security-apt-update'], + before => Package[$duo_unix::duo_package] + } } } diff --git a/manifests/init.pp b/manifests/init.pp index 0d21b5e..918bd6b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -20,6 +20,7 @@ $prompts = '3', $accept_env_factor = 'no', $manage_ssh = true, + $manage_repo = true, $pam_unix_control = 'requisite', $package_version = 'installed', ) { diff --git a/manifests/yum.pp b/manifests/yum.pp index 2e53bd7..b1f4d45 100644 --- a/manifests/yum.pp +++ b/manifests/yum.pp 
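Review bot: The `unless` guard on `Exec['Duo Security GPG Import']` treats the signing key as already trusted when `apt-key list` contains the text "Duo Security". Any key in the keyring whose user ID contains that string satisfies it, and the expected key itself is never checked. Matching the fingerprint is stricter, e.g. `unless => '/usr/bin/apt-key finger | grep -q "<EXPECTED_KEY_FINGERPRINT>"'`, with the placeholder replaced by the published fingerprint in the format `apt-key finger` prints. The hunk also moves this import inside `if $duo_unix::manage_repo`, so with `manage_repo => false` the package comes from whatever repository and key the host already trusts; the README entry for `manage_repo` should say that the key import is skipped too. The enclosing class starts outside the hunk, and the same hunk is repeated in PATCH 6/6.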
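Review bot: `$manage_repo = true` is consumed as a plain truth test in `apt.pp` and `yum.pp`, and nothing in this hunk checks its type. A non-empty string such as `'false'` arriving from Hiera or an ENC is truthy and leaves repository management switched on. If puppetlabs-stdlib is available to this module (not visible here), `validate_bool($manage_repo)` at the top of the class body rejects that input. The same applies to `$manage_pam` added in PATCH 3/6, where the consequence is that the PAM stack is still edited after an operator believes they opted out, and to the repeated `$manage_repo` hunk in PATCH 6/6. The parameter list and class body extend beyond the hunk.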
@@ -26,12 +26,15 @@ $releasever = '$releasever' } - yumrepo { 'duosecurity': - descr => 'Duo Security Repository', - baseurl => "${repo_uri}/${os}/${releasever}/\$basearch", - gpgcheck => '1', - enabled => '1', - require => File['/etc/pki/rpm-gpg/RPM-GPG-KEY-DUO']; + if $duo_unix::manage_repo { + yumrepo { 'duosecurity': + descr => 'Duo Security Repository', + baseurl => "${repo_uri}/${os}/${releasever}/\$basearch", + gpgcheck => '1', + enabled => '1', + require => File['/etc/pki/rpm-gpg/RPM-GPG-KEY-DUO'], + before => Package[$duo_unix::duo_package]; + } } if $duo_unix::manage_ssh { @@ -42,7 +45,7 @@ package { $duo_unix::duo_package: ensure => $package_state, - require => [ Yumrepo['duosecurity'], Exec['Duo Security GPG Import'] ]; + require => [ Exec['Duo Security GPG Import'] ]; } exec { 'Duo Security GPG Import': From d3356771d29cb1a5e8e081c554e6ed1b9089db1f Mon Sep 17 00:00:00 2001 From: Jonathon Anderson Date: Fri, 18 Dec 2015 15:21:08 -0700 Subject: [PATCH 3/6] Add manage_pam configuration parameter We want to use duo_unix to configure and install duo itself, but we want to configure the actual pam stack manually. Setting manage_pam => false prevents the module from editing password-auth or other pam files. --- README.md | 4 ++++ manifests/init.pp | 1 + manifests/pam.pp | 49 ++++++++++++++++++++++++----------------------- 3 files changed, 30 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index dfb3eac..b952e58 100644 --- a/README.md +++ b/README.md @@ -114,6 +114,10 @@ for this setting. Configures whether or not to allow the module to manage the SSH service/package. The default is *true*. +####`manage_pam [optinal]` +Configures whether or not to allow the module to manage the system PAM configuration. +The default is *true*. + ####`pam_unix_control [optional]` Configures the PAM control value for pam_duo. The default is *requisite*. diff --git a/manifests/init.pp b/manifests/init.pp index 0d21b5e..61104e4 100644 --- a/manifests/init.pp 
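Review bot: In the second `manifests/yum.pp` hunk the package still requires `Exec['Duo Security GPG Import']` unconditionally, so on yum-based hosts the key import stays managed with `manage_repo => false`. The `manifests/apt.pp` hunk of this patch instead moves the import inside `if $duo_unix::manage_repo`. Either behaviour is defensible, but the two platforms should agree, and the README should state whether the operator is responsible for establishing trust in the signing key. If keeping the import is intended, a comment above the `package` resource such as `# the signing key is imported even when manage_repo is false` would record that. The exec body lies outside the hunk, and the same hunk is repeated in PATCH 6/6.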
+++ b/manifests/init.pp @@ -20,6 +20,7 @@ $prompts = '3', $accept_env_factor = 'no', $manage_ssh = true, + $manage_pam = true, $pam_unix_control = 'requisite', $package_version = 'installed', ) { diff --git a/manifests/pam.pp b/manifests/pam.pp index e93feaa..99af671 100644 --- a/manifests/pam.pp +++ b/manifests/pam.pp 
@@ -31,31 +31,32 @@ } } - if $::osfamily == 'RedHat' { - augeas { 'PAM Configuration': - changes => [ - "set ${aug_pam_path}/2/control ${duo_unix::pam_unix_control}", - "ins 100 after ${aug_pam_path}/2", - "set ${aug_pam_path}/100/type auth", - "set ${aug_pam_path}/100/control sufficient", - "set ${aug_pam_path}/100/module ${duo_unix::pam_module}" - ], - require => Package[$duo_unix::duo_package], - onlyif => "match ${aug_match} size == 0"; - } + if $duo_unix::manage_pam { + if $::osfamily == 'RedHat' { + augeas { 'PAM Configuration': + changes => [ + "set ${aug_pam_path}/2/control ${duo_unix::pam_unix_control}", + "ins 100 after ${aug_pam_path}/2", + "set ${aug_pam_path}/100/type auth", + "set ${aug_pam_path}/100/control sufficient", + "set ${aug_pam_path}/100/module ${duo_unix::pam_module}" + ], + require => Package[$duo_unix::duo_package], + onlyif => "match ${aug_match} size == 0"; + } - } else { - augeas { 'PAM Configuration': - changes => [ - "set ${aug_pam_path}/1/control ${duo_unix::pam_unix_control}", - "ins 100 after ${aug_pam_path}/1", - "set ${aug_pam_path}/100/type auth", - "set ${aug_pam_path}/100/control '[success=1 default=ignore]'", - "set ${aug_pam_path}/100/module ${duo_unix::pam_module}" - ], - require => Package[$duo_unix::duo_package], - onlyif => "match ${aug_match} size == 0"; + } else { + augeas { 'PAM Configuration': + changes => [ + "set ${aug_pam_path}/1/control ${duo_unix::pam_unix_control}", + "ins 100 after ${aug_pam_path}/1", + "set ${aug_pam_path}/100/type auth", + "set ${aug_pam_path}/100/control '[success=1 default=ignore]'", + "set ${aug_pam_path}/100/module ${duo_unix::pam_module}" + ], + require => Package[$duo_unix::duo_package], + onlyif => "match ${aug_match} size == 0"; + } } } - } From 889e2f6e222a6b4728c75f973fc23eb9b94b2c2d Mon Sep 17 00:00:00 2001 From: Matt Schwager Date: Tue, 23 Feb 2016 16:12:16 -0500 Subject: [PATCH 4/6] Bumping to version 0.3.3 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
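Review bot: Both `augeas { 'PAM Configuration': }` resources now nested under `if $duo_unix::manage_pam` address the PAM stack by position (`${aug_pam_path}/2` on RedHat, `${aug_pam_path}/1` elsewhere). On a host whose file is ordered differently, the first `set` changes the control flag of whatever entry sits at that index and pam_duo is inserted after it. Selecting the entry by module ties the change to pam_unix, e.g. `"set ${aug_pam_path}/*[type = 'auth'][module = 'pam_unix.so']/control ${duo_unix::pam_unix_control}"`; the expression should be confirmed with `augtool` against the target files and narrowed if pam_unix appears more than once. The `onlyif` guard only tests that a pam_duo entry exists, so later drift in its control value or position is not corrected on subsequent runs. The README entry for `manage_pam` should also say that with `false` the module never adds pam_duo to the stack. The class body starts outside the hunk.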
diff --git a/metadata.json b/metadata.json index 1498a3b..b6d673a 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "duosecurity-duo_unix", - "version": "0.3.2", + "version": "0.3.3", "author": "Duo Security", "summary": "Installs, configures, and manages Duo Unix.", "license": "GPL-2.0", From 77b1a5d97650563b1f20ea5399b1b749cd0b75a7 Mon Sep 17 00:00:00 2001 From: Michael Hess Date: Tue, 13 Sep 2016 13:04:54 -0400 Subject: [PATCH 5/6] Update duo.conf.erb Per https://duo.com/docs/duounix this is groups not group --- templates/duo.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/duo.conf.erb b/templates/duo.conf.erb index 68c0503..63df6a1 100644 --- a/templates/duo.conf.erb +++ b/templates/duo.conf.erb @@ -33,7 +33,7 @@ motd=<%= @motd %> <% if @group != '' -%> ; Group restriction -group=<%= @group %> +groups=<%= @group %> <% end -%> <% if @http_proxy != '' -%> From ec8a9770c387c304a35b3ae08e677a8c2c5e7040 Mon Sep 17 00:00:00 2001 From: Michael Porter Date: Wed, 30 Sep 2015 13:41:40 -0400 Subject: [PATCH 6/6] Make repo management optional --- README.md | 6 +++++- manifests/apt.pp | 43 ++++++++++++++++++++++--------------------- manifests/init.pp | 1 + manifests/yum.pp | 17 ++++++++++------- 4 files changed, 38 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index b952e58..45f0216 100644 --- a/README.md +++ b/README.md @@ -111,7 +111,11 @@ Configures usage of the http_proxy environment variable. There is not default for this setting. ####`manage_ssh [optional]` -Configures whether or not to allow the module to manage the SSH service/package. +Configures whether or not to allow the module to manage the SSH service/package. +The default is *true*. + +####`manage_repo [optional]` +Configures whether or not to allow the module to add/manage the apt/yum repository. The default is *true*. ####`manage_pam [optinal]` diff --git a/manifests/apt.pp b/manifests/apt.pp index a530060..38a586e 100644 
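Review bot: The guard above the renamed key in `templates/duo.conf.erb`, `<% if @group != '' -%>`, is also true when `@group` is undef rather than the empty string, in which case the template writes a `groups=` line with no usable value. This setting scopes which accounts are subject to Duo authentication, and how an empty or literal-undef value is interpreted is not visible here, so it is safer not to emit the line at all: `<% if @group and @group != '' -%>`. The comment `; Group restriction` and the parameter name remain singular while the rendered key is now `groups`; a README sentence saying that the `group` parameter is written out as `groups` would avoid confusion. The rest of the template is outside the hunk.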
--- a/manifests/apt.pp +++ b/manifests/apt.pp @@ -18,30 +18,31 @@ } package { $duo_unix::duo_package: - ensure => $package_state, - require => [ - File[$repo_file], - Exec['Duo Security GPG Import'], - Exec['duo-security-apt-update'] - ] + ensure => $package_state } - file { $repo_file: - owner => 'root', - group => 'root', - mode => '0644', - content => "deb ${repo_uri}/${::operatingsystem} ${::lsbdistcodename} main", - notify => Exec['duo-security-apt-update'] - } + if $duo_unix::manage_repo { + file { $repo_file: + owner => 'root', + group => 'root', + mode => '0644', + content => "deb ${repo_uri}/${::operatingsystem} ${::lsbdistcodename} main", + notify => Exec['duo-security-apt-update'], + before => Package[$duo_unix::duo_package] + } - exec { 'duo-security-apt-update': - command => '/usr/bin/apt-get update', - refreshonly => true - } + exec { 'duo-security-apt-update': + command => '/usr/bin/apt-get update', + refreshonly => true, + require => File[$repo_file], + before => Package[$duo_unix::duo_package] + } - exec { 'Duo Security GPG Import': - command => '/usr/bin/apt-key add /etc/apt/DEB-GPG-KEY-DUO', - unless => '/usr/bin/apt-key list | grep "Duo Security"', - notify => Exec['duo-security-apt-update'] + exec { 'Duo Security GPG Import': + command => '/usr/bin/apt-key add /etc/apt/DEB-GPG-KEY-DUO', + unless => '/usr/bin/apt-key list | grep "Duo Security"', + notify => Exec['duo-security-apt-update'], + before => Package[$duo_unix::duo_package] + } } } diff --git a/manifests/init.pp b/manifests/init.pp index 61104e4..8076284 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -21,6 +21,7 @@ $accept_env_factor = 'no', $manage_ssh = true, $manage_pam = true, + $manage_repo = true, $pam_unix_control = 'requisite', $package_version = 'installed', ) { diff --git a/manifests/yum.pp b/manifests/yum.pp index c1c3738..8f13df1 100644 --- a/manifests/yum.pp +++ b/manifests/yum.pp 
@@ -30,12 +30,15 @@ $releasever = '$releasever' } - yumrepo { 'duosecurity': - descr => 'Duo Security Repository', - baseurl => "${repo_uri}/${os}/${releasever}/\$basearch", - gpgcheck => '1', - enabled => '1', - require => File['/etc/pki/rpm-gpg/RPM-GPG-KEY-DUO']; + if $duo_unix::manage_repo { + yumrepo { 'duosecurity': + descr => 'Duo Security Repository', + baseurl => "${repo_uri}/${os}/${releasever}/\$basearch", + gpgcheck => '1', + enabled => '1', + require => File['/etc/pki/rpm-gpg/RPM-GPG-KEY-DUO'], + before => Package[$duo_unix::duo_package]; + } } if $duo_unix::manage_ssh { @@ -46,7 +49,7 @@ package { $duo_unix::duo_package: ensure => $package_state, - require => [ Yumrepo['duosecurity'], Exec['Duo Security GPG Import'] ]; + require => [ Exec['Duo Security GPG Import'] ]; } exec { 'Duo Security GPG Import':