From f77b1b6bc7049fa42f674a11073632a8ee7f1ba9 Mon Sep 17 00:00:00 2001 From: denise stockman Date: Tue, 28 Apr 2015 21:29:07 -0700 Subject: [PATCH 01/11] Add support for AWS Linux 2015.03 --- manifests/yum.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/yum.pp b/manifests/yum.pp index 2e53bd7..b044601 100644 --- a/manifests/yum.pp +++ b/manifests/yum.pp @@ -15,6 +15,7 @@ if $::operatingsystem == 'Amazon' { $releasever = $::operatingsystemmajrelease ? { '2014' => '6Server', + '2015' => '6Server', default => undef, } $os = $::operatingsystem From 62bb70b12f16f4636ab1ebe0d9fc26f7f64086c1 Mon Sep 17 00:00:00 2001 From: denise stockman Date: Wed, 29 Apr 2015 10:42:28 -0700 Subject: [PATCH 02/11] bump version in conditional for 2015.03 --- manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 0d21b5e..37a0b48 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -38,8 +38,8 @@ $gpg_file = '/etc/pki/rpm-gpg/RPM-GPG-KEY-DUO' $pam_file = $::operatingsystemrelease ? { - /^5/ => '/etc/pam.d/system-auth', - /^(6|7|2014)/ => '/etc/pam.d/password-auth' + /^5/ => '/etc/pam.d/system-auth', + /^(6|7|2014|2015.03)/ => '/etc/pam.d/password-auth' } $pam_module = $::architecture ? { From 8bb8b7bf8aaa494769b7de96a15ad47d00a9a197 Mon Sep 17 00:00:00 2001 From: denise stockman Date: Wed, 29 Apr 2015 10:51:19 -0700 Subject: [PATCH 03/11] Force AWS Linux to map always to RHEL --- manifests/yum.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/yum.pp b/manifests/yum.pp index b044601..6af3da5 100644 --- a/manifests/yum.pp +++ b/manifests/yum.pp @@ -18,7 +18,7 @@ '2015' => '6Server', default => undef, } - $os = $::operatingsystem + $os = 'RedHat' } elsif ( $::operatingsystem == 'RedHat' and $::operatingsystemmajrelease == 5 ) { $os = 'CentOS' $releasever = '$releasever' From 241d81789de0b73d86a69d22184ed2512e8f5648 Mon Sep 17 00:00:00 2001 
From: denise stockman Date: Wed, 29 Apr 2015 10:55:44 -0700 Subject: [PATCH 04/11] Bump module version --- Modulefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modulefile b/Modulefile index 53c07c4..199c8ff 100644 --- a/Modulefile +++ b/Modulefile @@ -1,5 +1,5 @@ name 'duosecurity-duo_unix' -version '0.3.1' +version '0.3.2' source 'git://github.com/duosecurity/puppet-duo_unix' author 'Duo Security' license 'GPLv2' From d53eac4aafc0f8e17a28638c7e20cfd3421fe996 Mon Sep 17 00:00:00 2001 From: Alex Yamauchi Date: Wed, 13 May 2015 15:12:32 -0700 Subject: [PATCH 05/11] The pam_unix_control setting is hard-coded to 'sufficient'. When all auth modules in the stack are configured to 'sufficient', the authentication is 'at least one', not two-factor. --- manifests/pam.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/pam.pp b/manifests/pam.pp index e93feaa..6f07e66 100644 --- a/manifests/pam.pp +++ b/manifests/pam.pp @@ -37,7 +37,7 @@ "set ${aug_pam_path}/2/control ${duo_unix::pam_unix_control}", "ins 100 after ${aug_pam_path}/2", "set ${aug_pam_path}/100/type auth", - "set ${aug_pam_path}/100/control sufficient", + "set ${aug_pam_path}/100/control ${duo_unix::pam_unix_control}", "set ${aug_pam_path}/100/module ${duo_unix::pam_module}" ], require => Package[$duo_unix::duo_package], From fecaba6488d95f238f7a4ca03f7b446af6dade1f Mon Sep 17 00:00:00 2001 From: Alex Yamauchi Date: Fri, 10 Jul 2015 12:36:26 -0700 Subject: [PATCH 06/11] INFRA-334: this should work to allow duo to work with other auths other than local system auth. --- manifests/init.pp | 2 +- manifests/pam.pp | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 37a0b48..497b0bb 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
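Review bot: In the `changes` array of the 'PAM Configuration' augeas resource in manifests/pam.pp, entry 100 (the Duo module) now takes its control flag from `${duo_unix::pam_unix_control}`, the same variable that sets entry 2, so the two flags can no longer differ. If an operator sets that parameter to `sufficient`, both entries are `sufficient` again and the "at least one" condition described in the commit message returns. The rest of the auth stack is not visible here; if a deny line follows entry 100, a non-terminating flag on Duo would presumably send every successful login on to it. A separate parameter for the Duo entry would avoid both cases; failing that, a comment such as `# entry 100 (pam_duo) shares its control flag with pam_unix via pam_unix_control` should record the coupling. The augeas resource begins and ends outside the hunk.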
@@ -20,7 +20,7 @@ $prompts = '3', $accept_env_factor = 'no', $manage_ssh = true, - $pam_unix_control = 'requisite', + $pam_primary_module = 'pam_unix.so', $package_version = 'installed', ) { if $ikey == '' or $skey == '' or $host == '' { diff --git a/manifests/pam.pp b/manifests/pam.pp index 6f07e66..29149f6 100644 --- a/manifests/pam.pp +++ b/manifests/pam.pp @@ -34,10 +34,10 @@ if $::osfamily == 'RedHat' { augeas { 'PAM Configuration': changes => [ - "set ${aug_pam_path}/2/control ${duo_unix::pam_unix_control}", - "ins 100 after ${aug_pam_path}/2", + "set ${aug_pam_path}/*[type = 'auth'][module = '${duo_unix::pam_primary_module}']/control requisite", + "ins 100 after ${aug_pam_path}/*[type = 'auth'][module = '${duo_unix::pam_primary_module']", "set ${aug_pam_path}/100/type auth", - "set ${aug_pam_path}/100/control ${duo_unix::pam_unix_control}", + "set ${aug_pam_path}/100/control sufficient", "set ${aug_pam_path}/100/module ${duo_unix::pam_module}" ], require => Package[$duo_unix::duo_package], From 538a563a016dfa65c858047c938f843c9eaba562 Mon Sep 17 00:00:00 2001 From: Alex Yamauchi Date: Fri, 10 Jul 2015 13:03:31 -0700 Subject: [PATCH 07/11] INFRA-334: stupid typo. Missed a brace. --- manifests/pam.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/pam.pp b/manifests/pam.pp index 29149f6..7453eba 100644 --- a/manifests/pam.pp +++ b/manifests/pam.pp @@ -35,7 +35,7 @@ augeas { 'PAM Configuration': changes => [ "set ${aug_pam_path}/*[type = 'auth'][module = '${duo_unix::pam_primary_module}']/control requisite", - "ins 100 after ${aug_pam_path}/*[type = 'auth'][module = '${duo_unix::pam_primary_module']", + "ins 100 after ${aug_pam_path}/*[type = 'auth'][module = '${duo_unix::pam_primary_module}']", "set ${aug_pam_path}/100/type auth", "set ${aug_pam_path}/100/control sufficient", "set ${aug_pam_path}/100/module ${duo_unix::pam_module}" From f5fbb050b07357d0df29f4cd9b19fbde4e4a8563 Mon Sep 17 00:00:00 2001 
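Review bot: The new Augeas path expressions in manifests/pam.pp place `${duo_unix::pam_primary_module}` inside a single-quoted predicate, and the init.pp hunk of the same commit introduces that value as a free-form class parameter with no validation. A value containing a quote would change which PAM entry the `set ... control requisite` and `ins 100 after` commands select. A value that matches no `auth` entry would presumably make the resource fail and leave the stack without the Duo line. Checking the parameter in init.pp against a plain module file name pattern before use would close this, along with a comment such as `# file name of the auth module Duo is inserted after, e.g. pam_unix.so`. The augeas resource continues outside the hunk.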
From: Alex Yamauchi Date: Mon, 13 Jul 2015 09:35:54 -0700 Subject: [PATCH 08/11] Realized that I accidently dropped the $pam_unix_control needed for back-compatibility. Also added the "last()" function to the augeas search to facilitate configurations where the system auth module may appear twice in the stack (ie. system accounts do not use two factor, but actual user accounts do). --- manifests/init.pp | 1 + manifests/pam.pp | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 497b0bb..176ecce 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -20,6 +20,7 @@ $prompts = '3', $accept_env_factor = 'no', $manage_ssh = true, + $pam_unix_control = 'requisite', $pam_primary_module = 'pam_unix.so', $package_version = 'installed', ) { diff --git a/manifests/pam.pp b/manifests/pam.pp index 7453eba..8f35b68 100644 --- a/manifests/pam.pp +++ b/manifests/pam.pp @@ -34,7 +34,7 @@ if $::osfamily == 'RedHat' { augeas { 'PAM Configuration': changes => [ - "set ${aug_pam_path}/*[type = 'auth'][module = '${duo_unix::pam_primary_module}']/control requisite", + "set ${aug_pam_path}/*[type = 'auth'][module = '${duo_unix::pam_primary_module}'][last()]/control ${duo_unix::pam_unix_control}", "ins 100 after ${aug_pam_path}/*[type = 'auth'][module = '${duo_unix::pam_primary_module}']", "set ${aug_pam_path}/100/type auth", "set ${aug_pam_path}/100/control sufficient", From 9aab35c5d539a9a85ac2bad0b7d26c1ccd58ed73 Mon Sep 17 00:00:00 2001 From: denise stockman Date: Wed, 17 Feb 2016 11:24:27 -0800 Subject: [PATCH 09/11] INFRA-1285: update OS matching --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 176ecce..9f6c906 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
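Review bot: `[last()]` is added to the `set` expression only; the `ins 100 after` line directly below it in the `changes` array keeps the unqualified predicate. With the primary module listed twice under `auth`, which is the case the commit message names, that expression selects two nodes. Augeas `ins` expects its path to match exactly one node, so the insert would most likely fail and the Duo entry would not be added. The same qualifier is needed there: `"ins 100 after ${aug_pam_path}/*[type = 'auth'][module = '${duo_unix::pam_primary_module}'][last()]",`. The augeas resource begins and ends outside the hunk.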
@@ -40,7 +40,7 @@ $pam_file = $::operatingsystemrelease ? { /^5/ => '/etc/pam.d/system-auth', - /^(6|7|2014|2015.03)/ => '/etc/pam.d/password-auth' + /^(6|7|2014|2015)/ => '/etc/pam.d/password-auth' } $pam_module = $::architecture ? { From 68e21111234b30304c9939a38223ad6ac063c198 Mon Sep 17 00:00:00 2001 From: denise stockman Date: Mon, 10 Oct 2016 13:04:58 -0700 Subject: [PATCH 10/11] INFRA-1532 add support for 2016 aws linux --- manifests/init.pp | 4 ++-- manifests/yum.pp | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 9f6c906..f829491 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -39,8 +39,8 @@ $gpg_file = '/etc/pki/rpm-gpg/RPM-GPG-KEY-DUO' $pam_file = $::operatingsystemrelease ? { - /^5/ => '/etc/pam.d/system-auth', - /^(6|7|2014|2015)/ => '/etc/pam.d/password-auth' + /^5/ => '/etc/pam.d/system-auth', + /^(6|7|2014|2015|2016)/ => '/etc/pam.d/password-auth' } $pam_module = $::architecture ? { diff --git a/manifests/yum.pp b/manifests/yum.pp index 6af3da5..727a7eb 100644 --- a/manifests/yum.pp +++ b/manifests/yum.pp @@ -16,6 +16,7 @@ $releasever = $::operatingsystemmajrelease ? { '2014' => '6Server', '2015' => '6Server', + '2016' => '6Server', default => undef, } $os = 'RedHat' From fa84f44eec24051cdf04cbf67ce19b3983d9bc4c Mon Sep 17 00:00:00 2001 From: Tom Williams Date: Tue, 24 Apr 2018 16:48:54 -0400 Subject: [PATCH 11/11] INFRA-6222 - Duo needs to support 2017.xx --- manifests/generic.pp | 1 - manifests/init.pp | 43 ++++++++----------------------------------- manifests/login.pp | 1 - manifests/pam.pp | 1 - manifests/yum.pp | 28 +++++----------------------- 5 files changed, 13 insertions(+), 61 deletions(-) diff --git a/manifests/generic.pp b/manifests/generic.pp index 73072a6..162ca6e 100644 --- a/manifests/generic.pp +++ b/manifests/generic.pp @@ -29,5 +29,4 @@ enable => true; } } - } diff --git a/manifests/init.pp b/manifests/init.pp index f829491..e687f0b 100644 
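Review bot: The list of Amazon Linux release years is now maintained by hand in two places, the `$pam_file` selector in manifests/init.pp and the `$releasever` map in the manifests/yum.pp hunk of this commit, and the two fail differently for an unlisted year. The init.pp selector shows no `default`, so compilation should stop there, while the yum.pp map returns `undef` and lets the run continue with no release set. A comment on each, for example `# Amazon Linux reports the release year; keep in sync with duo_unix::yum`, would make the coupling visible, and the yum.pp `default` branch is the natural place for an explicit failure. The code that consumes `$releasever` is outside the hunk.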
--- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,46 +27,17 @@ if $ikey == '' or $skey == '' or $host == '' { fail('ikey, skey, and host must all be defined.') } - - if $usage != 'login' and $usage != 'pam' { - fail('You must configure a usage of duo_unix, either login or pam.') - } - - case $::osfamily { - 'RedHat': { + case $::operatingsystem { + 'Amazon': { $duo_package = 'duo_unix' $ssh_service = 'sshd' - $gpg_file = '/etc/pki/rpm-gpg/RPM-GPG-KEY-DUO' - - $pam_file = $::operatingsystemrelease ? { - /^5/ => '/etc/pam.d/system-auth', - /^(6|7|2014|2015|2016)/ => '/etc/pam.d/password-auth' - } - - $pam_module = $::architecture ? { - i386 => '/lib/security/pam_duo.so', - i686 => '/lib/security/pam_duo.so', - x86_64 => '/lib64/security/pam_duo.so' - } + $gpg_file = '/etc/pki/rpm-gpg/RPM-GPG-KEY-DUO' + $pam_file = '/etc/pam.d/password-auth' + $pam_module = '/lib64/security/pam_duo.so' include duo_unix::yum include duo_unix::generic } - 'Debian': { - $duo_package = 'duo-unix' - $ssh_service = 'ssh' - $gpg_file = '/etc/apt/DEB-GPG-KEY-DUO' - $pam_file = '/etc/pam.d/common-auth' - - $pam_module = $::architecture ? { - i386 => '/lib/security/pam_duo.so', - i686 => '/lib/security/pam_duo.so', - amd64 => '/lib64/security/pam_duo.so' - } - - include duo_unix::apt - include duo_unix::generic - } default: { fail("Module ${module_name} does not support ${::operatingsystem}") } @@ -74,7 +45,9 @@ if $usage == 'login' { include duo_unix::login - } else { + } elsif $usage == 'pam' { include duo_unix::pam + } else { + fail('You must configure a usage of duo_unix, either login or pam.') } } diff --git a/manifests/login.pp b/manifests/login.pp index 2c458d9..6047274 100644 --- a/manifests/login.pp +++ b/manifests/login.pp @@ -28,5 +28,4 @@ notify => Service[$duo_unix::ssh_service]; } } - } diff --git a/manifests/pam.pp b/manifests/pam.pp index 8f35b68..d574d33 100644 --- a/manifests/pam.pp +++ b/manifests/pam.pp @@ -57,5 +57,4 @@ onlyif => "match ${aug_match} size == 0"; } } - } 
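Review bot: The rewritten `case` in manifests/init.pp matches only `'Amazon'` on `$::operatingsystem`, so the RedHat and Debian branches are gone and those hosts now reach the `default` `fail()`, which the commit subject (support for 2017.xx) does not announce. `$pam_module` is also fixed to `'/lib64/security/pam_duo.so'` in place of the `$::architecture` selector, so on an i386 or i686 host the PAM entry would name a path that the removed selector mapped to `/lib/security/pam_duo.so`. `$pam_file` likewise loses its release check. Keeping the architecture selector, or failing explicitly for anything other than x86_64, and listing the dropped platforms in the class header comment would make the narrowing deliberate. The class body begins and ends outside the hunk.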
diff --git a/manifests/yum.pp b/manifests/yum.pp index 727a7eb..b65481c 100644 --- a/manifests/yum.pp +++ b/manifests/yum.pp @@ -8,25 +8,9 @@ # class duo_unix::yum { $repo_uri = 'http://pkg.duosecurity.com' - $package_state = $::duo_unix::package_version - - # Map Amazon Linux to RedHat equivalent releases - # Map RedHat 5 to CentOS 5 equivalent releases - if $::operatingsystem == 'Amazon' { - $releasever = $::operatingsystemmajrelease ? { - '2014' => '6Server', - '2015' => '6Server', - '2016' => '6Server', - default => undef, - } - $os = 'RedHat' - } elsif ( $::operatingsystem == 'RedHat' and $::operatingsystemmajrelease == 5 ) { - $os = 'CentOS' - $releasever = '$releasever' - } else { - $os = $::operatingsystem - $releasever = '$releasever' - } + $version = $::duo_unix::package_version + $releasever = '6Server' + $os = 'RedHat' yumrepo { 'duosecurity': descr => 'Duo Security Repository', @@ -42,8 +26,8 @@ } } - package { $duo_unix::duo_package: - ensure => $package_state, + package { $duo_unix::duo_package: + ensure => $version, require => [ Yumrepo['duosecurity'], Exec['Duo Security GPG Import'] ]; } @@ -51,6 +35,4 @@ command => '/bin/rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-DUO', unless => '/bin/rpm -qi gpg-pubkey | grep Duo > /dev/null 2>&1' } - } -
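Review bot: The variable block rewritten at the top of `duo_unix::yum` still carries `$repo_uri = 'http://pkg.duosecurity.com'`, so the package that supplies the PAM module is fetched over plain HTTP. Integrity then rests entirely on RPM signature checking, and the `yumrepo` attributes that would enable it are outside this hunk; the import guard in the last hunk of this file only greps the installed keys for the string `Duo`. If the repository host serves HTTPS, `$repo_uri = 'https://pkg.duosecurity.com'` is a one-line change. `$releasever` and `$os` are now constants, which deserves a comment such as `# every supported Amazon Linux release uses Duo's RedHat 6Server repository`.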