Muehlenhoff has uploaded a new change for review.
https://gerrit.wikimedia.org/r/282160
Change subject: Enable two-factor authentication in sshd
......................................................................
Enable two-factor authentication in sshd
At the moment validation only occurs against auth1001, this will be extended
once OTP counter replication between auth1001 and auth2001 has been set up.
/etc/yubikeys contains the allowed key (not yet puppetised).
Change-Id: I3426ad3b333e235e59442f1ceb6bd8e17d75ade2
---
M modules/role/manifests/bastionhost/2fa.pp
M modules/role/templates/bastionhost/pam-sshd.erb
2 files changed, 4 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/60/282160/1
diff --git a/modules/role/manifests/bastionhost/2fa.pp
b/modules/role/manifests/bastionhost/2fa.pp
index 6bd7772..2efd7e6 100644
--- a/modules/role/manifests/bastionhost/2fa.pp
+++ b/modules/role/manifests/bastionhost/2fa.pp
@@ -7,6 +7,7 @@
include standard
include base::firewall
include role::backup::host
+ include passwords::yubiauth
backup::set {'home': }
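Review bot: the new `include passwords::yubiauth` exists only so that `$passwords::yubiauth::api_key` can be referenced further down in this class; a one-line comment on the include saying so would spare the next reader from wondering why a bastion role pulls in a passwords class, and would keep the include from being dropped later as unused.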
@@ -19,6 +20,8 @@
port => 'ssh',
}
+ api_key = $passwords::yubiauth::api_key
+
file { '/etc/pam.d/sshd':
ensure => present,
owner => 'root',
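Review bot: the assignment `api_key = $passwords::yubiauth::api_key` is missing the `$` sigil on the left-hand side; Puppet variable assignment is `$api_key = $passwords::yubiauth::api_key`, and as written the manifest will not compile. The ERB template reads `@api_key`, which resolves to a local `$api_key` in this class's scope, so the corrected assignment must stay where it is, ahead of the `file { '/etc/pam.d/sshd': ... }` resource that renders the template. Since that rendered file now embeds the validation API key, also check that the file resource sets a restrictive mode (the visible lines only show `owner => 'root'`); the key should not be readable by ordinary users of the bastion.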
diff --git a/modules/role/templates/bastionhost/pam-sshd.erb
b/modules/role/templates/bastionhost/pam-sshd.erb
index 7405736..7b9b118 100644
--- a/modules/role/templates/bastionhost/pam-sshd.erb
+++ b/modules/role/templates/bastionhost/pam-sshd.erb
@@ -2,6 +2,7 @@
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
+auth sufficient pam_yubico.so mode=client id=1 key=<%= @api_key %>
debug authfile=/etc/yubikeys
urllist=http://auth1001.eqiad.wmnet/wsapi/2.0/verify
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
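Review bot: `auth sufficient pam_yubico.so ...` placed before `@include common-auth` means a valid OTP alone satisfies the PAM auth stack and the stack returns before common-auth runs, so on its own this configuration is "OTP or password", not a second factor on top of the existing one; if the OTP is meant to be required in addition, use `auth required pam_yubico.so ...` here (or rely on sshd's `AuthenticationMethods` requiring public key plus keyboard-interactive, which this change does not show). Two further points on the same pam_yubico line: `debug` makes the module log verbosely to syslog and should not ship on a production bastion, and `urllist=http://auth1001.eqiad.wmnet/wsapi/2.0/verify` sends the validation request in cleartext; with `key=` set the request and response are HMAC-signed so a forged "OK" from a man in the middle is rejected, but an https URL would also keep the OTP and client id off the wire. Note that the `debug authfile=/etc/yubikeys urllist=...` text on the following lines is a continuation of that single pam_yubico line wrapped by the mail client, not separate PAM entries.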
--
To view, visit https://gerrit.wikimedia.org/r/282160
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3426ad3b333e235e59442f1ceb6bd8e17d75ade2
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits