Multi-Factor Authentication (MFA) for sshd+PAM https://duo.com/product/multi-factor-authentication-mfa Related-Prod: PROD-24422 Change-Id: Iddec5a5e99e7db5d7f173ad939d3fd0cac1cd22b
- source: tests/example | - source: tests/example | ||||
dest: srv/salt/linux/files/test | dest: srv/salt/linux/files/test | ||||
- name: duo | |||||
provisioner: | |||||
pillars-from-files: | |||||
linux.sls: tests/pillar/system_duo.sls | |||||
# vim: ft=yaml sw=2 ts=2 sts=2 tw=125 | # vim: ft=yaml sw=2 ts=2 sts=2 tw=125 |
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=system | - PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=system | ||||
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=network | - PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=network | ||||
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=system | - PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=system | ||||
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=duo | |||||
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2017.7 SUITE=network | # - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2017.7 SUITE=network | ||||
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2017.7 SUITE=system | # - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2017.7 SUITE=system | ||||
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2018.3 SUITE=network | # - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2018.3 SUITE=network |
shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*)) | shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*)) | ||||
group: (&(objectClass=group)(gidNumber=*)) | group: (&(objectClass=group)(gidNumber=*)) | ||||
PAM duo 2FA integration | |||||
.. code-block:: yaml | |||||
parameters: | |||||
linux: | |||||
system: | |||||
auth: | |||||
enabled: true | |||||
duo: | |||||
enabled: true | |||||
duo_host: localhost | |||||
duo_ikey: DUO-INTEGRATION-KEY | |||||
duo_skey: DUO-SECRET-KEY | |||||
duo package version may be specified (optional) | |||||
.. code-block:: yaml | |||||
linux: | |||||
system: | |||||
package: | |||||
duo-unix: | |||||
version: 1.10.1-0 | |||||
Disabled multipath (the default setup): | Disabled multipath (the default setup): | ||||
.. code-block:: yaml | .. code-block:: yaml |
{%- from "linux/map.jinja" import auth with context %} | |||||
[duo] | |||||
ikey = {{ auth.duo.duo_ikey }} | |||||
skey = {{ auth.duo.duo_skey }} | |||||
host = {{ auth.duo.duo_host }} | |||||
pushinfo = yes | |||||
failmode = secure | |||||
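Review bot: `failmode = secure` combined with the empty `duo_ikey`/`duo_skey` defaults in map.jinja means a pillar that enables duo but omits the keys renders blank `ikey =`/`skey =` lines, and pam_duo would then presumably refuse every login on the host. Nothing in the template says where the three values come from or what the fail-closed setting implies operationally. I would add a Jinja comment at the top, e.g. `{#- ikey/skey/host come from pillar linux:system:auth:duo; failmode = secure denies logins when Duo is unreachable or misconfigured, so keep a tested console access path #}`.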
{%- from "linux/map.jinja" import auth with context %} | |||||
# PAM configuration for the Secure Shell service | |||||
{%- if auth.duo.enabled %} | |||||
auth required /lib64/security/pam_duo.so | |||||
account required pam_nologin.so | |||||
# Standard Un*x authentication. | |||||
#@include common-auth | |||||
{%- else %} | |||||
# Standard Un*x authentication. | |||||
@include common-auth | |||||
{%- endif %} | |||||
# Disallow non-root logins when /etc/nologin exists. | |||||
account required pam_nologin.so | |||||
# Uncomment and edit /etc/security/access.conf if you need to set complex | |||||
# access limits that are hard to express in sshd_config. | |||||
# account required pam_access.so | |||||
# Standard Un*x authorization. | |||||
@include common-account | |||||
# SELinux needs to be the first session rule. This ensures that any | |||||
# lingering context has been cleared. Without this it is possible that a | |||||
# module could execute code in the wrong domain. | |||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close | |||||
# Set the loginuid process attribute. | |||||
session required pam_loginuid.so | |||||
# Create a new session keyring. | |||||
session optional pam_keyinit.so force revoke | |||||
# Standard Un*x session setup and teardown. | |||||
@include common-session | |||||
# Print the message of the day upon successful login. | |||||
# This includes a dynamically generated part from /run/motd.dynamic | |||||
# and a static (admin-editable) part from /etc/motd. | |||||
session optional pam_motd.so motd=/run/motd.dynamic | |||||
session optional pam_motd.so noupdate | |||||
# Print the status of the user's mailbox upon successful login. | |||||
session optional pam_mail.so standard noenv # [1] | |||||
# Set up user limits from /etc/security/limits.conf. | |||||
session required pam_limits.so | |||||
# Read environment variables from /etc/environment and | |||||
# /etc/security/pam_env.conf. | |||||
session required pam_env.so # [1] | |||||
# In Debian 4.0 (etch), locale-related environment variables were moved to | |||||
# /etc/default/locale, so read that as well. | |||||
session required pam_env.so user_readenv=1 envfile=/etc/default/locale | |||||
# SELinux needs to intervene at login time to ensure that the process starts | |||||
# in the proper default security context. Only sessions which are intended | |||||
# to run in the user's context should be run after this. | |||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open | |||||
# Standard Un*x password updating. | |||||
@include common-password | |||||
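Review bot: In the `auth.duo.enabled` branch `@include common-auth` is commented out, so `pam_duo.so` is the only module in the sshd `auth` stack and Duo replaces the password check rather than adding to it. Whether a login ends up with two factors therefore depends on sshd_config (public-key logins do not run the PAM auth stack unless keyboard-interactive is also required, e.g. `AuthenticationMethods publickey,keyboard-interactive`), which this change does not appear to manage. I would state that above the rule: `# Duo is the sole PAM auth module here; pair with AuthenticationMethods publickey,keyboard-interactive in sshd_config`. The same branch also adds `account required pam_nologin.so`, which duplicates the unconditional line further down and can be dropped.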
{% set auth = salt['grains.filter_by']({ | {% set auth = salt['grains.filter_by']({ | ||||
'Arch': { | 'Arch': { | ||||
'enabled': false, | 'enabled': false, | ||||
'duo': { | |||||
'enabled': false, | |||||
'duo_host': 'localhost', | |||||
'duo_ikey': '', | |||||
'duo_skey': '' | |||||
} | |||||
}, | }, | ||||
'RedHat': { | 'RedHat': { | ||||
'enabled': false, | 'enabled': false, | ||||
'duo': { | |||||
'enabled': false, | |||||
'duo_host': 'localhost', | |||||
'duo_ikey': '', | |||||
'duo_skey': '' | |||||
} | |||||
}, | }, | ||||
'Debian': { | 'Debian': { | ||||
'enabled': false, | 'enabled': false, | ||||
'duo': { | |||||
'enabled': false, | |||||
'duo_host': 'localhost', | |||||
'duo_ikey': '', | |||||
'duo_skey': '' | |||||
} | |||||
}, | }, | ||||
}, grain='os_family', merge=salt['pillar.get']('linux:system:auth')) %} | }, grain='os_family', merge=salt['pillar.get']('linux:system:auth')) %} | ||||
} | } | ||||
}, | }, | ||||
}, grain='os_family', merge=salt['pillar.get']('linux:monitoring')) %} | }, grain='os_family', merge=salt['pillar.get']('linux:monitoring')) %} | ||||
{%- from "linux/map.jinja" import auth with context %} | {%- from "linux/map.jinja" import auth with context %} | ||||
{%- if auth.enabled %} | {%- if auth.enabled %} | ||||
{%- set pam_modules_enable = "" %} | |||||
{%- set pam_modules_disable = "" %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- if auth.duo.enabled %} | |||||
include: | |||||
- linux.system.auth.duo | |||||
{%- else %} | |||||
{%- set pam_modules_enable = "" %} | |||||
{%- set pam_modules_disable = "" %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
linux_auth_pam_packages: | linux_auth_pam_packages: | ||||
pkg.installed: | pkg.installed: | ||||
- pkgs: [ 'libpam-runtime' ] | - pkgs: [ 'libpam-runtime' ] | ||||
- mode: 755 | - mode: 755 | ||||
- require: | - require: | ||||
- pkg: linux_auth_pam_packages | - pkg: linux_auth_pam_packages | ||||
{%- endif %} | |||||
{%- endif %} | |||||
{%- if auth.get('mkhomedir', {}).get('enabled', False) %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- set pam_modules_enable = pam_modules_enable + ' mkhomedir' %} | |||||
{%- if auth.get('mkhomedir', {}).get('enabled', False) %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- set pam_modules_enable = pam_modules_enable + ' mkhomedir' %} | |||||
linux_auth_mkhomedir_debconf_package: | linux_auth_mkhomedir_debconf_package: | ||||
pkg.installed: | pkg.installed: | ||||
- pkgs: [ 'debconf-utils' ] | - pkgs: [ 'debconf-utils' ] | ||||
- source: salt://linux/files/mkhomedir | - source: salt://linux/files/mkhomedir | ||||
- template: jinja | - template: jinja | ||||
{%- endif %} | |||||
{%- else %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- set pam_modules_disable = pam_modules_disable + ' mkhomedir' %} | |||||
{%- endif %} | |||||
{%- endif %} | {%- endif %} | ||||
{%- else %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- set pam_modules_disable = pam_modules_disable + ' mkhomedir' %} | |||||
{%- endif %} | |||||
{%- endif %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
{%- from "linux/map.jinja" import ldap with context %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
{%- from "linux/map.jinja" import ldap with context %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- set pam_modules_enable = pam_modules_enable + ' ldap' %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- set pam_modules_enable = pam_modules_enable + ' ldap' %} | |||||
linux_auth_ldap_debconf_package: | linux_auth_ldap_debconf_package: | ||||
pkg.installed: | pkg.installed: | ||||
libpam-ldapd/enable_shadow: | libpam-ldapd/enable_shadow: | ||||
type: 'boolean' | type: 'boolean' | ||||
value: 'true' | value: 'true' | ||||
{%- endif %} | |||||
{%- else %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- set pam_modules_disable = pam_modules_disable + ' ldap' %} | |||||
{%- endif %} | |||||
{%- endif %} | {%- endif %} | ||||
{%- else %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- set pam_modules_disable = pam_modules_disable + ' ldap' %} | |||||
{%- endif %} | |||||
{%- endif %} | |||||
{#- Setup PAM profiles #} | {#- Setup PAM profiles #} | ||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- if auth.get('mkhomedir', {}).get('enabled', False) %} | |||||
{%- if grains.os_family == 'Debian' %} | |||||
{%- if auth.get('mkhomedir', {}).get('enabled', False) %} | |||||
linux_auth_pam_add_profiles_mkhomedir_enable: | linux_auth_pam_add_profiles_mkhomedir_enable: | ||||
cmd.run: | cmd.run: | ||||
- name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }} | - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }} | ||||
- file: linux_auth_mkhomedir_config | - file: linux_auth_mkhomedir_config | ||||
- require: | - require: | ||||
- file: linux_auth_pam_add_profile | - file: linux_auth_pam_add_profile | ||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
- pkg: linux_auth_ldap_packages | - pkg: linux_auth_ldap_packages | ||||
{%- endif %} | |||||
{%- else %} | |||||
{%- endif %} | |||||
{%- else %} | |||||
linux_auth_pam_remove_profiles_mkhomedir: | linux_auth_pam_remove_profiles_mkhomedir: | ||||
cmd.run: | cmd.run: | ||||
- name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }} | - name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }} | ||||
- onlyif: "[[ `grep -c pam_mkhomedir.so /etc/pam.d/common-session` -ne 0 ]]" | - onlyif: "[[ `grep -c pam_mkhomedir.so /etc/pam.d/common-session` -ne 0 ]]" | ||||
- require: | - require: | ||||
- pkg: linux_auth_pam_packages | - pkg: linux_auth_pam_packages | ||||
{%- endif %} | |||||
{%- endif %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
linux_auth_pam_add_profiles_ldap: | linux_auth_pam_add_profiles_ldap: | ||||
cmd.run: | cmd.run: | ||||
- name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }} | - name: /usr/local/bin/pam-add-profile {{ pam_modules_enable }} | ||||
- require: | - require: | ||||
- file: linux_auth_pam_add_profile | - file: linux_auth_pam_add_profile | ||||
- pkg: linux_auth_ldap_packages | - pkg: linux_auth_ldap_packages | ||||
{%- else %} | |||||
{%- else %} | |||||
linux_auth_pam_remove_profiles_ldap: | linux_auth_pam_remove_profiles_ldap: | ||||
cmd.run: | cmd.run: | ||||
- name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }} | - name: /usr/sbin/pam-auth-update --remove {{ pam_modules_disable }} | ||||
- onlyif: "[[ `debconf-get-selections | grep libpam-runtime/profiles | grep -c ldap` -ne 0 ]]" | - onlyif: "[[ `debconf-get-selections | grep libpam-runtime/profiles | grep -c ldap` -ne 0 ]]" | ||||
- require: | - require: | ||||
- pkg: linux_auth_pam_packages | - pkg: linux_auth_pam_packages | ||||
{%- endif %} | |||||
{%- endif %} | |||||
{%- elif grains.os_family == 'RedHat' %} | |||||
{%- if auth.get('mkhomedir', {}).get('enabled', False) %} | |||||
{%- elif grains.os_family == 'RedHat' %} | |||||
{%- if auth.get('mkhomedir', {}).get('enabled', False) %} | |||||
linux_auth_config_enable_mkhomedir: | linux_auth_config_enable_mkhomedir: | ||||
cmd.run: | cmd.run: | ||||
- name: "authconfig --enablemkhomedir --update" | - name: "authconfig --enablemkhomedir --update" | ||||
- require: | - require: | ||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
- pkg: linux_auth_ldap_packages | - pkg: linux_auth_ldap_packages | ||||
{%- endif %} | |||||
{%- else %} | |||||
{%- endif %} | |||||
{%- else %} | |||||
linux_auth_config_disable_mkhomedir: | linux_auth_config_disable_mkhomedir: | ||||
cmd.run: | cmd.run: | ||||
- name: "authconfig --disablemkhomedir --update" | - name: "authconfig --disablemkhomedir --update" | ||||
- require: | - require: | ||||
- pkg: linux_auth_ldap_packages | - pkg: linux_auth_ldap_packages | ||||
{%- endif %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
{%- endif %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
linux_auth_config_enable_ldap: | linux_auth_config_enable_ldap: | ||||
cmd.run: | cmd.run: | ||||
- name: "authconfig --enableldap --enableldapauth --update" | - name: "authconfig --enableldap --enableldapauth --update" | ||||
- require: | - require: | ||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
- pkg: linux_auth_ldap_packages | - pkg: linux_auth_ldap_packages | ||||
{%- endif %} | |||||
{%- else %} | |||||
{%- endif %} | |||||
{%- else %} | |||||
linux_auth_config_disable_ldap: | linux_auth_config_disable_ldap: | ||||
cmd.run: | cmd.run: | ||||
- name: "authconfig --disableldap --disableldapauth --update" | - name: "authconfig --disableldap --disableldapauth --update" | ||||
- require: | - require: | ||||
- pkg: linux_auth_ldap_packages | - pkg: linux_auth_ldap_packages | ||||
{%- endif %} | |||||
{%- endif %} | {%- endif %} | ||||
{%- endif %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
{%- if auth.get('ldap', {}).get('enabled', False) %} | |||||
linux_auth_nsswitch_config_file: | linux_auth_nsswitch_config_file: | ||||
file.managed: | file.managed: | ||||
- enable: true | - enable: true | ||||
- name: nslcd | - name: nslcd | ||||
{%- endif %} | |||||
{%- endif %} | {%- endif %} | ||||
{%- endif %} | {%- endif %} |
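Review bot: With the new `{%- if auth.duo.enabled %}` / `{%- else %}` wrapper, the mkhomedir and LDAP states (including the `pam-auth-update --remove` clean-up paths) appear to render only when Duo is off, so turning Duo on for a host that already uses LDAP would silently stop managing those PAM profiles. Indentation is lost in this view, so the exact nesting should be confirmed against the file. If the exclusivity is intended, say so next to the include, e.g. `{#- duo replaces the pam-auth-update managed profiles below; ldap/mkhomedir are not applied when duo is enabled #}`; otherwise the include can sit beside the existing states instead of in place of them.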
{%- if grains['os'] == 'Ubuntu' %} | |||||
package_duo: | |||||
pkg.installed: | |||||
- name: duo-unix | |||||
login_duo: | |||||
file.managed: | |||||
- name: /etc/duo/login_duo.conf | |||||
- source: salt://linux/files/login_duo.conf | |||||
- template: jinja | |||||
- user: 'root' | |||||
- group: 'root' | |||||
- mode: '0600' | |||||
pam_duo: | |||||
file.managed: | |||||
- name: /etc/duo/pam_duo.conf | |||||
- source: salt://linux/files/login_duo.conf | |||||
- template: jinja | |||||
- user: 'root' | |||||
- group: 'root' | |||||
- mode: '0600' | |||||
pam-sshd_config: | |||||
file.managed: | |||||
- name: /etc/pam.d/sshd | |||||
- user: root | |||||
- group: root | |||||
- source: salt://linux/files/pam-sshd | |||||
- mode: 600 | |||||
- template: jinja | |||||
{%- endif %} | |||||
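Review bot: `pam-sshd_config` has no `require` on `package_duo`, so if the package install fails the state can still write an /etc/pam.d/sshd whose only auth rule is `required /lib64/security/pam_duo.so`, a module that is not on disk, which would lock SSH out. Adding `- require:` with `- pkg: package_duo` to `pam-sshd_config` (and to `login_duo` and `pam_duo`) closes that gap. `login_duo` and `pam_duo` render `duo_skey`, so `- show_changes: False` on both keeps the secret out of state-run diffs and job returns. The whole file is gated on `grains['os'] == 'Ubuntu'` while map.jinja carries Duo defaults for Arch and RedHat, so enabling duo elsewhere yields an empty include; a comment noting Ubuntu-only support would help.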
linux: | |||||
network: | |||||
enabled: false | |||||
hostname: linux | |||||
fqdn: linux.ci.local | |||||
system: | |||||
enabled: true | |||||
at: | |||||
enabled: false | |||||
user: | |||||
root: | |||||
enabled: true | |||||
testuser: | |||||
enabled: true | |||||
cron: | |||||
enabled: false | |||||
user: | |||||
root: | |||||
enabled: false | |||||
cluster: default | |||||
name: linux | |||||
domain: ci.local | |||||
environment: prd | |||||
purge_repos: true | |||||
directory: | |||||
/tmp/test: | |||||
makedirs: true | |||||
apparmor: | |||||
enabled: false | |||||
haveged: | |||||
enabled: true | |||||
prompt: | |||||
default: "linux.ci.local$" | |||||
package: | |||||
htop: | |||||
version: latest | |||||
repo: | |||||
disabled_repo: | |||||
source: "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable" | |||||
enabled: false | |||||
disabled_repo_left_proxy: | |||||
source: "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable" | |||||
enabled: false | |||||
proxy: | |||||
enabled: true | |||||
https: https://127.0.5.1:443 | |||||
saltstack: | |||||
source: "deb [arch=amd64] http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/ xenial main" | |||||
key_url: "http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2017.7/SALTSTACK-GPG-KEY.pub" | |||||
architectures: amd64 | |||||
clean_file: true | |||||
pinning: | |||||
10: | |||||
enabled: true | |||||
pin: 'release o=SaltStack' | |||||
priority: 50 | |||||
package: 'libsodium18' | |||||
20: | |||||
enabled: true | |||||
pin: 'release o=SaltStack' | |||||
priority: 1100 | |||||
package: '*' | |||||
apt-salt: | |||||
source: "deb http://apt.mirantis.com/xenial stable salt" | |||||
#key_url: http://apt.mirantis.com/public.gpg | |||||
# pub 4096R/A76882D3 2015-06-17 | |||||
key: | | |||||
-----BEGIN PGP PUBLIC KEY BLOCK----- | |||||
Version: GnuPG v1 | |||||
mQINBFWBfCIBEADf6lnsY9v4rf/x0ribkFlnHnsv1/yD+M+YgZoQxYdf6b7M4/PY | |||||
zZ/c3uJt4l1vR3Yoocfc1VgtBNfA1ussBqXdmyRBMO1LKdQWnurNxWLW7CwcyNke | |||||
xeBfhjOqA6tIIXMfor7uUrwlIxJIxK+jc3C3nhM46QZpWX5d4mlkgxKh1G4ZRj4A | |||||
mEo2NduLUgfmF+gM1MmAbU8ekzciKet4TsM64WAtHyYllGKvuFSdBjsewO3McuhR | |||||
i1Desb5QdfIU4p3gkIa0EqlkkqX4rowo5qUnl670TNTTZHaz0MxCBoYaGbGhS7gZ | |||||
6/PLm8fJHmU/phst/QmOY76a5efZWbhhnlyYLIB8UjywN+VDqwkNk9jLUSXHTakh | |||||
dnL4OuGoNpIzms8juVFlnuOmx+FcfbHMbhAc7aPqFK+6J3YS4kJSfeHWJ6cTGoU1 | |||||
cLWEhsbU3Gp8am5fnh72RJ7v2sTe/rvCuVtlNufi5SyBPcEUZoxFVWAC/hMeiWzy | |||||
drBIVC73raf+A+OjH8op9XfkVj6czxQ/451soe3jvCDGgTXPLlts+P5WhgWNpDPa | |||||
fOfTHn/2o7NwoM7Vp+BQYKAQ78phsolvNNhf+g51ntoLUbxAGKZYzQ5RPsKo+Hq6 | |||||
96UCFkqhSABk0DvM0LtquzZ+sNoipd02w8EaxQzelDJxvPFGigo1uqGoiQARAQAB | |||||
tCx0Y3BjbG91ZCBzaWduaW5nIGtleSA8YXV0b2J1aWxkQHRjcGNsb3VkLmV1PokC | |||||
OwQTAQIAJQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlWj4K8CGQEACgkQ | |||||
JACFCadogtPm9xAAl1D1RUY1mttjKk+8KI3tUmgtqLaIGUcB4TPbIhQpFy23TJd6 | |||||
BnnEaGZ+HSCj3lp/dBoq1xxCqHCziKA04IpPaLpGJf8cqaKOpQpW1ErlSxT6nCQW | |||||
FrHFxZreBTljKqW3fvRBXNAquj0krJEwv19/3SsQ+CJI2Zkq/HPDw9eJOCu0WcJM | |||||
PVtAq2SmaDigh1jtFcFoWZ7uFFMQPIWit/RCPkDfkFaf6lbYZ/nnvWON9OAgzWci | |||||
GJjCp5a7vMyCpTRy6bgNPqM61omCe0iQ4yIcqANXhRYS/DBnjKr9YaDKnlKNUgd1 | |||||
WRE8QzErQznH/plgISQ+df+8Iunp3SBr/jj1604yyM1Wxppn1+dAoTBU1OPFGVd3 | |||||
mCEYHUe+v0iTZ69C2c1ISmp2MjciGyE/UPbW9ejUIXtFJAJovZjn6P3glyIQB3wq | |||||
AW6JE+xEBWH7Ix+Uv6YNAFfj3UO6vNjtuGbTCWYDCEJRkdmeE7QdTYDo7PxgPl1t | |||||
6xMGPLOBdYNJTEojvRYBTt+6iw0eZ+MCUdUFNeaseQh0p1RgqM9/7t75QCNLl1oO | |||||
+Cfu4vNef/Tpd3LHcUoQhQ2OViOVFbq1/Yu/natWDPDcXb3peTcNHOjmXAoboWbz | |||||
rDkxj5z7vcJ9LMEXviP6Fb/iXDmJh74/o6Agc8efb0WTmFjPFFtMCHrinb+5Ag0E | |||||
VYF8IgEQALUVS2GESQ+F1S4b0JIO1M2tVBXiH4N56eUzcDXxXbSZgCgx4aWhk5vJ | |||||
Qu7M11gtqIoiRbmuFpUmDOG/kB7DxBZPn8WqcBKpky6GUP/A/emaAZTwNQdcDAhD | |||||
foBkJdhVz0D2jnkBffYL055p/r1Ers+iTTNOas/0uc50C32xR823rQ2Nl6/ffIM6 | |||||
JqfQenhRvqUWPj9oqESHMsqEdceSwS/VC7RN4xQXJXfEWu2q4Ahs62RmvCXnTw1A | |||||
sPcpysoBoo8IW+V1MVQEZuAJRn2AGO/Q7uY9TR4guHb3wXRfZ3k0KVUsyqqdusJi | |||||
T3DxxBw6GcKdOH6t41Ys3eYgOrc+RcSdcHYSpxaLvEIhwzarZ+mqcp3gz/JkPlXS | |||||
2tx2l6NZHcgReOM7IhqMuxzBbpcrsbBmLBemC+u7hoPTjUdTHKEwvWaeXL4vgsqQ | |||||
BbEeKmXep5sZg3kHtpXzY9ZfPQrtGB8vHGrfaZIcCKuXwZWGL5GGWKw3TSP4fAIA | |||||
jLxLf5MyyXcsugbai2OY/H4sAuvJHsmGtergGknuR+iFdt5el1wgRKP1r1KdmvMm | |||||
wsSayc6eSEKd689x3zsmAtnhYM31oMkPdeYRbnN15gLG7vcsVe4jug0YTqQt2WGn | |||||
hwjBA0i2qfTorXemWChsxKllvY9aB3ST8I6RMat0kS08FMD+Ced/ABEBAAGJAh8E | |||||
GAECAAkFAlWBfCICGwwACgkQJACFCadogtNicA/9HOM402VGHlmuYPcrvEThHqMK | |||||
KOTtNFsrrPp67dGYaT8TGTgy1OG4Oys2y+hrwqnUK6dXJxX2/RBfRuO/gw65RCfC | |||||
9nWeMkqJTjHJCKNTYfXN4O4ag444UZPcOMq+IyiWF3/sh674zCkCm5DQ/FH8IJ8Y | |||||
n4jMoxe7G48PCGtgcJKXo8NBzxwXJH4DCdk7rNdrbrnCwObG8h6530WrmzKuyFCJ | |||||
QP5JA0MSx23J2OrK2YmVMhTeO0czJ8fRip9We9/qAfZGUEW+sey+nLmT5OJq04al | |||||
Va9g2a4nXxzDy84+hRXQNUeCRYn/ys8d8q9HZNv3K36HlILcuWazNTTh0cuWupBd | |||||
SlIEuWbIdbknYpGsmS1cPeGi0bdoLZv90BIVmdOS/vXP02fGUblyANciKcBPRhOI | |||||
+z6hzwdZ+QvjPbxZUig5XuvqBhIHoRtMBJdf24ysFuf/d4uZzTC8T4rUQO+L29bt | |||||
8riT0dg6cHVwC0VH89FaO1FduvsCtAwdAgxSzOMBECNOmVBThIiWdLnns107Rp4F | |||||
ECk+l2UCjl7zwGqJqcd1BQK+UgZwVG2UV11CrhopKU5oGL84n5DaO2n6Rv8wVdrt | |||||
MKvqi7EkgvZpY0IHJ7rp0Gzrv0qmwJaUFCWFogITNyijb1JVsUgDTMhAkEgEsIYy | |||||
jtcwJrHue5Xn8UPSLkE= | |||||
=SWiA | |||||
-----END PGP PUBLIC KEY BLOCK----- | |||||
architectures: amd64 | |||||
proxy: | |||||
enabled: true | |||||
apt-salt-nightly: | |||||
source: "deb http://apt.mirantis.com/xenial nightly salt" | |||||
key_url: http://apt.mirantis.com/public.gpg | |||||
architectures: amd64 | |||||
proxy: | |||||
enabled: false | |||||
apt-extra-nightly: | |||||
source: "deb http://apt.mirantis.com/xenial nightly extra" | |||||
key_url: http://apt.mirantis.com/public.gpg | |||||
architectures: amd64 | |||||
duo: | |||||
key: | | |||||
-----BEGIN PGP PUBLIC KEY BLOCK----- | |||||
Version: GnuPG v2.0.22 (GNU/Linux) | |||||
mQGiBFIog+QRBACobW/uA1UTaWWDlAhwdQGi+KVOomTVsBA/POo/xXX24kU550o3 | |||||
ngeM0ibqIc/ghLUkt4Q2j08x9NgNEzcSjdG5DboouqBrcF5CoN4DOFaiKGiMq1zL | |||||
14ZmushOHE2Qb0gA0zzxo7GwD/6GSvsH3y1z49JJU5hcXNt9PINsE6KXbwCg+Ob+ | |||||
qesaO7JhIPMiDLBrNh20bHsD/3KYrgGyLhbKKaYQtS9B7HUIyS3zagDmC9EU4OsW | |||||
Tgwo6oDm7OTZ0W9ZSmFJn9IYs7LLu4AeDJqL+pQ83CeHvT205zM6dlgLmUgGvp22 | |||||
4KJ0K9Wp54AP2NqX7ok2y5edI1CDejPm01ZZLd2POXkJgeS43oftvBtkAUl+W0dD | |||||
eHPfA/0ZSsV5CJ0qyaLCtnUsoWczXs460Zs4vxvKkuMdUBwZz9W1RyhBvWdsxn0l | |||||
5cwk+rv/49VaYP97M2hPQtrAi7WkRtiU34ze/7Pkpv4+Qiwg9vQjZtMbwzYhWSXt | |||||
C3ps0SyuwkvcHWoCejnqkdlTeZpfeQMQAvjonMyBpdgH0sgf6LQyRHVvIFNlY3Vy | |||||
aXR5IFBhY2thZ2UgU2lnbmluZyA8ZGV2QGR1b3NlY3VyaXR5LmNvbT6IZgQTEQIA | |||||
JgIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQJbfxQqBQkNGPdGAAoJEBzJH8YV | |||||
0y78WGMAoPSPCVhvfjJFj0c4UQgRHL9zApThAJ9W2f39jm6qCshHoltGRxFAPvel | |||||
y7kEDQRSKIVDEBAAiu/l6B3dn0jhLyQsszyAwA1RHh3u4a6a7B4niRX+8zQ8LkQh | |||||
VWADc9TXPgPiKxAZyivhgupk9CHkUaRpgyHm/jK5wIZCV6bgQ62QJymfE1FdF5m7 | |||||
uuq9IvfY/GTWdVwLA/XOxMw6AJMR+WiwNTd0OvlxD1C8u3TZiwEjuPatWVhPfRlT | |||||
+ISgsntjf1DdnyjqLNsOFqj4IDV8nEPlzzNHAhS8axeJAnIMkDG6RyLK2cakZahw | |||||
R/2VYH4K0zjtguyfK/+w5Md9VlEsHgVKfef+Lwwbo/MJ6evsHoEYGr7CvzNxSlse | |||||
2p+3J88YY7tcrlLQRlmhqf3YARS4mjPXnW3fIhlOjCcUStxIT6qvX1a9q7ap7yoP | |||||
KpmXiQKqivg8eWmTFp5UACWYdcX/FXDvamd/6fwEniOtvNcblP5jQcipUAepd9uK | |||||
A6hpN+uwJvp7kIqRvHB7OhZbjKLvkRishZAPvrRt6VUUdmX9fGj/KiqIVB1Xc7cE | |||||
1JwybE+vtY4CSq2CGUYeo0A4a0mq1GCGE4U+00t6ci4xEBtp3+WYbyluZzyBf62l | |||||
m5mFmCZ4fqu19ULB6yzmzcFxmMtw3lYPIgs7VbVSF1GjJ1n1nyLZ6mc+mBdHkhrx | |||||
tueir0NP0yhwpjC+RngKdQCJkFaEbnNprZBi8PviuP7VKFCxSTePWYdwzaMAAwUP | |||||
/3e8bgmKChAzdQroO/4MI6xBe0rCKur11J6lWINsm7oqtvjixqbAViiCKKhpNEgS | |||||
XytDy77a9uUewjlhlVzKQV+4CZ58plxJd2ge0IvQagA5qW7/qr9QWd3h/cUWeuLb | |||||
eg5iHd/uXS5LePz/jzUHgzuDrrfv2AfvPMLR4fv6lt6mg0I8P2Su5rBWXpP+zybf | |||||
lj8CX+bt6ngxPIka8BOUwgfXfp4zwygB8YonpEV24dbgzeeT8cIJ9B67MNgprZjI | |||||
un/0qHMo47sQxATRcqJIO3n/d/m1Rrd6b33T40xVXWvKu9SEoJ94ZbugGCkgR8LT | |||||
3ir42GCFIJUahkR5ObLa9d4H5Mo1FyKsp9MqZ2p0xji4eBsNDJegiJnW+BIzuBaI | |||||
io7kp9c8y+X1ew4MtRYsHaiaKybzINKHQeDNDgdKdno1bRSmuQ0pAa97bfgQRtNR | |||||
4RbB9izjHrdz0FYzzSCCglUqwc4Fgc4Z/6gsIIl743MVJp6VKh8hOfQiE5JhzgxY | |||||
vuGS0zrdyPEtEBTgIdMviCabgZZQCMseajFoOfNfKdtVYunAS6+X+b1Qby4WDcIV | |||||
cde6FFvjvIM4HxS0OIob2ikXIltfIDoHli2QtsZa948QVrqGvqsfcQCjWcS8bVnb | |||||
KLlyAI2kz675GFDmj+BKJomA4z2VW5yXtWFMeYmDYYTliE8EGBECAA8CGwwFAlt/ | |||||
FDoFCQ0Y9fcACgkQHMkfxhXTLvzPBwCgp38icsfj38GinpxMpGF02yxpemUAn1kr | |||||
WbTIiN63dr6gdz7hoZJ7PFmJ | |||||
=t1j7 | |||||
-----END PGP PUBLIC KEY BLOCK----- | |||||
source: "deb [arch=amd64] http://pkg.duosecurity.com/Ubuntu xenial main" | |||||
architectures: amd64 | |||||
locale: | |||||
en_US: | |||||
enabled: true | |||||
default: true | |||||
cs_CZ: | |||||
enabled: true | |||||
autoupdates: | |||||
enabled: true | |||||
sudo: | |||||
enabled: false | |||||
env: | |||||
BOB_VARIABLE: Alice | |||||
LANG: C | |||||
LC_ALL: C | |||||
login_defs: | |||||
PASS_MAX_DAYS: | |||||
value: 99 | |||||
shell: | |||||
umask: '027' | |||||
timeout: 900 | |||||
profile: | |||||
vi_flavors.sh: | | |||||
export PAGER=view | |||||
alias vi=vim | |||||
locales: | | |||||
export LANG=en_US | |||||
export LC_ALL=en_US.UTF-8 | |||||
auth: | |||||
enabled: true | |||||
duo: | |||||
enabled: true | |||||
duo_host: localhost | |||||
duo_ikey: DUO-INTEGRATION-KEY | |||||
duo_skey: DUO-SECRET-KEY | |||||