Saltstack Official Users Formula

# vim: sts=2 ts=2 sw=2 et ai
# Google Authenticator (PAM OTP) integration for the users formula.
# Installs the PAM module, creates a root-owned secret directory, inserts a
# pam_google_authenticator line into each PAM service listed under a pillar
# user's google_auth, and turns on challenge-response authentication in sshd.
# The whole file is a no-op on the Suse os_family.
{%- from "users/map.jinja" import users with context %}

{%- if not grains['os_family'] in ['Suse'] %}
# Package name is distro-specific and comes from users/map.jinja.
users_googleauth-package:
  pkg.installed:
    - name: {{ users.googleauth_package }}
    - require:
      # Requisite matches the file.directory state below by its name.
      - file: {{ users.googleauth_dir }}

# Directory holding the per-user, per-service OTP secret files referenced by
# the PAM line below (secret=<dir>/${USER}_<svc>). Root-only (0700): the module
# is invoked with user=root, so secrets are never owned or readable by the
# login user.
users_{{ users.googleauth_dir }}:
  file.directory:
    - name: {{ users.googleauth_dir }}
    - user: root
    - group: {{ users.root_group }}
    - mode: '0700'

{%- if grains['os_family'] == 'RedHat' and "selinux" in grains and grains.selinux.enabled %}
# SELinux tooling required by the selinux.fcontext_* states; the companion
# python package is named differently on EL7 and older than on later releases.
policycoreutils-package:
  pkg.installed:
    - pkgs:
      - policycoreutils
{%- if grains['osmajorrelease']|int <= 7 %}
      - policycoreutils-python
{%- else %}
      - policycoreutils-python-utils
{%- endif %}

# Persistent file-context rule labelling the secret directory and everything
# under it ssh_home_t. Declared here, applied further below once the PAM edits
# are in place.
users_googleauth_selinux_present:
  selinux.fcontext_policy_present:
    - name: "{{ users.googleauth_dir }}(/.*)?"
    - filetype: 'a'
    - sel_user: unconfined_u
    - sel_type: ssh_home_t
    - sel_level: s0
    - require:
      - pkg: policycoreutils-package
{%- endif %}

# One file.replace per (user, PAM service) pair, for every pillar user that is
# not marked absent and lists google_auth services. google_2fa defaults to
# true and can be set to false on a user to opt that user out.
{%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
{%- if user.get('google_2fa', True) %}
# PAM line that gets inserted above the distro's common auth include.
# Control field semantics: success=done ends the auth stack as soon as the OTP
# is accepted, so the password modules it is inserted above are not consulted
# on that path; default=die fails closed when the module fails. No nullok is
# passed, so presumably users without a secret file are rejected on this
# service. NOTE(review): confirm that OTP-only success is the intended factor
# policy for these services.
{%- set repl = '{0} {1} {2} {3} {4}{5}/{6}_{7} {8}'.format(
    'auth',
    '[success=done new_authtok_reqd=done default=die]',
    'pam_google_authenticator.so',
    'user=root',
    'secret=',
    users.googleauth_dir,
    '${USER}',
    svc,
    'echo_verification_code',
  ) %}
users_googleauth-pam-{{ svc }}-{{ name }}:
  file.replace:
    - name: /etc/pam.d/{{ svc }}
{%- if grains['os_family'] == 'RedHat' %}
    - pattern: '^(auth[ \t]*substack[ \t]*password-auth)'
{%- else %}
    - pattern: '^(@include[ \t]*common-auth)'
{%- endif %}
    # The back-reference keeps the matched include line after the inserted one.
    - repl: '{{ repl }}\n\1'
    # Idempotence guard: any mention of the module in the file, even a
    # commented-out one, suppresses the edit.
    - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
    # A .bak copy of the service file is written before the first edit.
    - backup: .bak
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}

{%- if grains['os_family'] == 'RedHat' and "selinux" in grains and grains.selinux.enabled %}
# Apply the file-context rule declared above to the secret directory.
users_googleauth_selinux_applied:
  selinux.fcontext_policy_applied:
    - name: {{ users.googleauth_dir }}
{%- endif %}

# Restart sshd whenever sshd_config is changed by the state below.
# NOTE(review): the service name is hard-coded as sshd rather than taken from
# the map; verify it resolves on every supported os_family.
sshd:
  service.running:
    - watch:
      - file: /etc/ssh/sshd_config

# Enable challenge-response authentication in sshd, presumably so the PAM OTP
# prompt reaches the user. This runs on every non-Suse minion, even when no
# pillar user has google_auth configured. The anchored pattern only rewrites an
# existing, uncommented directive; a commented-out or missing one is left
# untouched (no append_if_not_found), so check the distro default before
# relying on this state alone.
sshd_config:
  file.replace:
    - name: /etc/ssh/sshd_config
    - pattern: '^(ChallengeResponseAuthentication|KbdInteractiveAuthentication).*'
    - repl: '\1 yes'
{%- endif %}