Merge pull request #60 from maytechnet/feature/googleauth

google authentication pam module support

pillar.example

       - PUBLICKEY
     ssh_auth.absent:
       - PUBLICKEY_TO_BE_REMOVED
+    google_auth:
+      ssh: |
+        SOMEGAUTHHASHVAL
+        " RESETTING_TIME_SKEW 46956472+2 46991595-2
+        " RATE_LIMIT 3 30 1415800560
+        " DISALLOW_REUSE 47193352
+        " TOTP_AUTH
+        11111111
+        22222222
+        33333333
+        44444444
+        55555555
 
   ## Absent user
   cuser:

users/googleauth.sls

+# vim: sts=2 ts=2 sw=2 et ai
+{% from "users/map.jinja" import users with context %}
+
+googleauth-package:
+  pkg.installed:
+    - name: {{ users.googleauth_package }}
+    - require:
+      - file: {{ users.googleauth_dir }} 
+
+{{ users.googleauth_dir }}:
+  file:
+    - directory
+    - user: root
+    - group: {{ users.root_group }}
+    - mode: 600

users/init.sls

 # vim: sts=2 ts=2 sw=2 et ai
 {% from "users/map.jinja" import users with context %}
-{% set used_sudo = False %}
+{% set used_sudo = [] %}
+{% set used_googleauth = [] %}
+
+{%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
+{%- if user == None -%}
+{%- set user = {} -%}
+{%- endif -%}
+{%- if 'sudouser' in user and user['sudouser'] %}
+{%- do used_sudo.append(1) %}
+{%- endif %}
+{%- if 'google_auth' in user %}
+{%- do used_googleauth.append(1) %}
+{%- endif %}
+{%- endfor %}
+
+{%- if used_sudo or used_googleauth %}
+include:
+{%- if used_sudo %}
+  - users.sudo
+{%- endif %}
+{%- if used_googleauth %}
+  - users.googleauth
+{%- endif %}
+{%- endif %}
 
 {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
 {%- if user == None -%}
 {% endif %}
 
 {% if 'sudouser' in user and user['sudouser'] %}
-{% if not used_sudo %}
-{% set used_sudo = True %}
-include:
-  - users.sudo
-{% endif %}
 
 sudoer-{{ name }}:
   file.managed:
     - name: {{ users.sudoers_dir }}/{{ name }}
 {% endif %}
 
+{%- if 'google_auth' in user %}
+{%- for svc in user['google_auth'] %}
+googleauth-{{ svc }}-{{ name }}:
+  file.managed:
+    - replace: false
+    - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
+    - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
+    - user: root
+    - group: {{ users.root_group }}
+    - mode: 600
+    - require:
+      - pkg: googleauth-package
+{%- endfor %}
+{%- endif %}
+
 {% endfor %}
 
 {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}

users/map.jinja

   'Debian': {
     'sudoers_dir': '/etc/sudoers.d',
     'sudoers_file': '/etc/sudoers',
+    'googleauth_dir': '/etc/google_authenticator.d',
     'root_group': 'root',
     'shell': '/bin/bash',
     'visudo_shell': '/bin/bash',
     'bash_package': 'bash',
     'sudo_package': 'sudo',
+    'googleauth_package': 'libpam-google-authenticator',
   },
   'Gentoo': {
     'sudoers_dir': '/etc/sudoers.d',
     'sudoers_file': '/etc/sudoers',
+    'googleauth_dir': '/etc/google_authenticator.d',
     'root_group': 'root',
     'shell': '/bin/bash',
     'visudo_shell': '/bin/bash',
     'bash_package': 'app-shells/bash',
     'sudo_package': 'app-admin/sudo',
+    'googleauth_package': 'libpam-google-authenticator',
   },
   'FreeBSD': {
     'sudoers_dir': '/usr/local/etc/sudoers.d',
     'sudoers_file': '/usr/local/etc/sudoers',
+    'googleauth_dir': '/usr/local/etc/google_authenticator.d',
     'root_group': 'wheel',
     'shell': '/bin/csh',
     'visudo_shell': '/usr/local/bin/bash',
     'bash_package': 'bash',
     'sudo_package': 'sudo',
+    'googleauth_package': 'pam_google_authenticator',
   },
   'default': {
     'sudoers_dir': '/etc/sudoers.d',
     'sudoers_file': '/etc/sudoers',
+    'googleauth_dir': '/etc/google_authenticator.d',
     'root_group': 'root',
     'shell': '/bin/bash',
     'visudo_shell': '/bin/bash',
     'bash_package': 'bash',
     'sudo_package': 'sudo',
+    'googleauth_package': 'libpam-google-authenticator',
   },
 }, merge=salt['pillar.get']('users:lookup')) %}