users-formula/users/googleauth.sls

# vim: sts=2 ts=2 sw=2 et ai
{%- from "users/map.jinja" import users with context %}

{%- if not grains['os_family'] in ['Suse'] %}
{%-   if salt['grains.get']('osfinger', '') in ['Amazon Linux-2'] %}
users_epel_repo:
  pkgrepo.managed:
    - name: epel
    - humanname: Extra Packages for Enterprise Linux 7 - $basearch
    - mirrorlist: https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
    - enabled: 1
    - gpgcheck: 1
    - gpgkey: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
    - failovermethod: priority
    - require_in:
      - pkg: users_googleauth-package
{%-   endif %}

users_googleauth-package:
  pkg.installed:
    - name: {{ users.googleauth_package }}
    - require:
      - file: {{ users.googleauth_dir }}

users_{{ users.googleauth_dir }}:
  file.directory:
    - name: {{ users.googleauth_dir }}
    - user: root
    - group: {{ users.root_group }}
    - mode: '0700'

{%-   if grains['os_family'] == 'RedHat' and "selinux" in grains and grains.selinux.enabled %}
policycoreutils-package:
  pkg.installed:
    - pkgs:
      - policycoreutils
{%-     if grains['osmajorrelease']|int <= 7 %}
      - policycoreutils-python
{%-     else %}
      - policycoreutils-python-utils
{%-     endif %}
users_googleauth_selinux_present:
  selinux.fcontext_policy_present:
    - name: "{{ users.googleauth_dir }}(/.*)?"
    - filetype: 'a'
    - sel_user: unconfined_u
    - sel_type: ssh_home_t
    - sel_level: s0
    - require:
        - pkg: policycoreutils-package
{%-   endif %}

{%-   for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%-     if 'google_auth' in user %}
{%-       for svc in user['google_auth'] %}
{%-         if user.get('google_2fa', True) %}
{%-           set repl = '{0}       {1}   {2} {3} {4}{5}/{6}_{7} {8}'.format(
                             'auth',
                             '[success=done new_authtok_reqd=done default=die]',
                             'pam_google_authenticator.so',
                             'user=root',
                             'secret=',
                             users.googleauth_dir,
                             '${USER}',
                             svc,
                             'echo_verification_code',
                         ) %}
users_googleauth-pam-{{ svc }}-{{ name }}:
  file.replace:
    - name: /etc/pam.d/{{ svc }}
{%- if grains['os_family'] == 'RedHat' %}
    - pattern: '^(auth[ \t]*substack[ \t]*password-auth)'
{%- else %}
    - pattern: '^(@include[ \t]*common-auth)'
{%- endif %}
    - repl: '{{ repl }}\n\1'
    - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
    - backup: .bak
{%-         endif %}
{%-       endfor %}
{%-     endif %}
{%-   endfor %}

{%-   if grains['os_family'] == 'RedHat' and "selinux" in grains and grains.selinux.enabled %}
users_googleauth_selinux_applied:
  selinux.fcontext_policy_applied:
    - name: {{ users.googleauth_dir }}
{%-   endif %}

sshd:
  service.running:
    - watch:
      - file: /etc/ssh/sshd_config

sshd_config:
  file.replace:
    - name: /etc/ssh/sshd_config
    - pattern: '^(ChallengeResponseAuthentication|KbdInteractiveAuthentication).*'
    - repl: '\1 yes'

{%- endif %}