Browse Source
Merge pull request #60 from maytechnet/feature/googleauth
google authentication pam module supportlookup-fix-3
Forrest
9 years ago
4 changed files with 74 additions and 6 deletions
+ 12
- 0
pillar.example
View File
| @@ -28,6 +28,18 @@ users: | |||
| - PUBLICKEY | |||
| ssh_auth.absent: | |||
| - PUBLICKEY_TO_BE_REMOVED | |||
| google_auth: | |||
| ssh: | | |||
| SOMEGAUTHHASHVAL | |||
| " RESETTING_TIME_SKEW 46956472+2 46991595-2 | |||
| " RATE_LIMIT 3 30 1415800560 | |||
| " DISALLOW_REUSE 47193352 | |||
| " TOTP_AUTH | |||
| 11111111 | |||
| 22222222 | |||
| 33333333 | |||
| 44444444 | |||
| 55555555 | |||
| ## Absent user | |||
| cuser: | |||
+ 15
- 0
users/googleauth.sls
View File
| @@ -0,0 +1,15 @@ | |||
| # vim: sts=2 ts=2 sw=2 et ai | |||
| {% from "users/map.jinja" import users with context %} | |||
| googleauth-package: | |||
| pkg.installed: | |||
| - name: {{ users.googleauth_package }} | |||
| - require: | |||
| - file: {{ users.googleauth_dir }} | |||
| {{ users.googleauth_dir }}: | |||
| file: | |||
| - directory | |||
| - user: root | |||
| - group: {{ users.root_group }} | |||
| - mode: 600 | |||
+ 39
- 6
users/init.sls
View File
| @@ -1,6 +1,29 @@ | |||
| # vim: sts=2 ts=2 sw=2 et ai | |||
| {% from "users/map.jinja" import users with context %} | |||
| {% set used_sudo = False %} | |||
| {% set used_sudo = [] %} | |||
| {% set used_googleauth = [] %} | |||
| {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} | |||
| {%- if user == None -%} | |||
| {%- set user = {} -%} | |||
| {%- endif -%} | |||
| {%- if 'sudouser' in user and user['sudouser'] %} | |||
| {%- do used_sudo.append(1) %} | |||
| {%- endif %} | |||
| {%- if 'google_auth' in user %} | |||
| {%- do used_googleauth.append(1) %} | |||
| {%- endif %} | |||
| {%- endfor %} | |||
| {%- if used_sudo or used_googleauth %} | |||
| include: | |||
| {%- if used_sudo %} | |||
| - users.sudo | |||
| {%- endif %} | |||
| {%- if used_googleauth %} | |||
| - users.googleauth | |||
| {%- endif %} | |||
| {%- endif %} | |||
| {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} | |||
| {%- if user == None -%} | |||
| @@ -145,11 +168,6 @@ ssh_auth_delete_{{ name }}_{{ loop.index0 }}: | |||
| {% endif %} | |||
| {% if 'sudouser' in user and user['sudouser'] %} | |||
| {% if not used_sudo %} | |||
| {% set used_sudo = True %} | |||
| include: | |||
| - users.sudo | |||
| {% endif %} | |||
| sudoer-{{ name }}: | |||
| file.managed: | |||
| @@ -187,6 +205,21 @@ sudoer-{{ name }}: | |||
| - name: {{ users.sudoers_dir }}/{{ name }} | |||
| {% endif %} | |||
| {%- if 'google_auth' in user %} | |||
| {%- for svc in user['google_auth'] %} | |||
| googleauth-{{ svc }}-{{ name }}: | |||
| file.managed: | |||
| - replace: false | |||
| - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }} | |||
| - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}' | |||
| - user: root | |||
| - group: {{ users.root_group }} | |||
| - mode: 600 | |||
| - require: | |||
| - pkg: googleauth-package | |||
| {%- endfor %} | |||
| {%- endif %} | |||
| {% endfor %} | |||
| {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %} | |||
+ 8
- 0
users/map.jinja
View File
| @@ -3,37 +3,45 @@ | |||
| 'Debian': { | |||
| 'sudoers_dir': '/etc/sudoers.d', | |||
| 'sudoers_file': '/etc/sudoers', | |||
| 'googleauth_dir': '/etc/google_authenticator.d', | |||
| 'root_group': 'root', | |||
| 'shell': '/bin/bash', | |||
| 'visudo_shell': '/bin/bash', | |||
| 'bash_package': 'bash', | |||
| 'sudo_package': 'sudo', | |||
| 'googleauth_package': 'libpam-google-authenticator', | |||
| }, | |||
| 'Gentoo': { | |||
| 'sudoers_dir': '/etc/sudoers.d', | |||
| 'sudoers_file': '/etc/sudoers', | |||
| 'googleauth_dir': '/etc/google_authenticator.d', | |||
| 'root_group': 'root', | |||
| 'shell': '/bin/bash', | |||
| 'visudo_shell': '/bin/bash', | |||
| 'bash_package': 'app-shells/bash', | |||
| 'sudo_package': 'app-admin/sudo', | |||
| 'googleauth_package': 'libpam-google-authenticator', | |||
| }, | |||
| 'FreeBSD': { | |||
| 'sudoers_dir': '/usr/local/etc/sudoers.d', | |||
| 'sudoers_file': '/usr/local/etc/sudoers', | |||
| 'googleauth_dir': '/usr/local/etc/google_authenticator.d', | |||
| 'root_group': 'wheel', | |||
| 'shell': '/bin/csh', | |||
| 'visudo_shell': '/usr/local/bin/bash', | |||
| 'bash_package': 'bash', | |||
| 'sudo_package': 'sudo', | |||
| 'googleauth_package': 'pam_google_authenticator', | |||
| }, | |||
| 'default': { | |||
| 'sudoers_dir': '/etc/sudoers.d', | |||
| 'sudoers_file': '/etc/sudoers', | |||
| 'googleauth_dir': '/etc/google_authenticator.d', | |||
| 'root_group': 'root', | |||
| 'shell': '/bin/bash', | |||
| 'visudo_shell': '/bin/bash', | |||
| 'bash_package': 'bash', | |||
| 'sudo_package': 'sudo', | |||
| 'googleauth_package': 'libpam-google-authenticator', | |||
| }, | |||
| }, merge=salt['pillar.get']('users:lookup')) %} | |||
Loading…