Merge remote-tracking branch 'upstream/master'

pebtron · Jun 14, 2018 · 12677cd · 12677cd
2 parents 04a426a + 925b0b6
commit 12677cd
Show file tree

Hide file tree

Showing 4 changed files with 117 additions and 102 deletions.
diff --git a/README.md b/README.md
@@ -1,18 +1,21 @@
-#duo_unix Puppet Module
+# duo_unix Puppet v3 Module (Dev Status: Inactive)
 
-##Table of Contents
+:exclamation: **This project was archived on 2/20/2018.**
 
-### [Overview](#overview)
-### [Description](#description)
-### [Example Usage](#example-usage)
-### [Reference](#reference)
-### [Limitations](#limitations)
+## Table of Contents
 
-##Overview
+### [Overview](#overview-1)
+### [Description](#description-1)
+### [Installing](#installing-1)
+### [Configuring](#configuring-1)
+### [Reference](#reference-1)
+### [Support and Limitations](#support-and-limitations-1)
 
-The duo_unix module installs and manages duo_unix (`login_duo` or `pam_duo`).
+## Overview
 
-##Description
+The duo_unix Puppet module installs and manages duo_unix (`login_duo` or `pam_duo`).
+
+## Description
 
 The duo_unix module handles the deployment of duo_unix (`login_duo` or 
 `pam_duo`) across a range of Linux distributions. The module will handle 
@@ -22,107 +25,117 @@ of OpenSSH, and PAM alterations as needed.
 For further information about duo_unix, view the official
 [documentation](https://www.duosecurity.com/docs/duounix).
 
-##Installing
+## Installing
 
-```
-$ puppet module install duosecurity-duo_unix
+```sh
+puppet module install duosecurity-duo_unix
 ```
 
-##Configuring
+## Configuring
 
-```
-$ cat duo_unix.pp
+```ruby
+# duo_unix.pp
 class { 'duo_unix':
   usage     => 'login',
   ikey      => 'YOUR-IKEY-VALUE',
   skey      => 'YOUR-SKEY-VALUE',
   host      => 'YOUR-HOST-VALUE',
   pushinfo  => 'yes'
 }
-$ puppet apply duo_unix.pp
 ```
 
-##Reference
+```sh
+puppet apply duo_unix.pp
+```
 
-###Classes
+## Reference
 
-* duo_unix - Main class, includes all of the rest
-* duo_unix::apt - Repository configuration for Apt-based distributions
-* duo_unix::generic - Provides cross-platform resources
-* duo_unix::login - Configuration of `login_duo` functionality
-* duo_unix::pam - Configuration of `pam_duo` functionality
-* duo_unix::yum - Repository configuration for Yum-based distributions
+### Classes
 
-###Parameters
+* `duo_unix` - Main class, includes all of the rest
+* `duo_unix::apt` - Repository configuration for Apt-based distributions
+* `duo_unix::generic` - Provides cross-platform resources
+* `duo_unix::login` - Configuration of `login_duo` functionality
+* `duo_unix::pam` - Configuration of `pam_duo` functionality
+* `duo_unix::yum` - Repository configuration for Yum-based distributions
+
+### Parameters
 
 The following parameters are available to configure in the duo_unix module.
 Please note that many parameters have default settings and some are required
 while others are optional.
 
-####`usage [required]`
-This determines whether `login_duo` or `pam_duo` is utilized. Valid options are
-*login* or *pam*.
+#### `usage [required]`
+  This determines whether `login_duo` or `pam_duo` is utilized. Valid options are
+  *login* or *pam*.
+
+#### `ikey [required]`
+  Configures the integration key (*ikey*) value.
+
+#### `skey [required]`
+  Configures the secret key (*skey*) value.
 
-####`ikey [required]`
-Configures the integration key (*ikey*) value.
+#### `host [required]`
+  Configures the API host (*host*) value.
 
-####`skey [required]`
-Configures the secret key (*skey*) value.
+#### `fallback_local_ip [optional]`
+  Configures whether or not to fallback to the server's IP. Valid options are 
+  *yes* and *no*. The default is *no*.
 
-####`host [required]`
-Configures the API host (*host*) value.
+#### `failmode [optional]`
+  Configures how to fail if the Duo service is misconfigured. Valid options are 
+  *safe* (open) and *secure* (closed). The default is *safe*.
 
-####`fallback_local_ip [optional]`
-Configures whether or not to fallback to the server's IP. Valid options are 
-*yes* and *no*. The default is *no*.
+#### `pushinfo [optional]`
+  Configures whether to show command execution details in the push notification.
+  Valid options are *yes* and *no*. The default is *no*.
 
-####`failmode [optional]`
-Configures how to fail if the Duo service is misconfigured. Valid options are 
-*safe* (open) and *secure* (closed). The default is *safe*.
+#### `autopush [optional]`
+  Configures whether to send a push automatically to a user if their phone is 
+  capable. Valid options are *yes* and *no*. The default is *no*.
 
-####`pushinfo [optional]`
-Configures whether to show command execution details in the push notification.
-Valid options are *yes* and *no*. The default is *no*.
+#### `prompts [optional]`
+  Configures the number of times a user will be prompted to complete their second
+  factor authentication. Valid options are *1*, *2*, and *3*. The default is *3*.
 
-####`autopush [optional]`
-Configures whether to send a push automatically to a user if their phone is 
-capable. Valid options are *yes* and *no*. The default is *no*.
+#### `accept_env_factor [optional]`
+  Configures whether an environment variable can be configured with a passcode to
+  complete the second factor authentication. Valid options are *yes* and *no*.
+  The default is *no*.
 
-####`prompts [optional]`
-Configures the number of times a user will be prompted to complete their second
-factor authentication. Valid options are *1*, *2*, and *3*. The default is *3*.
+#### `motd [optional]`
+  Configures if a successful login will print `/etc/motd` to the user. This is
+  only an option for `login_duo`. Valid options are *yes* and *no*. The default
+  is *no*.
 
-####`accept_env_factor [optional]`
-Configures whether an environment variable can be configured with a passcode to
-complete the second factor authentication. Valid options are *yes* and *no*.
-The default is *no*.
+#### `group [optional]`
+  Configures a Unix group that will have duo_unix enabled for the associated
+  users. There is no default for this setting.
 
-####`motd [optional]`
-Configures if a successful login will print `/etc/motd` to the user. This is
-only an option for `login_duo`. Valid options are *yes* and *no*. The default
-is *no*.
+#### `http_proxy [optional]`
+  Configures usage of the http_proxy environment variable. There is not default
+  for this setting.
 
-####`group [optional]`
-Configures a Unix group that will have duo_unix enabled for the associated
-users. There is no default for this setting.
+#### `manage_ssh [optional]`
+  Configures whether or not to allow the module to manage the SSH service/package. 
+  The default is *true*.
 
-####`http_proxy [optional]`
-Configures usage of the http_proxy environment variable. There is not default
-for this setting.
+#### `manage_pam [optinal]`
+  Configures whether or not to allow the module to manage the system PAM configuration.
+  The default is *true*.
 
-####`manage_ssh [optional]`
-Configures whether or not to allow the module to manage the SSH service/package. 
-The default is *true*.
+#### `pam_unix_control [optional]`
+  Configures the PAM control value for pam_duo. The default is *requisite*.
 
-####`pam_unix_control [optional]`
-Configures the PAM control value for pam_duo. The default is *requisite*.
+#### `package_version [optional]`
+  Configure which version of Duo Unix to use.
+  The default is *latest*.
 
-####`package_version [optional]`
-Configure which version of Duo Unix to use.
-The default is *latest*.
+## Support and Limitations
 
-##Limitations
-This module has been built on and tested against Puppet 3.2.4
+This module built on and tested against Puppet 3.2.4. It does not yet support 
+Puppet 4 and is no longer being actively developed. Duo continues to provide 
+best-effort support for this module.
 
 The module has been tested on:
 
@@ -138,17 +151,17 @@ The module has been tested on:
 * Ubuntu 14.04.3 (32/64-bit)
 
 If you test the module on other Linux distributions (or different versions of 
-the above), please provide feedback as able on successes or failures. We will
-work to add support for other operating systems and Linux distributions soon.
+the above), please provide feedback as able on successes or failures. 
 
 **Caution:** The use of this module will edit OpenSSH and/or PAM configuration 
 files depending on the usage defined. These modifications have only been tested
 against default distribution configurations and could impact your settings. Be 
 sure to test this module against non-production systems before attempting to 
 deploy it across your critical infrastucture.
 
-##Thanks
+## Thanks
 * Gregg Leventhal
 * level99
 * Denise Stockman
 * Dan Cox
+* Mark Stanislav
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -20,6 +20,7 @@
   $prompts = '3',
   $accept_env_factor = 'no',
   $manage_ssh = true,
+  $manage_pam = true,
   $pam_unix_control = 'requisite',
   $package_version = 'installed',
 ) {

diff --git a/manifests/pam.pp b/manifests/pam.pp
@@ -31,31 +31,32 @@
     }
   }
 
-  if $::osfamily == 'RedHat' {
-    augeas { 'PAM Configuration':
-      changes => [
-        "set ${aug_pam_path}/2/control ${duo_unix::pam_unix_control}",
-        "ins 100 after ${aug_pam_path}/2",
-        "set ${aug_pam_path}/100/type auth",
-        "set ${aug_pam_path}/100/control sufficient",
-        "set ${aug_pam_path}/100/module ${duo_unix::pam_module}"
-      ],
-      require => Package[$duo_unix::duo_package],
-      onlyif  => "match ${aug_match} size == 0";
-    }
+  if $duo_unix::manage_pam {
+    if $::osfamily == 'RedHat' {
+      augeas { 'PAM Configuration':
+        changes => [
+          "set ${aug_pam_path}/2/control ${duo_unix::pam_unix_control}",
+          "ins 100 after ${aug_pam_path}/2",
+          "set ${aug_pam_path}/100/type auth",
+          "set ${aug_pam_path}/100/control sufficient",
+          "set ${aug_pam_path}/100/module ${duo_unix::pam_module}"
+        ],
+        require => Package[$duo_unix::duo_package],
+        onlyif  => "match ${aug_match} size == 0";
+      }
 
-  } else {
-    augeas { 'PAM Configuration':
-      changes => [
-        "set ${aug_pam_path}/1/control ${duo_unix::pam_unix_control}",
-        "ins 100 after ${aug_pam_path}/1",
-        "set ${aug_pam_path}/100/type auth",
-        "set ${aug_pam_path}/100/control '[success=1 default=ignore]'",
-        "set ${aug_pam_path}/100/module ${duo_unix::pam_module}"
-      ],
-      require => Package[$duo_unix::duo_package],
-      onlyif  => "match ${aug_match} size == 0";
+    } else {
+      augeas { 'PAM Configuration':
+        changes => [
+          "set ${aug_pam_path}/1/control ${duo_unix::pam_unix_control}",
+          "ins 100 after ${aug_pam_path}/1",
+          "set ${aug_pam_path}/100/type auth",
+          "set ${aug_pam_path}/100/control '[success=1 default=ignore]'",
+          "set ${aug_pam_path}/100/module ${duo_unix::pam_module}"
+        ],
+        require => Package[$duo_unix::duo_package],
+        onlyif  => "match ${aug_match} size == 0";
+      }
     }
   }
-
 }
diff --git a/templates/duo.conf.erb b/templates/duo.conf.erb
@@ -33,7 +33,7 @@ motd=<%= @motd %>
 <% if @group != '' -%>
 
 ; Group restriction
-group=<%= @group %>
+groups=<%= @group %>
 <% end -%>
 <% if @http_proxy != '' -%>