Initial Commit

.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

.vagrant/machines/default/virtualbox/action_set_name

@@ -0,0 +1 @@
+1585690149

.vagrant/machines/default/virtualbox/creator_uid

@@ -0,0 +1 @@
+1000

.vagrant/machines/default/virtualbox/id

@@ -0,0 +1 @@
+41f4bbd1-36c9-4f47-876c-7aa50b09f29a

.vagrant/machines/default/virtualbox/index_uuid

@@ -0,0 +1 @@
+570d20849699415986acc997c20df779

.vagrant/machines/default/virtualbox/vagrant_cwd

@@ -0,0 +1 @@
+/home/vagrant/Documents/ansible-roles/auth_duo

.vagrant/rgloader/loader.rb

@@ -0,0 +1,9 @@
+# This file loads the proper rgloader/loader.rb file that comes packaged
+# with Vagrant so that encoded files can properly run with Vagrant.
+
+if ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"]
+  require File.expand_path(
+    "rgloader/loader", ENV["VAGRANT_INSTALLER_EMBEDDED_DIR"])
+else
+  raise "Encoded files can't be read outside of the Vagrant installer."
+end

.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

Vagrantfile

@@ -0,0 +1,70 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box = "cybercinch/centos7"
+
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+  # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine and only allow access
+  # via 127.0.0.1 to disable public access
+  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+  # config.vm.network "private_network", ip: "192.168.33.10"
+
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  # config.vm.provider "virtualbox" do |vb|
+  #   # Display the VirtualBox GUI when booting the machine
+  #   vb.gui = true
+  #
+  #   # Customize the amount of memory on the VM:
+  #   vb.memory = "1024"
+  # end
+  #
+  # View the documentation for the provider you are using for more
+  # information on available options.
+
+  # Enable provisioning with a shell script. Additional provisioners such as
+  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
+  # documentation for more information about their specific syntax and use.
+  # config.vm.provision "shell", inline: <<-SHELL
+  #   apt-get update
+  #   apt-get install -y apache2
+  # SHELL
+end

defaults/main.yml

@@ -0,0 +1,14 @@
+---
+# defaults file for auth_duo
+auth_duo_install_repo: true
+auth_duo_reponame: duosecurity
+# The settings which will be applied to  /etc/duo/login_duo.conf
+# Minimal settings are ikey, skey and host
+# For more please check https://duo.com/docs/duounix#duo-configuration-options
+auth_duo_settings:
+  - key: ikey
+    value: someikey
+  - key: skey
+    value: someskey
+  - key: host
+    value: somehost

files/etc.pam.d.sshd

@@ -0,0 +1,23 @@
+#%PAM-1.0
+auth       required     pam_sepermit.so
+auth       substack     password-auth
+auth       required     pam_env.so
+auth       sufficient   pam_duo.so
+auth       required     pam_deny.so
+auth       include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth      optional     pam_reauthorize.so prepare
+account    required     pam_nologin.so
+account    include      password-auth
+password   include      password-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+session    include      password-auth
+session    include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session   optional     pam_reauthorize.so prepare

files/etc.yum.repos.d.duosecurity

@@ -0,0 +1,6 @@
+## Managed by Ansible ##
+[duosecurity]
+name=Duo Security Repository
+baseurl=https://pkg.duosecurity.com/RedHat/"$releasever"Server/$basearch
+enabled=1
+gpgcheck=1

handlers/main.yml

@@ -0,0 +1,6 @@
+---
+# handlers file for auth_duo
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted

meta/main.yml

@@ -0,0 +1,45 @@
+galaxy_info:
+  author: Aaron Guise
+  description: Enable duo_unix - Multifactor Authentication for Linux
+  company: Ultrafast Fibre
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: MIT
+
+  min_ansible_version: 2.9
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+   - name: RedHat
+     versions:
+       - 7
+galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
+  

molecule/default/INSTALL.rst

@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule[docker]'

molecule/default/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Include auth_duo"
+      include_role:
+        name: "auth_duo"

molecule/default/molecule.yml

@@ -0,0 +1,17 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: instance
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/default/prepare.yml

@@ -0,0 +1,13 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: ensure openssh installed
+      yum:
+        name: openssh-server
+        state: installed
+    - name: ensure sshd is running
+      service:
+        name: sshd
+        state: started
+        enabled: true

molecule/default/verify.yml

@@ -0,0 +1,9 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  tasks:
+  - name: Example assertion
+    assert:
+      that: true

tasks/duo-repo.yml

@@ -0,0 +1,11 @@
+---
+- name: Ensure Duo GPG Key is installed
+  rpm_key:
+    key: https://duo.com/DUO-GPG-PUBLIC-KEY.asc
+    state: present
+
+- name: Ensure duo repository is present
+  copy:
+    src: etc.yum.repos.d.duosecurity
+    dest: /etc/yum.repos.d/duosecurity.repo
+    

tasks/main.yml

@@ -0,0 +1,44 @@
+---
+# tasks file for auth_duo
+- name: Include repository install
+  include_tasks: duo-repo.yml
+  when: auth_duo_install_repo
+
+- name: Ensure duo is installed
+  yum:
+    name: duo_unix
+    enablerepo: "{{ auth_duo_reponame }}"
+    state: installed
+
+# - name: Ensure ikey is populated
+#   fail:
+#     msg: "ikey should not be 'someikey' see defaults/main.yml"
+#   when: 
+- name: Ensure Duo configuration in place
+  ini_file: 
+    path: /etc/duo/pam_duo.conf
+    section: duo
+    option: "{{ item.key }}"
+    value: "{{ item.value }}"
+  with_items: "{{ auth_duo_settings }}"
+
+- name: Ensure PAM for SSH is configured with duo MFA
+  copy:
+    src: etc.pam.d.sshd
+    dest: /etc/pam.d/sshd
+  notify: restart sshd
+
+- name: Ensure PAM is enabled for SSH 
+  lineinfile: 
+    path: /etc/ssh/sshd_config
+    regexp: "{{ item.regex }}"
+    line: "{{ item.line }}"
+  with_items: 
+    - regex: '^UsePAM '
+      line: 'UsePAM yes'
+    - regex: '^ChallengeResponseAuthentication '
+      line: 'ChallengeResponseAuthentication yes'
+  notify: restart sshd
+
+- name: Flush Handlers
+  meta: flush_handlers

tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - auth_duo

vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for auth_duo

virtualbox.repo

@@ -0,0 +1,7 @@
+[virtualbox]
+name=Oracle Linux / RHEL / CentOS-$releasever / $basearch - VirtualBox
+baseurl=http://download.virtualbox.org/virtualbox/rpm/el/$releasever/$basearch
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://www.virtualbox.org/download/oracle_vbox.asc