fix: Duo-prompt on RHEL 8 and RHEL 9

2024-12-30 08:25:21 +13:00
parent 73b9c52474
commit b668b705c3
6 changed files with 31 additions and 9 deletions
--- a/files/etc.yum.repos.d.duosecurity
+++ b/files/etc.yum.repos.d.duosecurity
@@ -1,6 +0,0 @@
-## Managed by Ansible ##
-[duosecurity]
-name=Duo Security Repository
-baseurl=https://pkg.duosecurity.com/RedHat/"$releasever"Server/$basearch
-enabled=1
-gpgcheck=1
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -6,7 +6,7 @@
      yum:
        name: >
          openssh-server, openssh-clients, 
-          sshpass, passwd
+          sshpass, passwd, rsyslog
        state: installed

    - name: Ensure sshd is running
@@ -15,6 +15,12 @@
        state: started
        enabled: true
        
+    - name: Ensure rsyslog is running
+      service:
+        name: rsyslog
+        state: started
+        enabled: true
+
    - name: Ensure nologin files are absent
      file: 
        path: "{{ item }}"
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -26,3 +26,7 @@
  - name: Did duo prompt show?
    assert:
      that: "'Duo two-factor login for' in slurpfile['content'] | b64decode"
+
+  # - name: Actual output
+  #   debug: 
+  #     msg: "{{ slurpfile['content'] | b64decode }}"
--- a/molecule/fixed-mirror/prepare.yml
+++ b/molecule/fixed-mirror/prepare.yml
@@ -6,7 +6,7 @@
      yum:
        name: >
          openssh-server, openssh-clients, 
-          sshpass, passwd
+          sshpass, passwd, rsyslog
        state: installed

    - name: Ensure sshd is running
@@ -14,7 +14,13 @@
        name: sshd
        state: started
        enabled: true
-        
+
+    - name: Ensure rsyslog is running
+      service:
+        name: rsyslog
+        state: started
+        enabled: true
+
    - name: Ensure nologin files are absent
      file: 
        path: "{{ item }}"
--- a/molecule/fixed-mirror/verify.yml
+++ b/molecule/fixed-mirror/verify.yml
@@ -26,3 +26,7 @@
  - name: Did duo prompt show?
    assert:
      that: "'Duo two-factor login for' in slurpfile['content'] | b64decode"
+
+  # - name: Actual output
+  #   debug: 
+  #     msg: "{{ slurpfile['content'] | b64decode }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -42,6 +42,14 @@
      line: 'ChallengeResponseAuthentication yes'
  notify: Restart sshd

+- name: RHEL9 - Ensure ChallengeResponseAuthentication is enabled
+  lineinfile:
+    path: /etc/ssh/sshd_config.d/50-redhat.conf
+    regex: '^ChallengeResponseAuthentication '
+    line: 'ChallengeResponseAuthentication yes'
+  notify: Restart sshd
+  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 9
+
 - name: Flush Handlers
  meta: flush_handlers