From b668b705c3f747e63e1c814c0f792f4ee5c337a5 Mon Sep 17 00:00:00 2001 From: Aaron Guise Date: Mon, 30 Dec 2024 08:25:21 +1300 Subject: [PATCH] fix: Duo-prompt on RHEL 8 and RHEL 9 --- files/etc.yum.repos.d.duosecurity | 6 ------ molecule/default/prepare.yml | 8 +++++++- molecule/default/verify.yml | 4 ++++ molecule/fixed-mirror/prepare.yml | 10 ++++++++-- molecule/fixed-mirror/verify.yml | 4 ++++ tasks/main.yml | 8 ++++++++ 6 files changed, 31 insertions(+), 9 deletions(-) delete mode 100644 files/etc.yum.repos.d.duosecurity diff --git a/files/etc.yum.repos.d.duosecurity b/files/etc.yum.repos.d.duosecurity deleted file mode 100644 index e9c6d4c..0000000 --- a/files/etc.yum.repos.d.duosecurity +++ /dev/null @@ -1,6 +0,0 @@ -## Managed by Ansible ## -[duosecurity] -name=Duo Security Repository -baseurl=https://pkg.duosecurity.com/RedHat/"$releasever"Server/$basearch -enabled=1 -gpgcheck=1 \ No newline at end of file diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 041c640..71c04b1 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -6,7 +6,7 @@ yum: name: > openssh-server, openssh-clients, - sshpass, passwd + sshpass, passwd, rsyslog state: installed - name: Ensure sshd is running @@ -15,6 +15,12 @@ state: started enabled: true + - name: Ensure rsyslog is running + service: + name: rsyslog + state: started + enabled: true + - name: Ensure nologin files are absent file: path: "{{ item }}" diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 17d3baf..437f696 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -26,3 +26,7 @@ - name: Did duo prompt show? assert: that: "'Duo two-factor login for' in slurpfile['content'] | b64decode" + + # - name: Actual output + # debug: + # msg: "{{ slurpfile['content'] | b64decode }}" \ No newline at end of file diff --git a/molecule/fixed-mirror/prepare.yml b/molecule/fixed-mirror/prepare.yml index 041c640..8291114 100644 
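Review bot: Neither the added `Ensure rsyslog is running` task in molecule/default/prepare.yml nor the commit message says why the test container needs rsyslog, so a later cleanup could drop it and break the prompt check with no hint as to why. A one-line comment above the task stating the dependency would cover it (presumably sshd or the Duo login logs through syslog; confirm). The package-list hunk above it and molecule/fixed-mirror/prepare.yml carry the same change.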
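Review bot: The task added at the end of molecule/default/verify.yml is commented-out code, and the file now ends without a trailing newline (`\ No newline at end of file`). Either drop the block or keep it live behind verbosity, i.e. a `debug:` task with `msg: "{{ slurpfile['content'] | b64decode }}"` and `verbosity: 1`, so the captured login output is printed only on `-v` runs. molecule/fixed-mirror/verify.yml gets the same commented block.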
--- a/molecule/fixed-mirror/prepare.yml +++ b/molecule/fixed-mirror/prepare.yml @@ -6,7 +6,7 @@ yum: name: > openssh-server, openssh-clients, - sshpass, passwd + sshpass, passwd, rsyslog state: installed - name: Ensure sshd is running @@ -14,7 +14,13 @@ name: sshd state: started enabled: true - + + - name: Ensure rsyslog is running + service: + name: rsyslog + state: started + enabled: true + - name: Ensure nologin files are absent file: path: "{{ item }}" diff --git a/molecule/fixed-mirror/verify.yml b/molecule/fixed-mirror/verify.yml index 17d3baf..e3dee16 100644 --- a/molecule/fixed-mirror/verify.yml +++ b/molecule/fixed-mirror/verify.yml @@ -26,3 +26,7 @@ - name: Did duo prompt show? assert: that: "'Duo two-factor login for' in slurpfile['content'] | b64decode" + + # - name: Actual output + # debug: + # msg: "{{ slurpfile['content'] | b64decode }}" diff --git a/tasks/main.yml b/tasks/main.yml index 0ec96d3..84fb909 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -42,6 +42,14 @@ line: 'ChallengeResponseAuthentication yes' notify: Restart sshd +- name: RHEL9 - Ensure ChallengeResponseAuthentication is enabled + lineinfile: + path: /etc/ssh/sshd_config.d/50-redhat.conf + regex: '^ChallengeResponseAuthentication ' + line: 'ChallengeResponseAuthentication yes' + notify: Restart sshd + when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 9 + - name: Flush Handlers meta: flush_handlers
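Review bot: The new task in tasks/main.yml edits `/etc/ssh/sshd_config.d/50-redhat.conf` without checking that the file exists, and `lineinfile` fails on a missing path unless `create` is set; the `when` matches every `RedHat`-family host reporting a major version of 9 or more, which may include derivatives that do not ship this drop-in. Guarding on a `stat` result, as sketched below, keeps the role from aborting half-way through an authentication change. Since this line decides whether sshd offers the keyboard-interactive prompt, consider also adding `validate: '/usr/sbin/sshd -t -f %s'` so a malformed edit is rejected before the handler restarts sshd (confirm that it behaves on a drop-in fragment). On OpenSSH releases that treat `ChallengeResponseAuthentication` as a deprecated alias of `KbdInteractiveAuthentication`, a drop-in that already sets the newer keyword would not be matched by this regex, so that is worth checking on a RHEL 9 image. The task list continues outside the hunk.

```yaml
# constructed variable name; pick one that fits the role's prefix
- name: Check for the Red Hat sshd drop-in
  stat:
    path: /etc/ssh/sshd_config.d/50-redhat.conf
  register: duo_sshd_redhat_dropin

- name: RHEL9 - Ensure ChallengeResponseAuthentication is enabled
  lineinfile:
    # … unchanged: path, regex, line …
  notify: Restart sshd
  when:
    - ansible_os_family == 'RedHat'
    - ansible_distribution_major_version | int >= 9
    - duo_sshd_redhat_dropin.stat.exists
```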