

3 Commits

Author SHA1 Message Date
28467d2930 chore(ci): Updated notifications to use token
All checks were successful
CI / lint (push) Successful in 21s
CI / Molecule Test (almalinux8) (push) Successful in 1m52s
CI / Molecule Test (almalinux9) (push) Successful in 1m52s
CI / release (push) Successful in 21s
CI / notify (push) Successful in 4s
2024-12-30 20:57:32 +13:00
e22ae689df fix: Updated with default configs from RHEL 9
Some checks failed
CI / lint (push) Successful in 1m50s
CI / Molecule Test (almalinux8) (push) Successful in 2m54s
CI / Molecule Test (almalinux9) (push) Successful in 2m32s
CI / release (push) Successful in 35s
CI / notify (push) Failing after 5s
2024-12-30 08:25:51 +13:00
b668b705c3 fix: Duo-prompt on RHEL 8 and RHEL 9 2024-12-30 08:25:21 +13:00
8 changed files with 36 additions and 15 deletions


@@ -101,6 +101,7 @@ jobs:
with: with:
url: '${{ vars.NTFY_URL }}' url: '${{ vars.NTFY_URL }}'
title: Workflow success - ansible-role-auth-duo title: Workflow success - ansible-role-auth-duo
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_TOKEN }}" }'
topic: 'ci-status' topic: 'ci-status'
priority: 4 priority: 4
tags: +1,partying_face,action,successfully,completed tags: +1,partying_face,action,successfully,completed
@@ -114,6 +115,7 @@ jobs:
with: with:
url: '${{ vars.NTFY_URL }}' url: '${{ vars.NTFY_URL }}'
title: Workflow failed - ansible-role-auth-duo title: Workflow failed - ansible-role-auth-duo
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_TOKEN }}" }'
topic: 'ci-status' topic: 'ci-status'
priority: 5 priority: 5
tags: -1,skull,action,failed tags: -1,skull,action,failed
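Review bot: Both notify steps now send `NTFY_TOKEN` as a bearer header on every run, so the token's transport and scope matter more than before: if `vars.NTFY_URL` is a plain-http URL the token crosses the network in cleartext, and an ntfy access token carries whatever rights its user has unless the server's ACL narrows them. I would issue the token to a dedicated ntfy user granted only write access to the `ci-status` topic, so a leak from a runner log or a compromised workflow step cannot read or publish elsewhere, and record that expectation in a comment above the header, e.g. `# NTFY_TOKEN: publish-only token scoped to the ci-status topic; NTFY_URL must be https`. The identical `headers:` line is repeated in the success and failure steps; a job-level `env` value would keep the two from drifting.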


@@ -1,12 +1,10 @@
#%PAM-1.0 #%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth auth substack password-auth
auth required pam_env.so auth required pam_env.so
auth sufficient pam_duo.so auth sufficient pam_duo.so
auth required pam_deny.so auth required pam_deny.so
auth include postlogin auth include postlogin
# Used with polkit to reauthorize users in remote sessions account required pam_sepermit.so
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so account required pam_nologin.so
account include password-auth account include password-auth
password include password-auth password include password-auth
@@ -17,7 +15,6 @@ session required pam_loginuid.so
session required pam_selinux.so open env_params session required pam_selinux.so open env_params
session required pam_namespace.so session required pam_namespace.so
session optional pam_keyinit.so force revoke session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth session include password-auth
session include postlogin session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
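Review bot: The new auth phase still reads `auth sufficient pam_duo.so` followed by `auth required pam_deny.so`, so enforcement of the second factor rests entirely on pam_duo's own failure handling: when the Duo service is unreachable pam_duo returns success or failure according to the `failmode` option in pam_duo.conf, and according to Duo's documentation the default `safe` value fails open, letting a correct password through with no second factor. That file is outside this diff, so I would state the dependency at the top of this template: `# Second factor is only enforced when pam_duo.conf sets failmode = secure; the default failmode = safe fails open when Duo is unreachable.` Moving `pam_sepermit.so` to the account phase, adding `pam_motd.so` and dropping both `pam_reauthorize.so` lines appear to mirror the RHEL 9 stock sshd stack, but since the commit says the same template now serves RHEL 8 too, a comment naming the vendor file it was copied from would make the next default change easy to reconcile.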


@@ -1,6 +0,0 @@
## Managed by Ansible ##
[duosecurity]
name=Duo Security Repository
baseurl=https://pkg.duosecurity.com/RedHat/"$releasever"Server/$basearch
enabled=1
gpgcheck=1


@@ -6,7 +6,7 @@
yum: yum:
name: > name: >
openssh-server, openssh-clients, openssh-server, openssh-clients,
sshpass, passwd sshpass, passwd, rsyslog
state: installed state: installed
- name: Ensure sshd is running - name: Ensure sshd is running
@@ -15,6 +15,12 @@
state: started state: started
enabled: true enabled: true
- name: Ensure rsyslog is running
service:
name: rsyslog
state: started
enabled: true
- name: Ensure nologin files are absent - name: Ensure nologin files are absent
file: file:
path: "{{ item }}" path: "{{ item }}"
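Review bot: `name: >` folds the package names into a single comma-separated string (`openssh-server, openssh-clients, sshpass, passwd, rsyslog`), so the task relies on the yum module splitting and trimming that string; a YAML list is the documented form and stays correct when packages are added or reordered. Replace the folded scalar with a list of the same packages: `name: [openssh-server, openssh-clients, sshpass, passwd, rsyslog]`. The playbook also does not say why rsyslog is now required in the test image — presumably so sshd or Duo log lines are captured for the verify step — and a one-line comment above the new `Ensure rsyslog is running` task would record that.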


@@ -26,3 +26,7 @@
- name: Did duo prompt show? - name: Did duo prompt show?
assert: assert:
that: "'Duo two-factor login for' in slurpfile['content'] | b64decode" that: "'Duo two-factor login for' in slurpfile['content'] | b64decode"
# - name: Actual output
# debug:
# msg: "{{ slurpfile['content'] | b64decode }}"
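Review bot: The added debug task is commented out, so when the assertion above fails the run still prints nothing about what the captured prompt actually contained, and the commented lines will be toggled by hand the next time this breaks. The assert module can carry the diagnostic itself: add `fail_msg: "Duo prompt not found in: {{ slurpfile['content'] | b64decode }}"` beside `that:` and drop the commented block; the content is then shown only on failure, which is the same information the debug task was meant to give.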


@@ -6,7 +6,7 @@
yum: yum:
name: > name: >
openssh-server, openssh-clients, openssh-server, openssh-clients,
sshpass, passwd sshpass, passwd, rsyslog
state: installed state: installed
- name: Ensure sshd is running - name: Ensure sshd is running
@@ -14,7 +14,13 @@
name: sshd name: sshd
state: started state: started
enabled: true enabled: true
- name: Ensure rsyslog is running
service:
name: rsyslog
state: started
enabled: true
- name: Ensure nologin files are absent - name: Ensure nologin files are absent
file: file:
path: "{{ item }}" path: "{{ item }}"
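Review bot: This prepare.yml appears line-for-line identical to the other scenario's prepare.yml changed in the same commit, so the rsyslog package and the new `Ensure rsyslog is running` task were added in two places that now have to be kept in sync by hand. Molecule lets scenarios point at one shared playbook via `provisioner: playbooks: prepare: ../shared/prepare.yml` in each molecule.yml, leaving a single copy to maintain. If the two scenarios are intended to diverge later, a comment at the top saying so would stop a reader from deduplicating them.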


@@ -26,3 +26,7 @@
- name: Did duo prompt show? - name: Did duo prompt show?
assert: assert:
that: "'Duo two-factor login for' in slurpfile['content'] | b64decode" that: "'Duo two-factor login for' in slurpfile['content'] | b64decode"
# - name: Actual output
# debug:
# msg: "{{ slurpfile['content'] | b64decode }}"
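Review bot: Same issue as the sibling verify.yml: the commented-out debug task leaves the assertion silent about the actual prompt text when it fails. Prefer `fail_msg: "Duo prompt not found in: {{ slurpfile['content'] | b64decode }}"` on the assert task and remove the commented lines, so the decoded content is printed exactly when it is needed.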


@@ -42,6 +42,14 @@
line: 'ChallengeResponseAuthentication yes' line: 'ChallengeResponseAuthentication yes'
notify: Restart sshd notify: Restart sshd
- name: RHEL9 - Ensure ChallengeResponseAuthentication is enabled
lineinfile:
path: /etc/ssh/sshd_config.d/50-redhat.conf
regex: '^ChallengeResponseAuthentication '
line: 'ChallengeResponseAuthentication yes'
notify: Restart sshd
when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 9
- name: Flush Handlers - name: Flush Handlers
meta: flush_handlers meta: flush_handlers
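Review bot: Rewriting the package-owned `/etc/ssh/sshd_config.d/50-redhat.conf` in place is fragile: the regex matches only the exact spelling `ChallengeResponseAuthentication ` followed by a space (sshd keywords are case-insensitive and may be tab-separated), and on the OpenSSH shipped with RHEL 9 that keyword is only an alias for `KbdInteractiveAuthentication`. sshd keeps the first value it reads for a directive, and the stock RHEL 9 sshd_config includes `sshd_config.d/*.conf` near the top in lexical order, so a role-owned drop-in that sorts before `50-redhat.conf` overrides it without editing the vendor file; the replacement task below does that. Separately, and not addressed by this commit, enabling keyboard-interactive authentication does not run the PAM stack for public-key logins — unless `AuthenticationMethods publickey,keyboard-interactive` is set elsewhere in the role, a key-based login bypasses pam_duo entirely, which deserves either a task or an explicit comment here. The enclosing task list starts before this hunk.

```yaml
# … unchanged: RHEL 8 ChallengeResponseAuthentication task …
- name: RHEL9 - Enable keyboard-interactive auth via a role-owned drop-in
  copy:
    dest: /etc/ssh/sshd_config.d/10-duo.conf
    content: |
      # Managed by Ansible. Sorts before 50-redhat.conf; sshd keeps the first value it reads.
      KbdInteractiveAuthentication yes
    owner: root
    group: root
    mode: "0600"
  notify: Restart sshd
  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 9
# … unchanged: Flush Handlers …
```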