fix: Updated with default configs from RHEL 9

.gitignore

@@ -0,0 +1,6 @@
+.venv
+.vagrant
+
+# ACT variable files should never be committed.
+.secrets
+.vars

files/etc.pam.d.sshd

@@ -1,12 +1,10 @@
 #%PAM-1.0
-auth       required     pam_sepermit.so
 auth       substack     password-auth
 auth       required     pam_env.so
 auth       sufficient   pam_duo.so
 auth       required     pam_deny.so
 auth       include      postlogin
-# Used with polkit to reauthorize users in remote sessions
+account    required     pam_sepermit.so
--auth      optional     pam_reauthorize.so prepare
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth
@@ -17,7 +15,6 @@ session    required     pam_loginuid.so
 session    required     pam_selinux.so open env_params
 session    required     pam_namespace.so
 session    optional     pam_keyinit.so force revoke
+session    optional     pam_motd.so
 session    include      password-auth
-session    include      postlogin
+session    include      postlogin
-# Used with polkit to reauthorize users in remote sessions
--session   optional     pam_reauthorize.so prepare

files/etc.yum.repos.d.duosecurity

@@ -1,6 +0,0 @@
-## Managed by Ansible ##
-[duosecurity]
-name=Duo Security Repository
-baseurl=https://pkg.duosecurity.com/RedHat/"$releasever"Server/$basearch
-enabled=1
-gpgcheck=1

molecule/default/prepare.yml

@@ -6,7 +6,7 @@
       yum:
         name: >
           openssh-server, openssh-clients, 
-          sshpass, passwd
+          sshpass, passwd, rsyslog
         state: installed
 
     - name: Ensure sshd is running
@@ -15,6 +15,12 @@
         state: started
         enabled: true
         
+    - name: Ensure rsyslog is running
+      service:
+        name: rsyslog
+        state: started
+        enabled: true
+
     - name: Ensure nologin files are absent
       file: 
         path: "{{ item }}"

molecule/default/verify.yml

@@ -26,3 +26,7 @@
   - name: Did duo prompt show?
     assert:
       that: "'Duo two-factor login for' in slurpfile['content'] | b64decode"
+
+  # - name: Actual output
+  #   debug: 
+  #     msg: "{{ slurpfile['content'] | b64decode }}"

molecule/fixed-mirror/prepare.yml

@@ -6,7 +6,7 @@
       yum:
         name: >
           openssh-server, openssh-clients, 
-          sshpass, passwd
+          sshpass, passwd, rsyslog
         state: installed
 
     - name: Ensure sshd is running
@@ -14,7 +14,13 @@
         name: sshd
         state: started
         enabled: true
-        
+
+    - name: Ensure rsyslog is running
+      service:
+        name: rsyslog
+        state: started
+        enabled: true
+
     - name: Ensure nologin files are absent
       file: 
         path: "{{ item }}"

molecule/fixed-mirror/verify.yml

@@ -26,3 +26,7 @@
   - name: Did duo prompt show?
     assert:
       that: "'Duo two-factor login for' in slurpfile['content'] | b64decode"
+
+  # - name: Actual output
+  #   debug: 
+  #     msg: "{{ slurpfile['content'] | b64decode }}"

tasks/duo-repo.yml

@@ -3,6 +3,7 @@
   copy:
     dest: /tmp/DUO-GPG-PUBLIC-KEY.asc
     src:  DUO-GPG-PUBLIC-KEY.asc
+  changed_when: false
 
 - name: Ensure Duo GPG Key is installed
   rpm_key:
@@ -13,6 +14,7 @@
   file:
     path: /tmp/DUO-GPG-PUBLIC-KEY.asc
     state: absent
+  changed_when: false
     
 - name: Ensure duo repository is present
   template:

tasks/main.yml

@@ -42,6 +42,14 @@
       line: 'ChallengeResponseAuthentication yes'
   notify: Restart sshd
 
+- name: RHEL9 - Ensure ChallengeResponseAuthentication is enabled
+  lineinfile:
+    path: /etc/ssh/sshd_config.d/50-redhat.conf
+    regex: '^ChallengeResponseAuthentication '
+    line: 'ChallengeResponseAuthentication yes'
+  notify: Restart sshd
+  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 9
+
 - name: Flush Handlers
   meta: flush_handlers