From 2205bce19beea17601c603779886bf91abecbdc9 Mon Sep 17 00:00:00 2001
From: Pascal de Bruijn
Date: Mon, 13 Jun 2022 10:53:14 +0200
Subject: [PATCH 1/7] fix(googleauth): proper 0600 permissions on secret
---
 users/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users/init.sls b/users/init.sls
index 60ba195..e6727b4 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -516,7 +516,7 @@ users_googleauth-{{ svc }}-{{ name }}:
 - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
 - user: root
 - group: {{ users.root_group }}
- - mode: '0400'
+ - mode: '0600'
 - require:
 - pkg: users_googleauth-package
 {%- endfor %}
From 2a3b67647f3e8d10a19e0888a300e4c73ee0bafd Mon Sep 17 00:00:00 2001
From: Pascal de Bruijn
Date: Mon, 13 Jun 2022 11:32:34 +0200
Subject: [PATCH 2/7] fix(googleauth): proper 0700 permissions on secrets directory
---
 users/googleauth.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users/googleauth.sls b/users/googleauth.sls
index 03366e2..f78ba1e 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
@@ -13,7 +13,7 @@ users_{{ users.googleauth_dir }}:
 - name: {{ users.googleauth_dir }}
 - user: root
 - group: {{ users.root_group }}
- - mode: '0600'
+ - mode: '0700'
 {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
 {%- if 'google_auth' in user %}
From 1dcd7d5746147ae212b85efc262972da0ba504ba Mon Sep 17 00:00:00 2001
From: Pascal de Bruijn
Date: Mon, 13 Jun 2022 11:04:14 +0200
Subject: [PATCH 3/7] refactor(googleauth): pam handling
---
 users/googleauth.sls | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/users/googleauth.sls b/users/googleauth.sls
index f78ba1e..e03fbe5 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
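Review bot: Making the secret writable (0600) only makes sense if pam_google_authenticator rewrites the file in place — presumably for its used-code and scratch-code bookkeeping — yet the same state still manages the content from `contents_pillar`, so every highstate restores the pillar copy, re-arming any scratch code that was already spent and clearing the reuse-protection timestamps. If that is not intended, consider `- replace: False` so the file is only seeded once, or keep `contents_pillar` and say in a comment that a highstate deliberately resets replay state. The enclosing `file.managed` state begins before this hunk.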
@@ -19,7 +19,7 @@ users_{{ users.googleauth_dir }}:
 {%- if 'google_auth' in user %}
 {%- for svc in user['google_auth'] %}
 {%- if user.get('google_2fa', True) %}
-{%- set repl = '{0} {1} {2} {3} {4}{5}/{6}_{7} {8}\\n{9}'.format(
+{%- set repl = '{0} {1} {2} {3} {4}{5}/{6}_{7} {8}'.format(
 'auth',
 '[success=done new_authtok_reqd=done default=die]',
 'pam_google_authenticator.so',
@@ -29,13 +29,12 @@ users_{{ users.googleauth_dir }}:
 '${USER}',
 svc,
 'echo_verification_code',
- '@include common-auth',
 ) %}
 users_googleauth-pam-{{ svc }}-{{ name }}:
 file.replace:
 - name: /etc/pam.d/{{ svc }}
- - pattern: "^@include common-auth"
- - repl: "{{ repl }}"
+ - pattern: '^(@include[ \t]*common-auth)'
+ - repl: '{{ repl }}\n\1'
 - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
 - backup: .bak
 {%- endif %}
From be3dd4fbf612223ac3183e0e8d946ba142b5c00b Mon Sep 17 00:00:00 2001
From: Pascal de Bruijn
Date: Tue, 14 Jun 2022 09:54:18 +0200
Subject: [PATCH 4/7] feat(googleauth): rhel family support
---
 users/googleauth.sls | 34 +++++++++++++++++++++++++++++++++-
 users/init.sls | 8 +++++++-
 users/map.jinja | 13 +++++++++++++
 3 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/users/googleauth.sls b/users/googleauth.sls
index e03fbe5..88a1766 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
@@ -1,7 +1,7 @@
 # vim: sts=2 ts=2 sw=2 et ai
 {%- from "users/map.jinja" import users with context %}
-{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
+{%- if not grains['os_family'] in ['Suse'] %}
 users_googleauth-package:
 pkg.installed:
 - name: {{ users.googleauth_package }}
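Review bot: The `\1` that the new `repl` appends is dead for the auth phase: with `[success=done new_authtok_reqd=done default=die]` a valid verification code ends the stack successfully and anything else dies, so the `@include common-auth` re-inserted below it never runs and the password check is skipped unless sshd enforces it separately via `AuthenticationMethods`. If the `google_2fa` flag is meant to add OTP on top of the password, the control should be `required` (`'auth required pam_google_authenticator.so ...'`); if OTP is meant to stand in for the password (key + OTP), a one-line comment above the `set repl` saying so would stop the next reader from treating this as a bug. Separately, `[ \t]*` in the pattern also matches `@includecommon-auth`; `[ \t]+` is what is meant. Format arguments 3 and 4 of `repl` lie outside this hunk, so I cannot see whether a `nullok`-style option changes the picture.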
@@ -15,6 +15,27 @@ users_{{ users.googleauth_dir }}:
 - group: {{ users.root_group }}
 - mode: '0700'
+{%- if grains['os_family'] == 'RedHat' %}
+policycoreutils-package:
+ pkg.installed:
+ - pkgs:
+ - policycoreutils
+{%- if grains['osmajorrelease']|int <= 7 %}
+ - policycoreutils-python
+{%- else %}
+ - policycoreutils-python-utils
+{%- endif %}
+users_googleauth_selinux_present:
+ selinux.fcontext_policy_present:
+ - name: "{{ users.googleauth_dir }}(/.*)?"
+ - filetype: 'a'
+ - sel_user: unconfined_u
+ - sel_type: ssh_home_t
+ - sel_level: s0
+ - require:
+ - pkg: policycoreutils-package
+{%- endif %}
+
 {%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
 {%- if 'google_auth' in user %}
 {%- for svc in user['google_auth'] %}
@@ -33,7 +54,11 @@ users_{{ users.googleauth_dir }}:
 users_googleauth-pam-{{ svc }}-{{ name }}:
 file.replace:
 - name: /etc/pam.d/{{ svc }}
+{%- if grains['os_family'] == 'RedHat' %}
+ - pattern: '^(auth[ \t]*substack[ \t]*password-auth)'
+{%- else %}
 - pattern: '^(@include[ \t]*common-auth)'
+{%- endif %}
 - repl: '{{ repl }}\n\1'
 - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
 - backup: .bak
@@ -41,4 +66,11 @@ users_googleauth-pam-{{ svc }}-{{ name }}:
 {%- endfor %}
 {%- endif %}
 {%- endfor %}
+
+{%- if grains['os_family'] == 'RedHat' %}
+users_googleauth_selinux_applied:
+ selinux.fcontext_policy_applied:
+ - name: {{ users.googleauth_dir }}
+{%- endif %}
+
 {%- endif %}
diff --git a/users/init.sls b/users/init.sls
index e6727b4..78f7ec3 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -50,6 +50,9 @@ include:
 - users.sudo
 {%- endif %}
 {%- if used_googleauth %}
+{%- if grains['os_family'] == 'RedHat' %}
+ - epel
+{%- endif %}
 - users.googleauth
 {%- endif %}
 {%- if used_user_files %}
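Review bot: When `/etc/pam.d/{{ svc }}` has no `auth substack password-auth` line (a number of RHEL services, `sudo` for example, use `auth include system-auth` instead), the RedHat branch of `file.replace` matches nothing, reports success, and the `unless` grep keeps passing on every run, so that service silently stays without the OTP check. Fail loudly when the anchor is missing — e.g. a following `cmd.run: grep -q pam_google_authenticator.so /etc/pam.d/{{ svc }}` that requires this state — or widen the anchor to `'^(auth[ \t]+(substack|include)[ \t]+(password|system)-auth)'`. The `[ \t]*` quantifiers also accept the tokens run together; `[ \t]+` is the intent.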
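Review bot: `users_googleauth_selinux_applied` relabels the directory at whatever point Salt orders it, but the per-user secret files are created by `file.managed` in init.sls with no `require`/`watch` relation to this state, so a secret written after the restorecon keeps the label it inherited (most likely `etc_t`) until the next highstate, and the first keyboard-interactive login after provisioning may fail under enforcing SELinux. Have the secret states declare `- require_in: - selinux: users_googleauth_selinux_applied` under the same RedHat guard, or make this state `watch` the directory state so the relabel runs after the files exist. Note also that `sel_user: unconfined_u` in the preceding hunk is unusual for a file under `/etc` (`system_u` is the norm) and restorecon without `-F` will not reset the user anyway; unless it is needed, dropping `sel_user` avoids a misleading policy entry.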
@@ -506,7 +509,7 @@ users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
 - name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
 {% endif %}
-{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
+{%- if not grains['os_family'] in ['Suse'] %}
 {%- if 'google_auth' in user %}
 {%- for svc in user['google_auth'] %}
 users_googleauth-{{ svc }}-{{ name }}:
@@ -518,6 +521,9 @@ users_googleauth-{{ svc }}-{{ name }}:
 - group: {{ users.root_group }}
 - mode: '0600'
 - require:
+{%- if grains['os_family'] == 'RedHat' %}
+ - pkg: epel_release
+{%- endif %}
 - pkg: users_googleauth-package
 {%- endfor %}
 {%- endif %}
diff --git a/users/map.jinja b/users/map.jinja
index f1c0772..d7123b0 100644
--- a/users/map.jinja
+++ b/users/map.jinja
@@ -30,6 +30,19 @@
 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
 'polkit_defaults': 'unix-group:sudo;'
 },
+ 'RedHat': {
+ 'sudoers_dir': '/etc/sudoers.d',
+ 'sudoers_file': '/etc/sudoers',
+ 'googleauth_dir': '/etc/google_authenticator.d',
+ 'root_group': 'root',
+ 'shell': '/bin/bash',
+ 'visudo_shell': '/bin/bash',
+ 'bash_package': 'bash',
+ 'sudo_package': 'sudo',
+ 'googleauth_package': 'google-authenticator',
+ 'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+ 'polkit_defaults': 'unix-group:sudo;'
+ },
 'Gentoo': {
 'sudoers_dir': '/etc/sudoers.d',
 'sudoers_file': '/etc/sudoers',
From 3fe875040d70e119b3df9d9d3cce9fc2403f9c7e Mon Sep 17 00:00:00 2001
From: Pascal de Bruijn
Date: Tue, 14 Jun 2022 10:40:47 +0200
Subject: [PATCH 5/7] fix(googleauth): make sure sshd allows KbdInteractiveAuthentication
---
 users/googleauth.sls | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/users/googleauth.sls b/users/googleauth.sls
index 88a1766..d7baae8 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
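Review bot: The new `RedHat` map entry copies `'polkit_defaults': 'unix-group:sudo;'` from the Debian branch, but the administrative group on RHEL-family hosts is `wheel`; as written the polkit admin identity names a group that normally does not exist there, and if someone later creates a `sudo` group for another reason it silently becomes a polkit admin group. `'polkit_defaults': 'unix-group:wheel;'` matches what the distro's own `50-default.rules` grants. Also worth checking: `/etc/polkit-1/localauthority.conf.d` is the pre-0.106 polkit configuration path, and RHEL 7+ ships the JavaScript-rules polkit, so `polkit_dir` may be read nowhere on these hosts — if so the directory should not be managed at all for this family rather than carried over unchanged.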
@@ -73,4 +73,15 @@ users_googleauth_selinux_applied:
 - name: {{ users.googleauth_dir }}
 {%- endif %}
+sshd:
+ service.running:
+ - watch:
+ - file: /etc/ssh/sshd_config
+
+sshd_config:
+ file.replace:
+ - name: /etc/ssh/sshd_config
+ - pattern: '^(ChallengeResponseAuthentication|KbdInteractiveAuthentication).*'
+ - repl: '\1 yes'
+
 {%- endif %}
From 63dd7c88be6f51eda3b247155d4f926b2b64c843 Mon Sep 17 00:00:00 2001
From: Pascal de Bruijn
Date: Tue, 14 Jun 2022 14:22:39 +0200
Subject: [PATCH 6/7] fix(googleauth): handle disabled selinux
---
 users/googleauth.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/users/googleauth.sls b/users/googleauth.sls
index d7baae8..e22da4d 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
@@ -15,7 +15,7 @@ users_{{ users.googleauth_dir }}:
 - group: {{ users.root_group }}
 - mode: '0700'
-{%- if grains['os_family'] == 'RedHat' %}
+{%- if grains['os_family'] == 'RedHat' and "selinux" in grains and grains.selinux.enabled %}
 policycoreutils-package:
 pkg.installed:
 - pkgs:
@@ -67,7 +67,7 @@ users_googleauth-pam-{{ svc }}-{{ name }}:
 {%- endif %}
 {%- endfor %}
-{%- if grains['os_family'] == 'RedHat' %}
+{%- if grains['os_family'] == 'RedHat' and "selinux" in grains and grains.selinux.enabled %}
 users_googleauth_selinux_applied:
 selinux.fcontext_policy_applied:
 - name: {{ users.googleauth_dir }}
From a641d21b1528af3e0cce56ff06803ea1509d9d49 Mon Sep 17 00:00:00 2001
From: Pascal de Bruijn
Date: Tue, 14 Jun 2022 14:30:25 +0200
Subject: [PATCH 7/7] ci(kitchen): workaround epel dependancy
---
 users/googleauth.sls | 14 ++++++++++++++
 users/init.sls | 6 ------
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/users/googleauth.sls b/users/googleauth.sls
index e22da4d..268cd7b 100644
--- a/users/googleauth.sls
+++ b/users/googleauth.sls
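Review bot: `sshd` and `sshd_config` are bare state IDs while every other ID in this file carries the `users_` prefix; any other formula that also manages the ssh service or its config will collide with them at render time, so name them `users_googleauth_sshd` and `users_googleauth_sshd_config`. The replace only touches the main file: on distributions whose `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in that sets `KbdInteractiveAuthentication no` is read first and wins, leaving this edit a silent no-op, and `UsePAM yes`, which keyboard-interactive PAM needs, is not ensured anywhere in the hunk. Finally the `watch` restarts sshd with no syntax check, so a bad edit locks the host out; adding `- check_cmd: /usr/sbin/sshd -t` to the replace state (or a `cmd.run: sshd -t` gate the service requires) keeps a broken config from being activated.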
@@ -2,6 +2,20 @@
 {%- from "users/map.jinja" import users with context %}
 {%- if not grains['os_family'] in ['Suse'] %}
+{%- if salt['grains.get']('osfinger', '') in ['Amazon Linux-2'] %}
+users_epel_repo:
+ pkgrepo.managed:
+ - name: epel
+ - humanname: Extra Packages for Enterprise Linux 7 - $basearch
+ - mirrorlist: https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
+ - enabled: 1
+ - gpgcheck: 1
+ - gpgkey: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
+ - failovermethod: priority
+ - require_in:
+ - pkg: users_googleauth-package
+{%- endif %}
+
 users_googleauth-package:
 pkg.installed:
 - name: {{ users.googleauth_package }}
diff --git a/users/init.sls b/users/init.sls
index 78f7ec3..6fcb156 100644
--- a/users/init.sls
+++ b/users/init.sls
@@ -50,9 +50,6 @@ include:
 - users.sudo
 {%- endif %}
 {%- if used_googleauth %}
-{%- if grains['os_family'] == 'RedHat' %}
- - epel
-{%- endif %}
 - users.googleauth
 {%- endif %}
 {%- if used_user_files %}
@@ -521,9 +518,6 @@ users_googleauth-{{ svc }}-{{ name }}:
 - group: {{ users.root_group }}
 - mode: '0600'
 - require:
-{%- if grains['os_family'] == 'RedHat' %}
- - pkg: epel_release
-{%- endif %}
 - pkg: users_googleauth-package
 {%- endfor %}
 {%- endif %}
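Review bot: The EPEL repository added for Amazon Linux 2 is enabled host-wide (`enabled: 1`, no `includepkgs`), so every later `pkg.installed` or manual `yum` on the box can resolve from a third-party repo that this formula pulled in for a single package; scoping it with `- includepkgs: google-authenticator` keeps the supply-chain exposure to what the state actually needs. `gpgcheck: 1` with the key fetched from `dl.fedoraproject.org` over HTTPS is the right default, but the `mirrorlist` URL is actually a metalink — yum accepts that, while dnf-based hosts expect `metalink:` to get repomd checksum verification, which matters if the `osfinger` list is ever widened. With the `epel_release` requirement dropped in the init.sls hunks, other RedHat-family hosts now have no EPEL guarantee at all and `users_googleauth-package` will fail with a package-not-found error unless EPEL is provided elsewhere; a short comment above the `osfinger` guard stating that assumption would save the next person a debugging session.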