saltstack-formulas/users-formula
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #60 from maytechnet/feature/googleauth

Browse Source 
google authentication pam module support
This commit is contained in:
Forrest 2015-01-15 09:00:18 -08:00
commit e39a9537ba
4 changed files with 74 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pillar.example
View File

@ -28,6 +28,18 @@ users:
- PUBLICKEY - PUBLICKEY
ssh_auth.absent: ssh_auth.absent:
- PUBLICKEY_TO_BE_REMOVED - PUBLICKEY_TO_BE_REMOVED
google_auth:
ssh: |
SOMEGAUTHHASHVAL
" RESETTING_TIME_SKEW 46956472+2 46991595-2
" RATE_LIMIT 3 30 1415800560
" DISALLOW_REUSE 47193352
" TOTP_AUTH
11111111
22222222
33333333
44444444
55555555
## Absent user ## Absent user
cuser: cuser:

15
users/googleauth.sls Normal file
View File

@ -0,0 +1,15 @@
# vim: sts=2 ts=2 sw=2 et ai
{% from "users/map.jinja" import users with context %}
googleauth-package:
pkg.installed:
- name: {{ users.googleauth_package }}
- require:
- file: {{ users.googleauth_dir }}
{{ users.googleauth_dir }}:
file:
- directory
- user: root
- group: {{ users.root_group }}
- mode: 600

45
users/init.sls
View File

@ -1,6 +1,29 @@
# vim: sts=2 ts=2 sw=2 et ai # vim: sts=2 ts=2 sw=2 et ai
{% from "users/map.jinja" import users with context %} {% from "users/map.jinja" import users with context %}
{% set used_sudo = False %} {% set used_sudo = [] %}
{% set used_googleauth = [] %}
{%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%- if user == None -%}
{%- set user = {} -%}
{%- endif -%}
{%- if 'sudouser' in user and user['sudouser'] %}
{%- do used_sudo.append(1) %}
{%- endif %}
{%- if 'google_auth' in user %}
{%- do used_googleauth.append(1) %}
{%- endif %}
{%- endfor %}
{%- if used_sudo or used_googleauth %}
include:
{%- if used_sudo %}
- users.sudo
{%- endif %}
{%- if used_googleauth %}
- users.googleauth
{%- endif %}
{%- endif %}
{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%- if user == None -%} {%- if user == None -%}
@ -145,11 +168,6 @@ ssh_auth_delete_{{ name }}_{{ loop.index0 }}:
{% endif %} {% endif %}
{% if 'sudouser' in user and user['sudouser'] %} {% if 'sudouser' in user and user['sudouser'] %}
{% if not used_sudo %}
{% set used_sudo = True %}
include:
- users.sudo
{% endif %}
sudoer-{{ name }}: sudoer-{{ name }}:
file.managed: file.managed:
@ -187,6 +205,21 @@ sudoer-{{ name }}:
- name: {{ users.sudoers_dir }}/{{ name }} - name: {{ users.sudoers_dir }}/{{ name }}
{% endif %} {% endif %}
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
googleauth-{{ svc }}-{{ name }}:
file.managed:
- replace: false
- name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }}
- contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'
- user: root
- group: {{ users.root_group }}
- mode: 600
- require:
- pkg: googleauth-package
{%- endfor %}
{%- endif %}
{% endfor %} {% endfor %}
{% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %} {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %}

8
users/map.jinja
View File

@ -3,37 +3,45 @@
'Debian': { 'Debian': {
'sudoers_dir': '/etc/sudoers.d', 'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers', 'sudoers_file': '/etc/sudoers',
'googleauth_dir': '/etc/google_authenticator.d',
'root_group': 'root', 'root_group': 'root',
'shell': '/bin/bash', 'shell': '/bin/bash',
'visudo_shell': '/bin/bash', 'visudo_shell': '/bin/bash',
'bash_package': 'bash', 'bash_package': 'bash',
'sudo_package': 'sudo', 'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
}, },
'Gentoo': { 'Gentoo': {
'sudoers_dir': '/etc/sudoers.d', 'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers', 'sudoers_file': '/etc/sudoers',
'googleauth_dir': '/etc/google_authenticator.d',
'root_group': 'root', 'root_group': 'root',
'shell': '/bin/bash', 'shell': '/bin/bash',
'visudo_shell': '/bin/bash', 'visudo_shell': '/bin/bash',
'bash_package': 'app-shells/bash', 'bash_package': 'app-shells/bash',
'sudo_package': 'app-admin/sudo', 'sudo_package': 'app-admin/sudo',
'googleauth_package': 'libpam-google-authenticator',
}, },
'FreeBSD': { 'FreeBSD': {
'sudoers_dir': '/usr/local/etc/sudoers.d', 'sudoers_dir': '/usr/local/etc/sudoers.d',
'sudoers_file': '/usr/local/etc/sudoers', 'sudoers_file': '/usr/local/etc/sudoers',
'googleauth_dir': '/usr/local/etc/google_authenticator.d',
'root_group': 'wheel', 'root_group': 'wheel',
'shell': '/bin/csh', 'shell': '/bin/csh',
'visudo_shell': '/usr/local/bin/bash', 'visudo_shell': '/usr/local/bin/bash',
'bash_package': 'bash', 'bash_package': 'bash',
'sudo_package': 'sudo', 'sudo_package': 'sudo',
'googleauth_package': 'pam_google_authenticator',
}, },
'default': { 'default': {
'sudoers_dir': '/etc/sudoers.d', 'sudoers_dir': '/etc/sudoers.d',
'sudoers_file': '/etc/sudoers', 'sudoers_file': '/etc/sudoers',
'googleauth_dir': '/etc/google_authenticator.d',
'root_group': 'root', 'root_group': 'root',
'shell': '/bin/bash', 'shell': '/bin/bash',
'visudo_shell': '/bin/bash', 'visudo_shell': '/bin/bash',
'bash_package': 'bash', 'bash_package': 'bash',
'sudo_package': 'sudo', 'sudo_package': 'sudo',
'googleauth_package': 'libpam-google-authenticator',
}, },
}, merge=salt['pillar.get']('users:lookup')) %} }, merge=salt['pillar.get']('users:lookup')) %}