11# vim: sts=2 ts=2 sw=2 et ai
22{%- from " users/map.jinja" import users with context % }
33
4- {%- if not grains[' os_family' ] in [' RedHat' , ' Suse' ] % }
4+ {%- if not grains[' os_family' ] in [' Suse' ] % }
5+ {%- if salt[' grains.get' ](' osfinger' , ' ' ) in [' Amazon Linux-2' ] % }
6+ users_epel_repo:
7+ pkgrepo.managed:
8+ - name: epel
9+ - humanname: Extra Packages for Enterprise Linux 7 - $ basearch
10+ - mirrorlist: https:// mirrors.fedoraproject.org/ metalink? repo=epel- 7 & arch=$ basearch
11+ - enabled: 1
12+ - gpgcheck: 1
13+ - gpgkey: https:// dl.fedoraproject.org/ pub/ epel/ RPM - GPG - KEY - EPEL - 7
14+ - failovermethod: priority
15+ - require_in:
16+ - pkg: users_googleauth- package
17+ {%- endif % }
18+
519users_googleauth- package:
620 pkg.installed:
721 - name: {{ users.googleauth_package }}
@@ -13,13 +27,34 @@ users_{{ users.googleauth_dir }}:
1327 - name: {{ users.googleauth_dir }}
1428 - user: root
1529 - group: {{ users.root_group }}
16- - mode: ' 0600'
30+ - mode: ' 0700'
31+
32+ {%- if grains[' os_family' ] == ' RedHat' and " selinux" in grains and grains.selinux.enabled % }
33+ policycoreutils- package:
34+ pkg.installed:
35+ - pkgs:
36+ - policycoreutils
37+ {%- if grains[' osmajorrelease' ]| int <= 7 % }
38+ - policycoreutils- python
39+ {%- else % }
40+ - policycoreutils- python- utils
41+ {%- endif % }
42+ users_googleauth_selinux_present:
43+ selinux.fcontext_policy_present:
44+ - name: " {{ users.googleauth_dir }} (/.*)?"
45+ - filetype: ' a'
46+ - sel_user: unconfined_u
47+ - sel_type: ssh_home_t
48+ - sel_level: s0
49+ - require:
50+ - pkg: policycoreutils- package
51+ {%- endif % }
1752
1853{%- for name, user in pillar.get(' users' , {}).items() if user.absent is not defined or not user.absent % }
1954{%- if ' google_auth' in user % }
2055{%- for svc in user[' google_auth' ] % }
2156{%- if user.get(' google_2fa' , True ) % }
22- {%- set repl = ' {0} {1} {2} {3} {4}{5} /{6} _{7} {8} \\ n {9} ' .format(
57+ {%- set repl = ' {0} {1} {2} {3} {4}{5} /{6} _{7} {8} ' .format(
2358 ' auth' ,
2459 ' [success=done new_authtok_reqd=done default=die]' ,
2560 ' pam_google_authenticator.so' ,
@@ -29,17 +64,38 @@ users_{{ users.googleauth_dir }}:
2964 ' ${USER} ' ,
3065 svc,
3166 ' echo_verification_code' ,
32- ' @include common-auth' ,
3367 ) % }
3468users_googleauth- pam- {{ svc }}- {{ name }}:
3569 file .replace:
3670 - name: / etc/ pam.d/ {{ svc }}
37- - pattern: " ^@include common-auth"
38- - repl: " {{ repl }} "
71+ {%- if grains[' os_family' ] == ' RedHat' % }
72+ - pattern: ' ^(auth[ \t ]*substack[ \t ]*password-auth)'
73+ {%- else % }
74+ - pattern: ' ^(@include[ \t ]*common-auth)'
75+ {%- endif % }
76+ - repl: ' {{ repl }} \n\1 '
3977 - unless: grep pam_google_authenticator.so / etc/ pam.d/ {{ svc }}
4078 - backup: .bak
4179{%- endif % }
4280{%- endfor % }
4381{%- endif % }
4482{%- endfor % }
83+
84+ {%- if grains[' os_family' ] == ' RedHat' and " selinux" in grains and grains.selinux.enabled % }
85+ users_googleauth_selinux_applied:
86+ selinux.fcontext_policy_applied:
87+ - name: {{ users.googleauth_dir }}
88+ {%- endif % }
89+
90+ sshd:
91+ service.running:
92+ - watch:
93+ - file : / etc/ ssh/ sshd_config
94+
95+ sshd_config:
96+ file .replace:
97+ - name: / etc/ ssh/ sshd_config
98+ - pattern: ' ^(ChallengeResponseAuthentication|KbdInteractiveAuthentication).*'
99+ - repl: ' \1 yes'
100+
45101{%- endif % }
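Review bot: The `sshd_config` state only rewrites an existing uncommented `ChallengeResponseAuthentication`/`KbdInteractiveAuthentication` line; if the directive is absent or present only as a comment, `file.replace` changes nothing and still reports success, so the setting this commit depends on is left to the server default rather than enforced, and because the pattern is unscoped it also rewrites a copy sitting inside a `Match` block. Adding `- prepend_if_not_found: True` and `- not_found_content: 'KbdInteractiveAuthentication yes'` makes the outcome explicit (prepending rather than appending keeps the directive out of any trailing `Match` block). The `sshd` state uses its id as the service name; on Debian-derived hosts, which this commit now brings into the conditional, the unit is `ssh` with `sshd` at most an alias, so a grain-driven `- name:` is worth confirming there. Both states sit inside the `os_family` conditional opened at the top of the file and closed by this final `endif`.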