D1338.id3433.diff
diff --git a/roles/bastion/pam/files/sshd-otp-freebsd b/roles/bastion/pam/files/sshd-otp-freebsd
new file mode 100644
--- /dev/null
+++ b/roles/bastion/pam/files/sshd-otp-freebsd
@@ -0,0 +1,41 @@
+# -------------------------------------------------------------
+# OpenSSH configuration - OTP SSHD for bastion servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-02-20
+# License: Trivial work, not eligible to copyright
+# Forked from: FreeBSD: releng/11.1/etc/pam.d/sshd
+# 197769 2009-10-05 09:28:54Z des
+# Source file: roles/bastion/pam/files/sshd-otp-freebsd
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# auth
+# TODO: when Vault is installed, add key too here through a Vault pillar.
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth sufficient /usr/local/lib/security/pam_yubico.so no_warn try_first_pass id=36698
+#auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+auth sufficient pam_deny.so
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
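Review bot: the auth stack still accepts a plain Unix password, which defeats the purpose of a service named sshd-otp: both OTP modules are `sufficient`, so when neither succeeds the decision falls through to `auth required pam_unix.so no_warn try_first_pass`, and a correct password alone passes. The trailing `auth sufficient pam_deny.so` does not close that gap, because the framework ignores the failure of a `sufficient` module, so that line is a no-op as written. If only an OTP success is meant to authenticate, make the final deny `required` and drop the `required` pam_unix line, or restore the FreeBSD `auth requisite pam_opieaccess.so no_warn allow_local` line that was commented out, which is what blocks password fallback for OPIE-enrolled users from untrusted hosts. Also worth tracking the TODO: until a `key=` is supplied next to `id=36698`, pam_yubico sends unsigned validation requests and cannot verify the validation server's response signature.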
diff --git a/roles/bastion/pam/init.sls b/roles/bastion/pam/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/bastion/pam/init.sls
@@ -0,0 +1,21 @@
+# -------------------------------------------------------------
+# Salt — Bastion
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: This role allows to login through alternative
+# ways, like traditional keys or with an OTP.
+# Created: 2018-02-20
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# FreeBSD
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if grains['os'] == 'FreeBSD' %}
+
+/etc/pam.d/sshd-otp:
+ file.managed:
+ - source: salt://roles/bastion/pam/files/sshd-otp-freebsd
+
+{% endif %}
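Review bot: `file.managed` for `/etc/pam.d/sshd-otp` sets no `user`, `group` or `mode`, so ownership and permissions of a PAM policy file depend on the minion's umask at creation time; pin them explicitly to match the other files in /etc/pam.d, e.g. `- user: root`, `- group: wheel`, `- mode: 644`. The role header should also document how the file is consumed: by default OpenSSH derives its PAM service name from the daemon's program name, so nothing in this change makes an sshd instance use the `sshd-otp` policy, and the state that runs that instance should be referenced here or added to this role.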
Attached to: D1338: Configure sshd-otp for FreeBSD bastion