Forge Home

duo_unix

Installs, configures, and manages Duo Unix

17,023 downloads

658 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 4.2.4 (latest)
  • 4.2.3
  • 4.2.2
  • 4.2.1
  • 4.2.0
  • 4.1.0
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0.0
  • 3.0.1
  • 3.0.0
  • 2.1.1
  • 2.1.0
  • 2.0.0
  • 1.0.11
  • 1.0.10
  • 1.0.9
  • 1.0.8
  • 1.0.7
  • 1.0.6
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 0.1.0
released Jul 15th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'iu-duo_unix', '4.2.4'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add iu-duo_unix
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install iu-duo_unix --version 4.2.4

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

iu/duo_unix — version 4.2.4 Jul 15th 2024

duo_unix

Travis (.org)

The duo_unix module handles the deployment of duo_unix (login_duo or pam_duo) across a range of Linux distributions. The module will handle repository dependencies, installation of the duo_unix package, configuration of OpenSSH, and PAM alterations as needed.

For further information about duo_unix, view the official documentation.

Table of Contents

  1. Description
  2. Setup - The basics of getting started with duo_unix
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Contributing

Description

The duo_unix Puppet module installs and manages duo_unix (login_duo or pam_duo).

This module is meant to be a drop-in replacement for the abandoned official puppet module.

Setup

What duo_unix affects

This module will add the official Duo Inc. repository. It will also then install the appropriate package(s) for your system.

It will also optionally alter some files on your system to help ensure that user login attempts will correctly require Duo to succeed.

If usage is set to login, it will set the following directives in /etc/ssh/sshd_config

ForceCommand       /usr/sbin/login_duo
PermitTunnel       no
AllowTcpForwarding no

If usage is set to pam, it will alter your pam config. Those changes are distribution-specific. To see exactly what is changed, please refer to the manifests/pam_config.pp file.

If accept_env_factor is set to yes, it will configure your sshd_config to allow DUO_PASSCODE as an AcceptEnv value to enable out-of-band 2FA in the shell for use cases such as scp. This feature is only possible if usage is set to login.

Setup Requirements

This module requires some additional modules, but it is highly likely that they are already installed on your puppet server. They are as follows:

  • puppetlabs/apt 6.0 - 9.0
  • puppetlabs/augeas_core 1.0.0 - 2.0.0
  • puppetlabs/stdlib 5.0.0 - 10.0.0
  • puppetlabs/yumrepo_core 1.0.0 - 2.0.0

Beginning with duo_unix

The very basic steps needed for a user to get the module up and running. This can include setup steps, if necessary, or it can be an example of the most basic use of the module.

Usage

class { 'duo_unix':
  usage             => 'login',
  ikey              => 'your integration key',
  skey              => 'your secret key',
  host              => 'api-yourhost.duosecurity.com',
  motd              => 'yes',
  accept_env_factor => 'no',
  duo_rsyslog       => false, 
}

Notes

  • accept_env_factor is set to 'no' by default, but when set to 'yes', enables DUO_PASSCODE as desribed above for out-of-band 2FA
  • duo_rsyslog is set to false by default, but when set to true, enables sending duo auth messages to the OS-default auth log (this is also very helpful for simplifying fail2ban config if also used)

Limitations

In the past the official Duo module supported various RedHat derivatives. This module currently only makes minor attempts to support them.

Contributing

Pull requests are welcome, but all code must meet the following requirements

  • Is fully tested
    • Note: Unit testing uses the rspec-puppet-augeas Ruby gem, which requires the following local packages (at least in Debian-based environments) to be installed: ruby-augeas augeas-tools augeas-lenses libaugeas-dev
  • All tests must pass
  • Follows the Puppet language style guide
  • All commits must be signed