Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-oath', '0.6.0'
Description
By default, this module will only install oathtool, a command line utility for generating one-time passwords.
Optionally, this module will install the pam_oath and liboath packages from EPEL and configure them. In this case, this module will manage the configuration for these packages, including users, keys and exclusions.
See REFERENCE.md for more details.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.
Setup
What oath affects
If configured to install pam_oath, this module will install the following packages:
- pam_oath: adds /usr/lib64/security/pam_oath.so
- liboath
- pam (a dependency of pam_oath)
It will also manage files in /etc/liboath.
WARNING: While this module will not edit the PAM stack, it will manage the users and keys required for pam_oath.so module functionality. If the PAM stack is modified to utilize this module, only users in /etc/liboath/users.oath or those who fall under an exclude will be able to authenticate.
Beginning with oath
include 'oath'
Usage
include 'oath'
For anything other than a simple installation of oathtool, either simp_options::oath needs to be set to true or oath::pam_oath needs to be overridden to true. simp_options::oath is a global catalyst indicating to other simp modules (pupmod-simp-ssh and pupmod-simp-pam) that they should add pam_oath to their respective pam stacks (system-auth and sshd). On the other hand, just enabling oath::pam_oath will tell oath to install pam_oath and liboath from the epel_release repository, as well as write the appropriate configuration files to the /etc/liboath/ directory.
A default list of users for which TOTP keys are configured is defined in data/common.yaml for the module. More details about this can be found in the documentation of manifests/config.pp. This can be modified in place or overridden in puppet or Hiera.
For implementation without the corresponding simp modules, the following code can be added to most PAM stacks.
WARNING: Modifying the PAM stack is very dangerous and should not be done on a production system without prior testing. Please take appropriate care to not lock yourself out of the system you are modifying.
auth [success=3 default=ignore] pam_listfile.so item=group sense=allow file=/etc/liboath/exclude_groups.oath
auth [success=2 default=ignore] pam_listfile.so item=user sense=allow file=/etc/liboath/exclude_users.oath
auth [success=1 default=bad] pam_oath.so usersfile=/etc/liboath/users.oath window=1
auth requisite pam_deny.so
Limitations
Currently, while the pam_oath package supports HOTP as well as TOTP, this module only supports TOTP configuration. HOTP can be configured to work by setting oath::oath_users to undef, which will lead to /etc/liboath/users.oath no longer being managed by puppet. This keeps the last HOTP code from being overwritten, as pam_oath uses the config file to keep track of this data.
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Development
Please read our Contribution Guide.
Acceptance tests
As use of this module by itself should not affect the operation of a system, this module contains only a basic acceptance test. The spec tests are much more representative of the functionality of this module.
Reference
Table of Contents
Classes
Public Classes
oath: This module is utilized by other modules in SIMP to download TOTP required packages and configure them with sane defaults as to make pam_oath
Private Classes
oath::config: This class is called from oath for pam_oath configuration. This class ensures files and directories have the correct selinux contexts to run
oath::install: This class is called from oath for installation of packages required to implement one-time passwords as part of PAM authentication.
oath::oathtool_install: This class is called from oath for installation of the oathtool utility. This utility enables conversion of a secret key into an appropriate
Defined types
oath::config::exclude_group: This define takes params and constructs a consistently formatted concat fragment that will be inserted as a line in /etc/liboath/exclude_group
oath::config::exclude_user: This define takes params and constructs a consistently formatted concat fragment that will be inserted as a line in /etc/liboath/exclude_users
oath::config::user: This define takes params and constructs a consistently formatted concat fragment that will be inserted as a line in /etc/liboath/users.oath
Classes
oath
This module is utilized by other modules in SIMP to download TOTP required packages and configure them with sane defaults as to make pam_oath.so a functional pam module if used.
Example hieradata
  oath::oath_users:
    defaults:
      token_type: 'HOTP/T30/6'
      pin: '-'
    user:
      secret_key: 'my_secret_key'
    other_user:
      pin: 1234 # fields in user with override defaults
      secret_key: 'secret_key_for_other_user'
Parameters
The following parameters are available in the oath class:
oath
Data type: Boolean
Whether or not to install pam_oath and liboath (if true) or just oathtool (a command-line utility for getting a 2FA code from a corresponding secret key).
- Defaults to the global catalyst simp_options::oath.
Default value: simplib::lookup('simp_options::oath', { 'default_value' => false })
pam
Data type: Boolean
Whether or not pam is configured on the simp system.
- Will not install pam_oath without $pam being true.
WARNING: If this is overridden to true, pam will install as a dependency of pam_oath.
Default value: simplib::lookup('simp_options::pam', { 'default_value' => true })
package_ensure
Data type: Simplib::PackageEnsure
Sets the value for resource => package, key => ensure.
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present'})
oath_exclude_users
Data type: Optional[Array]
Optional array that will enter each array member as a user in the exclude_users.oath file, keeping them from needing oath 2FA when configured for other users.
Default value: undef
oath_exclude_groups
Data type: Optional[Array]
Optional array that will enter each array member as a group in the exclude_groups.oath file, keeping members of these groups from needing oath 2FA when configured for other users.
Default value: undef
oath_users
Data type: Optional[Hash]
Hash of users processed to create the users.oath file required by the pam_oath.so module.
Defaults to hieradata in data/common.yaml. If this is deleted, or set to undef, puppet will not manage users.oath. Processing happens in manifests/config.pp with the config define being in manifests/config/user.pp.
Default value: undef
Defined types
oath::config::exclude_group
This define takes params and constructs a consistently formatted concat fragment that will be inserted as a line in /etc/liboath/exclude_groups.oath
Parameters
The following parameters are available in the oath::config::exclude_group defined type:
group
Data type: Pattern[/^[a-zA-Z0-9\-_]+(\s+)?$/]
The group that will be affected
oath::config::exclude_user
This define takes params and constructs a consistently formatted concat fragment that will be inserted as a line in /etc/liboath/exclude_users.oath
Parameters
The following parameters are available in the oath::config::exclude_user defined type:
user
Data type: Pattern[/^[a-zA-Z0-9\-_]+(\s+)?$/]
The username that will be affected
oath::config::user
This define takes params and constructs a consistently formatted concat fragment that will be inserted as a line in /etc/liboath/users.oath
Parameters
The following parameters are available in the oath::config::user defined type:
user
Data type: Array[String[1]]
The username that will be affected
token_type
Data type: Pattern[/^HOTP((\/T\d+)?(\/\d+)?)(\s+)?$/]
The type of OATH token that you are managing. Valid options:
- HOTP
- HOTP/T<window_time>
- HOTP/<one-time_password_length>
- HOTP/T<window_time>/<one-time_password_length>
pin
Data type: Variant[Enum['-','+'], Integer[0,99999999]]
The PIN to use for the OATH token
secret_key
Data type: Pattern[/^(..)+(\s+)?$/]
Any continuous string of even length (an odd-length secret_key can break one-time password generators)
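To show how the oath::config::user fields above (token_type, pin, secret_key) end up being consumed, and what the window=1 option on the pam_oath.so line in the Usage section tolerates, here is an added Python example that is not part of the module. It assumes pam_oath's usersfile layout of "token_type user pin hex_secret" per line, HMAC-SHA1 as the OTP algorithm, and a +/- interpretation of window; the sample line is constructed around the RFC 4226/6238 test key.

```python
import hashlib
import hmac
import re
import struct
import time

# Assumed users.oath line layout (pam_oath usersfile format):
#   <token_type> <user> <pin> <hex_secret>
# token_type follows the module's pattern HOTP[/T<step>][/<digits>].
TOKEN_RE = re.compile(r"^HOTP(?:/T(\d+))?(?:/(\d+))?$")

def parse_users_oath_line(line):
    """Return (step_seconds or None for event-based HOTP, digits, user, pin, secret)."""
    token_type, user, pin, hexkey = line.split()
    m = TOKEN_RE.match(token_type)
    if not m:
        raise ValueError("bad token_type: " + token_type)
    step = int(m.group(1)) if m.group(1) else None
    digits = int(m.group(2)) if m.group(2) else 6
    # bytes.fromhex() rejects odd-length input: the secret_key even-length caveat
    return step, digits, user, pin, bytes.fromhex(hexkey)

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1, the default used by oathtool and pam_oath."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, step=30, digits=6, now=None):
    """RFC 6238 TOTP: HOTP over the time-step counter floor(now / step)."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step), digits)

def totp_valid(secret, code, step=30, digits=6, window=1, now=None):
    """Accept codes from `window` steps either side of the current step
    (assumed +/- interpretation of the PAM window=1 option)."""
    now = time.time() if now is None else now
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))

# Constructed sample line; the secret is the RFC 4226/6238 test key "12345678901234567890".
SAMPLE_LINE = "HOTP/T30/6 alice - 3132333435363738393031323334353637383930"

def check_sample(now=59):
    """Parse the sample line and return (user, code) for the given Unix time."""
    step, digits, user, _pin, secret = parse_users_oath_line(SAMPLE_LINE)
    return user, totp(secret, step, digits, now)
```

At Unix time 59 the sample line yields step 30, so counter 1 and code 287082; with window=1 the codes for counters 0 and 2 are also accepted, which is exactly the clock-skew tolerance the PAM line grants.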
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 0.6.0
  - [puppetsync] Updates for Puppet 8
    - These updates may include the following:
      - Update Gemfile
      - Add support for Puppet 8
      - Drop support for Puppet 6
      - Update module dependencies
- Wed Aug 23 2023 Steven Pritchard steve@sicura.us - 0.5.0
- Add AlmaLinux 8 support
- Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 0.4.0
- Add RockyLinux 8 support
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.3.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Mon Jan 11 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.2.1
- Removed EL6 support
- Fixed an error in the Documentation in the module.
- Mon Feb 24 2020 Trevor Vaughan tvaughan@onyxpoint.com - 0.2.0-0
- Add EL8 support
- Code cleanup
- Allow users to be any String value
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 0.2.0-0
- Support concat 6.x.
- Tue Jul 02 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.1-0
- Updated README.md
- Created REFERENCE.md
- Support puppetlabs-stdlib 6
- Mon Apr 01 2019 Zach turtles.be.the.best@gmail.com - 0.1.0-0
- Added pam_oath.so configuration code
- Added strict type matching of oath::oath_users hieradata
- Created Rspec tests checking correct catalog creation
- Skeleton acceptance test created (and working)
- Updated documentation to reflect current state of the module
Dependencies
- puppetlabs/concat (>= 6.4.0 < 10.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
oath - Installation and config for pam_oath rpm

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.