Supporting MFA with Duo

[mboisson]

Again, for an internal project, we require using Duo.

[cmd-ntrf]

This should already be possible. The documentation to that affect might be a bit lacking.

To enable Duo, you have to install the Indiana University Puppet module for Duo using the puppetfile variable in the main.tf : https://github.com/ComputeCanada/magic_castle/tree/main/docs#419-puppetfile-optional

puppetfile = "mod 'iu-duo_unix', '4.0.1'"

Then in your hieradata file, you can define the duo config:

duo_unix::usage: 'login'
duo_unix::ikey: 'your integration key'
duo_unix::skey: 'your secret key'
duo_unix::host: 'api-yourhost.duosecurity.com'
duo_unix::motd: 'yes'

In your hieradata YAML file, you should define a new tag that will identify which instance require MFA:

magic_castle::site::tags:
  mfa:
    - duo_unix

Then finally, add that tag to your login instance for example:

login    = { type = "p2-4gb",     count = 1, tags = ["login", "public", "mfa"] },

[mboisson]

Thanks. I will test and eventually open a PR for documentation.

[mboisson]

I added mod 'iu-duo_unix', '4.0.1' to /etc/puppetlabs/code/environments/production/Puppetfile since it has no post-build effect, but I still get

 puppet-agent[22401]: Starting Puppet client version 7.27.0
puppet-agent[22403]: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Could not find class ::duo_unix for login1 (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 20, column: 3) on node login1
 puppet-agent[22403]: Applied catalog in 4.00 seconds

Anything else needs to be done ?

[mboisson]

Ok, I had to manually install it with puppet module install iu-duo_unix --ignore-dependencies

[mboisson]

For the list of all the undocumented parameters of the duo_unix module: https://github.com/indiana-university/puppet-duo_unix/blob/master/manifests/init.pp#L118

(in particular, I needed to use the groups parameter)

[mboisson]

After some testing, this does not work... the usage: 'pam' does not work and 'login' is problematic. We will need to configure /etc/pam.d/sshd and sshd_config better

[cmd-ntrf]

We were missing three things:

• pam_ssh_user_auth package
• auth pam_ssh_user_auth.so and auth /lib64/security/pam_duo.so in /etc/pam.d/sshd
• AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam keyboard-interactive:pam,keyboard-interactive:pam in /etc/ssh/sshd_config.

This CERN page on pam_ssh_user_auth put me on the right track: https://cern-cert.github.io/pam_2fa/

[mboisson]

Issue in iu-duo_unix indiana-university/puppet-duo_unix#35

[mboisson]

Deploying MFA also requires some adjustment for account CentOS in sshd_config or (/etc/ssh/sshd_config.d + adding Include /etc/ssh/sshd_config.d/*.conf to sshd_config), otherwise it breaks Terraform's own SSH connections:
hashicorp/terraform#16032 (comment)