Current playbook includes a feature we do not need but I'd rather remove that feature (the multi-user accommodation) then try to write my own playbook from scratch.
Adam Panzer @apanzerj / e-squared
This repository contains an Ansible role used to set up Duo-based 2-factor authentication SSH logins. The role supports CentOS- and Debian- based systems, and has been tested on latest (05/24) CentOS 7 and Ubuntu 16.04.
Duo is patched for multi-user support: any Duo user in the organization can authenticate as any user on the system (provided they also have a matching SSH key etc).
If multiple humans use the same account on a system
(Alice and Bob both log in as centos) this is great -- they can each have their own Duo account and
hence own 2FA devices. If each human has their own user account, this probably isn't what you want and you
should use a different Ansible role.
Please read this README carefully to avoid creating security holes. In particular, note that you must modify the default Duo New User Policy.
duo_ssh_ikey- Duo application Integration Key (found in application dashboard)duo_ssh_skey- Duo application Secret Key (found in application dashboard)duo_ssh_host- Duo application host endpoint (found in application dashboard)
By default, Duo does not allow system-wide multi-user support (setting the setuid bit disables shared accounts for non-root-users, setting the setuid bit requires each user to have their own configuration file). This is for good reason: it allows every Duo user to retrieve the duo conf file,
and hence fake authentication as other Duo users.
However, by making the assumption that all Duo users are equally trusted: i.e., all Duo users in the organization can perform the second factor of authentication for any account on the system, then these security concerns go away. In fact, the assumption is weaker: a group of users can be created in the Duo dashboard, and the application restricted to this group. The trust then only need extend to users in this group.
Additionally, the Duo New User Policy must be set to Deny access to unenrolled users. Otherwise, an attacker can simply enter a nonexistent Duo user name, receive a link to enroll into Duo and then use their newly-created account to successfully complete 2FA.
Finally, OpenSSH initializes port forwarding and tunneling before the Duo 2FA challenge, so PermitTunnel
and AllowTcpForwarding are disabled to avoid a potential attack via port
forwarding.
- Log into, or create a new account on duo.com.
- Use the Applications tab of the Dashboard to protect a new
UNIX Application. Make note of the integration key, secret key and API hostname. - Under the Policy section of the application, create a new Application Policy. Set the New User Policy to Deny access to unenrolled users..
- Use the Users tab of the dashboard to create a new Duo user. Add an email address, and follow the steps in the welcome email to complete the enrollment process.
- Install Ansible and run
ansible-playbook --extra-vars "duo_ssh_ikey=IKEY duo_ssh_skey=SKEY duo_ssh_host=DUO_HOST" -u USER -i "HOST," playbook.yml
where USER@HOST is the server to run on, and IKEY, SKEY and DUO_HOST are the vars
noted in step 2.
6. Login to the server using the same key/etc as before. When prompted for a Duo user, enter the username
created in step 4. Follow the on-screen instructions to complete push/SMS/voice authentication.
A barebones playbook.yml is included that can be used to run the role. Install Ansible and run
ansible-playbook --extra-vars "duo_ssh_ikey=IKEY duo_ssh_skey=SKEY duo_ssh_host=DUO_HOST" -u USER -i "HOST," playbook.yml
where USER@HOST is the machine to run on, and IKEY, SKEY and DUO_HOST are the vars described in
Variables.
To integrate the role into an existing ansible playbook:
- Copy the
roles/duodirectoryfrom this repository into the existing ansiblerolesdirectory. - Add
duoto the roles array in the existing playbook. - Add the duo vars to the playbook or inventory. Alternatively, pass in the vars when
running the
ansible-playbookcommand, as demonstrated in Standalone.
MIT