cookbook 'duosecurity', '= 2.0.0'
duosecurity
(21) Versions
2.0.0
-
Follow1
Installs/Configures duosecurity two-factor system authentication on Ubuntu/Debian
cookbook 'duosecurity', '= 2.0.0', :supermarket
knife supermarket install duosecurity
knife supermarket download duosecurity
duosecurity Cookbook
====================
Installs and configures either
login_duo or
pam_duo depending on the attribute
settings.
You will need to configure sshd to make use of it. See the upstream
docs for information.
Attributes
-
node["duosecurity"]["integration_key"]
- Required. Integration key, recommended to set from an encrypted value. -
node["duosecurity"]["secret_key"]
- Required. Secret key, recommended to set from an encrypted value. -
node["duosecurity"]["api_hostname"]
- Required. API hostname for your Duo account. -
node["duosecurity"]["groups"]
- Optional. If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists. -
node["duosecurity"]["failmode"]
- Optional. On service or configuration errors that prevent Duo authentication, fail "safe" (allow access) or "secure" (deny access). The default is "safe". -
node["duosecurity"]["pushinfo"]
- Optional. Include information such as the command to be executed in the Duo Push message. Either "yes" or "no". The default is "no". -
node["duosecurity"]["http_proxy"]
- Optional. Use the specified HTTP proxy, same format as theHTTP_PROXY
environment variable. (honored by wget, curl, etc.). -
node["duosecurity"]["autopush"]
- Optional. Either "yes" or "no". Default is "no". If "yes", Duo Unix will automatically send a push login request to the user's phone, falling back on a phone call if push is unavailable. If "no", the user will be prompted to choose an authentication method. When configured withautopush = yes
, we recommend settingprompts = 1
. -
node["duosecurity"]["motd"]
- Optional. Print the contents of/etc/motd
to screen after a successful login. Either "yes" or "no". The default is "no". This option is only available for login_duo. -
node["duosecurity"]["prompts"]
- Optional. If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again. This option sets the maximum number of prompts that Duo Unix will display before denying access. Must be 1, 2, or 3. Default is 3. For example, when prompts = 1, the user will have to successfully authenticate on the first prompt, whereas if prompts = 2, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again. When configured withautopush = yes
, we recommend setting prompts = 1. -
node["duosecurity"]["accept_env_factor"]
- Optional. Look for factor selection or passcode in the$DUO_PASSCODE
environment variable before prompting the user for input. When$DUO_PASSCODE
is non-empty, it will override autopush. The SSH client will needSendEnv DUO_PASSCODE
in its configuration, and the SSH server will similarily needAcceptEnv DUO_PASSCODE
. Default is "no". -
node["duosecurity"]["fallback_local_ip"]
- Optional. Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and whitelisting. If Duo Unix cannot detect the IP address of the client, settingfallback_local_ip = yes
will cause Duo Unix to send the IP address of the server it is running on. If you are using IP whitelisting, enabling this option could cause unauthorized logins if the local IP is listed in the whitelist. -
node["duosecurity"]["https_timeout"]
- Optional. Set to the number of seconds to wait for HTTPS responses from Duo Security. If Duo Security takes longer than the configured number of seconds to respond to the preauth API call, the configured failmode is triggered. Other network operations such as DNS resolution, TCP connection establishment, and the SSL handshake have their own independent timeout and retry logic. Default is 0, which disables the HTTPS timeout. -
node["duosecurity"]["install_type"]
- Optional. Either "source" or "package". Defaults to "source" which will compile from source code and requires a working compiler (not managed by this cookbook). -
node["duosecurity"]["use_pam"]
- Optional. Either "yes" or "no". Default is "no". If "yes", Duo Unix will be setup as a pam module and ssh will be configured to use it rather than thelogin_duo
binary. Requires OpenSSH 6.2+. -
node["duosecurity"]["protect_sudo"]
- Optional. Either "yes" or "no". Default is "no". If "yes", then Duo two-factor authentication will be used for the sudo command ifuse_pam
is alsoyes
. -
node["duosecurity"]["use_duo_repo"]
- Optional. Either "yes" or "no". Default is "no". If "yes", the duosecurity.com apt repo will be added and latest version from the repo will be preferred ifinstall_type
is set topackage
. -
node["duosecurity"]["first_factor"]
- Optional. Either "pubkey", "password" or undefined.pubkey
will alter sshd configuration to use public key auth as first factor.password
will alter sshd configuration to use password as first factor. Leaving undefined will not set default ssh authentication configuration. Requiresuse_pam
to beyes
. -
node["duosecurity"]["apt"]["keyserver"]
- Optional. Override the default keyserver for the duosecurity.com APT repository signing key.
Dependent cookbooks
ark >= 0.0.0 |
pam >= 0.0.0 |
sshd >= 0.0.0 |
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
duosecurity CHANGELOG
This file is used to list changes made in each version of the duosecurity cookbook.
1.4.1
- [mattlqx] - Remove expired Duo repo GPG key and re-add.
1.4.0
- [mattlqx] - Compatibility for Ubuntu 18.04 Bionic Beaver.
1.3.5
- [mattlqx] - Bump to latest duo_unix version.
- [whiteley] - Change metadata to support Chef 13.
1.3.4
- [whiteley] - bump to latest duo_unix version
1.3.3
- [mattlqx] - Add
issues_url
,chef_version
to metadata.rb. Taken ownership of cookbook. 🤹🏻
1.3.2
- [mattlqx] - Fix GPG keys for Duo Security package repo
Check the Markdown Syntax Guide for help with Markdown.
The Github Flavored Markdown page describes the differences between markdown on github and standard markdown.
Collaborator Number Metric
2.0.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
2.0.0 passed this metric
No Binaries Metric
2.0.0 passed this metric
Testing File Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
2.0.0 passed this metric
2.0.0 failed this metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
2.0.0 passed this metric
No Binaries Metric
2.0.0 passed this metric
Testing File Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
2.0.0 passed this metric
2.0.0 passed this metric
2.0.0 passed this metric
Testing File Metric
2.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
2.0.0 passed this metric
2.0.0 failed this metric
2.0.0 passed this metric