Seems like Duo have updated the apt repo public key.

First of all, thanks for this replacement!

We noticed that when we set ensure to latest (default = present) , the puppet agent will give an error:
Error: Failed to apply catalog: Validation of File[/etc/duo/login_duo.conf] failed: You cannot specify more than one of content, source, target (file: /etc/puppetlabs/code/modules/duo_unix/manifests/init.pp, line: 140)

This error is not cause by de Package resource but with the File resource (etc/duo/login_duo.conf) where the same $ensure is used. To my knowledge this cannot work this way.

For now I changed the Package resource to latest by hand.

We would like to use iu-duo_unix while also using the approach proposed by CERN to protect the second factor:
https://cern-cert.github.io/pam_2fa/

iu-duo_unix is essentially missing three things:

• pam_ssh_user_auth package
• Inserting auth pam_ssh_user_auth.so, auth pam_deny and auth /lib64/security/pam_duo.so in /etc/pam.d/sshd
• Inserting AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam keyboard-interactive:pam,keyboard-interactive:pam in /etc/ssh/sshd_config.

Would you be interested in a PR that implements this in iu-duo_unix?

There is no CentOS 9, only CentOS Stream. The repos for Stream are at a different path. It looks like there is a simple fix in the duo_unix:::repos class here by changing it to:

    $osname = $facts['os']['name'] ? {
        'CentOS'       => $facts['os']['release']['id'],
        default        => 'RedHat',
      }

More Info on the os release id fact and CentOS Stream: puppetlabs/facter#2291 (comment)

This would also have the effect of pointing CentOS 8 Stream at the CentOSStream repo instead of the CentOS repo path.

Also noticed CentOS Stream "support" was added but then removed in 6c009d8 due to the os name fact still being set to CentOS. Most of that can probably be added back with some additional changes to the repo spec test.

I can probably submit a Pull Request but it will take me a bit to set up signing of commits.

I'm trying to use this module on Rocky Linux (RIP CentOS...), it adds the repo as
"https://pkg.duosecurity.com/Rocky/$releasever/$basearch" in the "/etc/yum.repos.d/duosecurity.repo" file.

However, there's no such repo (or symlink) available on duosecurity's repo.. Not sure if this would be the prefered way?

Aditionally; is there any way to make the module not handle the repos so we can handle this ourselves?
I prefer to use internal repositories.. (servers usually don't have direct internet access).

AllowTcpForwarding no should be removed and managed in a different way like using the SSH module to manage this setting as this setting conflicts in environments where the requirement for AllowTcpForwarding needs to be yes. In this issue, I also took the opportunity to update pdk, changelog, metadata.json and also removed the vscode extension. All unit test passes. Pull request to follow up soon.

The architecture specification for Ubuntu 18.04 does not work correctly.

E: Failed to fetch https://pkg.duosecurity.com/Ubuntu/dists/xenial/Release  Unable to find expected entry 'main/binary-x86_64/Packages' in Release file (Wrong sources.list entry or malformed file)

It is more flexible for the ForceCommand line to be inside a "match" block, whether group or user. Using this match block would apply to all users:

Match Group * ForceCommand /usr/sbin/login_duo PermitTunnel no

Using this method, you can specify which groups or users should not be forced to go through Duo 2FA (following a ! character). We tried to use the "groups" option in the login_duo.conf file but it fails for special users with a chroot directory. This is because the groups restriction in login_duo happens after sshd runs the force_command.

Can line 15 be removed from the ssh_config.pp?

Just tried the update on a CentOS machine and am getting the error:

Error: Systemd start for ssh failed!
journalctl log for ssh:
-- No entries --

Error: /Stage[main]/Duo_unix::Ssh_config/Service[ssh]/ensure: change from 'stopped' to 'running' failed: Systemd start for ssh failed!
journalctl log for ssh:
-- No entries --

I'm pretty sure the ssh service for the RedHat family is sshd and not ssh.

Need to write code to configure ssh to use PAM and to configure the PAM stack to use Duo.

I have been trying to work on a PR for #35, and I noticed that this line does not seem like it will ever be executed:
https://github.com/indiana-university/puppet-duo_unix/blob/master/manifests/init.pp#L141

since you can't have $usage == 'login' in that section (you are in the else from $duo_unix::usage == 'login'.

Am I misreading this ?

Because the original repo was named differently from the current repo it is added twice which causes an error on Ubuntu which causes puppet to fail.

To test the addition of AcceptEnv variables to sshd_config using augeas in manifests/ssh_config.pp, I have attempted to also properly apply unit tests to these augeas blocks (using rspec-puppet-augeas). This is because when we're unit testing, we're testing the contents of a Puppet catalog instead of the real sshd_config file. I therefore created an updated spec/classes/ssh_config_spec.rb with this content:

require 'spec_helper'
describe 'duo_unix::ssh_config' do
  let(:pre_condition) { "package { 'duo_unix': ensure => 'installed' } package { 'duo-unix': ensure => 'installed' }" }

  on_supported_os.each do |os, os_facts|
    let :pre_condition do
      "class { 'duo_unix':
        usage => 'login',
        ikey => 'testikey',
        skey => 'testskey',
        host => 'api-XXXXXXXX.duosecurity.com',
        accept_env_factor => 'yes' }"
    end

    context "on #{os}" do
      let(:facts) { os_facts }

      it { is_expected.to compile }
    end

    context 'with accept_env_factor => yes' do
      let(:facts) { os_facts }

      it {
        is_expected.to contain_file('/etc/duo/login_duo.conf')
          .with_content(%r{^accept_env_factor=yes$})
      }
      describe 'sshd' do
        it 'Finds duo_ssh_env augeas resource' do
          is_expected.to contain_augeas('duo_ssh_env')
        end

        # Expects Augeas['duo_ssh_env'] because sshd_config is a pre-existing and therefore not testable in the catalog by Rspec
        describe_augeas 'duo_ssh_env', lens: 'Sshd.lns', target: 'etc/ssh/sshd_config' do
          it 'Ensures DUO_PASSCODE is added to AcceptEnv' do

            # Check changes in the file with aug_get and aug_match
            aug_match('DUO_PASSCODE').is_expected.to include('DUO_PASSCODE')

            # Verify idempotence last to prevent false positive
            is_expected.to execute.idempotently
          end
        end
      end
    end
  end
end

However, when running the unit tests, I get (many copies of) this error:

Failures:

  1) duo_unix::ssh_config with accept_env_factor => yes sshd Augeas[duo_ssh_env] Ensures DUO_PASSCODE is added to AcceptEnv
     Failure/Error: aug_match('DUO_PASSCODE').is_expected.to include('DUO_PASSCODE')
     
     RuntimeError:
       Got 2 failure(s) while initializing: File[/tmp/d20240415-916643-c35377]: change from 'absent' to 'directory' failed: Failed to set owner to '0': Operation not permitted @ apply2files - /tmp/d20240415-916643-c35377; File[/tmp/d20240415-916643-nn2gev/ssl]: change from 'absent' to 'directory' failed: Failed to set owner to '0': Operation not permitted @ apply2files - /tmp/d20240415-916643-nn2gev/ssl
     # ./spec/classes/ssh_config_spec.rb:38:in `block (6 levels) in <top (required)>'
     # bin/rspec:29:in `load'
     # bin/rspec:29:in `<main>'

Unfortunately, there appears to be a number of very stale (and unlikely to change) official sources that indicate this error will not be resolved:

• domcleal/rspec-puppet-augeas#21
• https://puppet.atlassian.net/browse/PDK-817