Merge pull request #340 from mboisson/centos_authenticationmethods

Add authenticationmethods param to local user
ComputeCanada · Jun 11, 2024 · f3376b1 · f3376b1
2 parents 4f0e661 + b406d31
commit f3376b1
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1405,7 +1405,7 @@ A `profile::users::local_user` is defined as a dictionary with the following key
 | `sudoer`          | If enable, the user can sudo without password   | Boolean         | Yes        |
 | `selinux_user`    | SELinux context for the user                    | String          | Yes        |
 | `mls_range`       | MLS Range for the user                          | String          | Yes        |
-
+| `authenticationmethods` | Specifies AuthenticationMethods value for this user in sshd_config | String          | Yes        |
 
 <details>
 <summary>default values</summary>
@@ -1416,6 +1416,7 @@ profile::users::local::users:
     public_keys: "%{alias('terraform.data.public_keys')}"
     groups: ['adm', 'wheel', 'systemd-journal']
     sudoer: true
+    authenticationmethods: 'publickey'
 ```
 
 If `profile::users::local::users` is present in more than one YAML file in the hierarchy,
@@ -1436,6 +1437,7 @@ profile::users::local::users:
     # sudoer: false
     # selinux_user: 'unconfined_u'
     # mls_range: ''s0-s0:c0.c1023'
+    # authenticationmethods: 'publickey,password publickey,keyboard-interactive'
 ```
 </details>
 

diff --git a/data/common.yaml b/data/common.yaml
@@ -269,6 +269,7 @@ profile::users::local::users:
     public_keys: "%{alias('terraform.data.public_keys')}"
     groups: ['adm', 'wheel', 'systemd-journal']
     sudoer: true
+    authenticationmethods: 'publickey'
 
 
 profile::freeipa::base::domain_name: "%{alias('terraform.data.domain_name')}"

diff --git a/site/profile/manifests/users.pp b/site/profile/manifests/users.pp
@@ -128,6 +128,7 @@
   Boolean $sudoer = false,
   String $selinux_user = 'unconfined_u',
   String $mls_range = 's0-s0:c0.c1023',
+  String $authenticationmethods = '',
 ) {
   # Configure local account and ssh keys
   user { $name:
@@ -185,4 +186,13 @@
     line    => "${name} ALL=(ALL) NOPASSWD:ALL",
     require => File['/etc/sudoers.d/90-puppet-users'],
   }
+
+  if $authenticationmethods != '' {
+    sshd_config { "${name} authenticationmethods":
+      ensure    => present,
+      condition => "User ${name}",
+      key       => 'AuthenticationMethods',
+      value     => $authenticationmethods
+    }
+  }
 }