This module manages the configuration of https://github.com/mricon/totp-cgi. It includes a server component and client components. The only current client module is for sudo.
===
This module has been tested to work on the following systems using Puppet v4 with Ruby version 2.0.0.
- EL 7
===
- mthibaut/users >=v1.0.11
- puppetlabs/apache >=1.5.0
- camptocamp/selinux, >=0.1.19 (should go away with a proper fix to the el7 selinux policy)
- https://github.com/herlo/puppet-module-pam (a fork of ghoneycutt/pam with a few improvements). See ghoneycutt/puppet-module-pam#115 for the current status of the PR.
- https://github.com/herlo/puppet-module-nsswitch.git (a fork of ghoneycutt/nsswitch with a few improvements; required by puppet-module-pam)
===
All configuration parameters are represented under 'totpcgi::'.
Boolean determining whether this module will manage the installation of the totpcgi, totpcgi-selinux, and totpcgi-provisioning packages.
- Default: true
Whether this module will manage the installation of the python-qrcode package. This package is used to display qrcodes for adding pincodes.
- Default: true
How new pincode accounts are provisioned. The options are 'manual' and 'automatic'.
'automatic' is not yet supported.
- Default: 'manual'
String (which the config reads as a boolean) controlling whether a pincode (or password) is also required.
- Default: 'False'
String returned from the totpcgi service indicating successful validation of token.
- Default: 'OK'
Whether to encrypt the master secret for totp codes.
NOTE: It's important to realize that this comes with a trade-off: if a client forgets their pincode, the TOTP token will need to be re-provisioned.
- Default: 'False'
If the $provisioning value is set to 'manual', this construct creates the token files.
See https://github.com/lfit/totp-cgi/blob/master/INSTALL.rst#provisioning-cgi
- Default: undef

Example (YAML):

```yaml
totpcgi::tokens:
  bob:
    encoded_secret: '2AA348X9K27GH0B4'
    tokens:
      - '01234567'
      - '12345678'
      - '23456789'
      - '34567890'
      - '45678901'
```
String, see https://github.com/google/google-authenticator/blob/master/libpam/FILEFORMAT
- Default: '3'
String, see https://github.com/google/google-authenticator/blob/master/libpam/FILEFORMAT
- Default: '3 30'
Boolean, see https://github.com/google/google-authenticator/blob/master/libpam/FILEFORMAT
- Default: true
Boolean, see https://github.com/google/google-authenticator/blob/master/libpam/FILEFORMAT
- Default: true
String, see https://github.com/google/google-authenticator/blob/master/libpam/FILEFORMAT
- Default: undef
The default number of scratch tokens included in the user.totp file.
- Default: '5'
How many bits in a generated secret.
- Default: '80'
Identifies the token in the Google Authenticator application. The '$username' is interpolated at provisioning. Useful when users have more than one token.
- Default: '$username@example.com'
Where totpcgi configuration files live.
- Default: '/etc/totpcgi'
The path to totpcgi.conf.
- Default: '$totpcgi_config_dir/totpcgi.conf'
The owner and group for the $totpcgi_config mentioned above.
- Default: 'totpcgi'
The path to provisioning.conf.
- Default: '$totpcgi_config_dir/provisioning.conf'
The owner and group for the $provisioning_config mentioned above.
- Default: 'totpcgiprov'
Engine where totp secrets are stored. The options are:
- 'file'
- 'pgsql'
- 'mysql'
- Default: 'file'
When using 'file' for the $secret_engine, this will be the path holding the .totp files with secrets.
- Default: '$totpcgi_config_dir/totp'
When using 'pgsql' for the $secret_engine, this will be the connection string to the postgresql database.
- Default: 'user= password= host= dbname='
When using 'mysql' for the $secret_engine, this will be the mysql host.
- Default: undef
When using 'mysql' for the $secret_engine, this will be the user.
- Default: undef
When using 'mysql' for the $secret_engine, this will be the password.
- Default: undef
When using 'mysql' for the $secret_engine, this will be the database.
- Default: undef
Engine where pincodes are stored. The options are:
- 'file'
- 'pgsql'
- 'mysql'
- 'ldap'
- Default: 'file'
Default hash method used for verifying pincodes.
- Default: 'sha256'
Whether to compile the DBM database (only meaningful with the file backend).
- Default: 'True'
When using 'file' for the $pincode_engine, this will be the file holding username:password-hash values.
- Default: '$totpcgi_config_dir/pincodes'
When using 'pgsql' for the $pincode_engine, this will be the connection string to the postgresql database.
- Default: 'user= password= host= dbname='
When using 'mysql' for the $pincode_engine, this will be the mysql host.
- Default: undef
When using 'mysql' for the $pincode_engine, this will be the user.
- Default: undef
When using 'mysql' for the $pincode_engine, this will be the password.
- Default: undef
When using 'mysql' for the $pincode_engine, this will be the database.
- Default: undef
When using 'ldap' for the $pincode_engine, this will be the ldap_url.
- Default: 'ldaps://ipa.example.com:636/'
When using 'ldap' for the $pincode_engine, this will be the user.
- Default: 'uid=$username,cn=users,cn=accounts,dc=example,dc=com'
When using 'ldap' for the $pincode_engine, the CA Certificate path.
- Default: '/etc/ipa/ca.crt'
Engine where totpcgi state is stored. The options are:
- 'file'
- 'pgsql'
- 'mysql'
- Default: 'file'
When using 'file' for the $state_engine, this will be the state directory.
- Default: '/var/lib/totpcgi'
When using 'pgsql' for the $state_engine, this will be the connection string to the postgresql database.
- Default: 'user= password= host= dbname='
When using 'mysql' for the $state_engine, this will be the mysql host.
- Default: undef
When using 'mysql' for the $state_engine, this will be the user.
- Default: undef
When using 'mysql' for the $state_engine, this will be the password.
- Default: undef
When using 'mysql' for the $state_engine, this will be the database.
- Default: undef
Where the provisioning CGI is located, relative to the web root.
- Default: '/index.cgi'
CSS files provided to make the provisioning page look good.
- Default: '/'
Where to find the templates files.
- Default: '$totpcgi_config_dir/templates'
Whether to rely on HTTP auth to handle authentication. Turning this on requires setting 'encrypt_secret' to false.
- Default: 'False'
Since totpcgi is a CGI application, it is served from a virtualhost provided by the puppetlabs/apache module (see the dependencies above).
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: undef
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: '8443'
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: undef
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: 'admin@example.com'
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: undef
See https://github.com/puppetlabs/puppetlabs-apache
- Default: undef
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: true
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: 'OK'
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: 'OK'
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: 'OK'
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: undef
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: undef
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: undef
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: undef
See https://github.com/puppetlabs/puppetlabs-apache#define-apachevhost
- Default: undef
See https://github.com/puppetlabs/puppetlabs-apache#parameter-directories-for-apachevhost
- Default: undef
All configuration parameters are represented under 'totpcgi::client::'.
The FQDN of the totpcgi server host.
- Default: undef
The IP address of the totpcgi server host.
- Default: undef
Whether to add the totpcgi server IP/hostname to /etc/hosts, so that sudo keeps working even when DNS resolution is not.
- Default: true
Path to pam_url.conf.
- Default: '/etc/pam_url.conf'
The text prompt shown to users when performing sudo actions.
- Default: 'Token: '