@scoates
Created March 13, 2015 19:15
SSH + MFA (with Google Authenticator) on Debian Wheezy
include:
  # for backports
  - apt

openssh6.6:
  pkg.installed:
    # backports; this number *will* change
    - pkgs:
      - openssh-server: 1:6.6p1-4~bpo70+1
      - openssh-client: 1:6.6p1-4~bpo70+1
  service.running:
    - name: ssh
    - require:
      - pkg: openssh6.6
    - watch:
      - pkg: openssh6.6
      - file: /etc/pam.d/sshd
      - file: /etc/ssh/sshd_config

libqrencode3:
  pkg.installed

libpam-google-authenticator:
  pkg.installed:
    # from http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20130529-2_amd64.deb
    - sources:
      - libpam-google-authenticator: salt://sshd-mfa/files/libpam-google-authenticator_20130529-2_amd64.deb
    - require:
      - pkg: libqrencode3

# see: http://delyan.me/securing-ssh-with-totp/
# nullok means that users without a ~/.google_authenticator will be
# allowed in without MFA; it's opt-in
# additionally, the user needs to log in to run `google-authenticator`
# before they'd have a configured MFA app/token anyway
/etc/pam.d/sshd:
  file.replace:
    - pattern: '@include common-auth'
    - repl: |
        auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
        @include common-auth
    - require:
      - pkg: libpam-google-authenticator

/etc/ssh/sshd_config:
  file.replace:
    - pattern: 'ChallengeResponseAuthentication no'
    - repl: |
        ChallengeResponseAuthentication yes
        AuthenticationMethods publickey,keyboard-interactive:pam
    - append_if_not_found: True
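The two file.replace states above are the whole of the MFA change: one line prepended to /etc/pam.d/sshd ahead of @include common-auth, and two sshd_config directives substituted for ChallengeResponseAuthentication no (or appended when that line is absent). The POSIX shell script below is an added example, not part of the gist and not Salt's own implementation: it performs the same two edits on constructed sample copies of the files, explicitly refuses to insert the PAM line a second time, and then audits the result, checking that the pam_google_authenticator line sits before @include common-auth (the order matters, because success=done ends the stack once the TOTP check passes) and that both sshd directives are present. The function names, the sample file contents and the temporary paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): apply the gist's two edits to scratch copies
# of /etc/pam.d/sshd and /etc/ssh/sshd_config, then audit the outcome.
# Assumes POSIX sh, awk, grep and mktemp; paths are passed in as arguments.
set -eu

PAM_LINE='auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok'
SSHD_CRA='ChallengeResponseAuthentication yes'
SSHD_AM='AuthenticationMethods publickey,keyboard-interactive:pam'

# Insert the PAM line directly above '@include common-auth', but only once:
# a second run must leave the file untouched.
configure_pam_sshd() {
    pam_file="$1"
    if grep -qF 'pam_google_authenticator.so' "$pam_file"; then
        return 0
    fi
    awk -v line="$PAM_LINE" '
        $0 == "@include common-auth" { print line }
        { print }
    ' "$pam_file" > "$pam_file.tmp" && mv "$pam_file.tmp" "$pam_file"
}

# Replace 'ChallengeResponseAuthentication no' with the two MFA directives;
# if that line is missing, append them (the append_if_not_found behaviour).
configure_sshd_config() {
    cfg="$1"
    if grep -qE '^ChallengeResponseAuthentication no' "$cfg"; then
        awk -v cra="$SSHD_CRA" -v am="$SSHD_AM" '
            /^ChallengeResponseAuthentication no/ { print cra; print am; next }
            { print }
        ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    elif ! grep -qF "$SSHD_AM" "$cfg"; then
        printf '%s\n' "$SSHD_CRA" "$SSHD_AM" >> "$cfg"
    fi
}

# Audit: succeed only when sshd requires key + PAM and the PAM line precedes
# common-auth. Line numbers come from grep -n (first match of each).
audit_ssh_mfa() {
    pam_file="$1"; cfg="$2"
    grep -qE "^$SSHD_CRA" "$cfg" || return 1
    grep -qF "$SSHD_AM" "$cfg" || return 1
    ga=$(grep -nF 'pam_google_authenticator.so' "$pam_file" | head -n1 | cut -d: -f1)
    ca=$(grep -nF '@include common-auth' "$pam_file" | head -n1 | cut -d: -f1)
    [ -n "$ga" ] && [ -n "$ca" ] && [ "$ga" -lt "$ca" ]
}

# Constructed sample inputs standing in for the stock Wheezy files.
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' '# PAM configuration for the Secure Shell service' \
        '@include common-auth' 'account required pam_nologin.so' > "$dir/sshd"
    printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication no' 'UsePAM yes' \
        > "$dir/sshd_config"
}

# Run both edits twice (second pass must be a no-op) and audit; returns 0 on success.
demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    configure_pam_sshd "$dir/sshd"
    configure_sshd_config "$dir/sshd_config"
    configure_pam_sshd "$dir/sshd"
    configure_sshd_config "$dir/sshd_config"
    if audit_ssh_mfa "$dir/sshd" "$dir/sshd_config"; then status=0; else status=1; fi
    rm -rf "$dir"
    return "$status"
}

demo && echo "ssh MFA configuration applied and verified"
```

The audit function is the part worth keeping around: run against the real /etc/pam.d/sshd and /etc/ssh/sshd_config it gives a cheap post-highstate check that a later edit has not moved the PAM line below common-auth or dropped the AuthenticationMethods directive, either of which would quietly turn the key-plus-TOTP requirement back into key-only or password login.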