pam: type/provider for PAM files for Puppet

This module provides a new type/provider for Puppet to read and modify PAM config files using the Augeas configuration library.

The advantage of using Augeas over the default Puppet parsedfile implementations is that Augeas will go to great lengths to preserve file formatting and comments, while also failing safely when needed.

This provider will hide all of the Augeas commands etc., you don't need to know anything about Augeas to make use of it.

Requirements

Ensure both Augeas and ruby-augeas 0.3.0+ bindings are installed and working as normal.

See Puppet/Augeas pre-requisites.

Installing

On Puppet 2.7.14+, the module can be installed easily (documentation):

puppet module install herculesteam/augeasproviders_pam

You may see an error similar to this on Puppet 2.x (#13858):

Error 400 on SERVER: Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid resource type `pam` at ...

Ensure the module is present in your puppetmaster's own environment (it doesn't have to use it) and that the master has pluginsync enabled. Run the agent on the puppetmaster to cause the custom types to be synced to its local libdir (puppet master --configprint libdir) and then restart the puppetmaster so it loads them.

Compatibility

Puppet versions

Minimum of Puppet 2.7.

Augeas versions

Documentation and examples

Type documentation can be generated with puppet doc -r type or viewed on the Puppet Forge page.

manage simple entry

pam { "Set sss entry to system-auth auth":
  ensure    => present,
  service   => 'system-auth',
  type      => 'auth',
  control   => 'sufficient',
  module    => 'pam_sss.so',
  arguments => 'use_first_pass',
  position  => 'before module pam_deny.so',
}

manage same entry but with Augeas xpath

pam { "Set sss entry to system-auth auth":
  ensure    => present,
  service   => 'system-auth',
  type      => 'auth',
  control   => 'sufficient',
  module    => 'pam_sss.so',
  arguments => 'use_first_pass',
  position  => 'before *[type="auth" and module="pam_deny.so"]',
}

delete entry

pam { "Remove sss auth entry from system-auth":
  ensure  => absent,
  service => 'system-auth',
  type    => 'auth',
  module  => 'pam_sss.so',
}

delete all references to module in file

pam { "Remove all pam_sss.so from system-auth":
  ensure  => absent,
  service => 'system-auth',
  module  => 'pam_sss.so',
}

manage entry in another pam service

pam { "Set cracklib limits in password-auth":
  ensure    => present,
  service   => 'password-auth',
  type      => 'password',
  module    => 'pam_cracklib.so',
  arguments => ['try_first_pass','retry=3', 'minlen=10'],
}

manage entry like previous but in classic pam.conf

pam { "Set cracklib limits in password-auth":
  ensure    => present,
  service   => 'password-auth',
  type      => 'password',
  module    => 'pam_cracklib.so',
  arguments => ['try_first_pass','retry=3', 'minlen=10'],
  target    => '/etc/pam.conf',
}

allow multiple entries with same control value

pam { "Set invalid login 3 times deny in password-auth -fail":
  ensure           => present,
  service          => 'password-auth',
  type             => 'auth',
  control          => '[default=die]',
  control_is_param => true,
  module           => 'pam_faillock.so',
  arguments        => ['authfail','deny=3','unlock_time=604800','fail_interval=900'],
}

Issues

Please file any issues or suggestions on GitHub.

Changelog

2.3.0

• allow augeasproviders_core 3.x

2.2.1

• Fix puppet requirement to < 7.0.0

2.2.0

• Add support for Puppet 6
• Drop support for Puppet < 5
• Update supported OSes

2.1.1

• Upped supported Puppet versions to include Puppet 5

2.1.0

• Support forced positioning (thanks to Michael Marod)
• Do not version Gemfile.lock
• Sudo needed on Travis
• Update copyright
• Improve README

2.0.3

• Add requirements to metadata.json

2.0.2

• Fix metadata.json

2.0.1

• Remove erratic symlink in spec directory

2.0.0

• First release of split module.