Version information
This version is compatible with:
- Puppet Enterprise 3.2.x
- Puppet 3.x
Start using this module
Add this module to your Puppetfile:
mod 'ghoneycutt-pam', '2.13.0'
Learn more about managing modules with a Puppetfile
Documentation
pam module
This module manages PAM including accesslogin and limits.conf with functionality to create limits fragments for use in other modules.
===
Compatibility
This module has been tested to work on the following systems using Puppet v3 with Ruby versions 1.8.7, 1.9.3, 2.0.0 and 2.1.0.
- EL 5
- EL 6
- EL 7
- Solaris 9
- Solaris 10
- Solaris 11
- Suse 9
- Suse 10
- Suse 11
- Suse 12
- Ubuntu 12.04 LTS
EL no longer requires the redhat-lsb package.
===
Parameters
class pam
allowed_users
Array or Hash of strings and/or arrays to configure users and origins in access.conf. The default allows the root user/group from origin 'ALL'.
- Default: 'root'
Hiera example for allowed_users
This would create /etc/security/access.conf with the following content.
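An added example of Hiera data for allowed_users in hash form; it is constructed here and is not taken from the module's own documentation. It assumes each key is a user or group and each value is one origin or an array of origins, and the user names and addresses are placeholders.

```yaml
# Added example: constructed Hiera data, not from the module's README.
# Assumption: in hash form each key is a user or group and each value is
# one origin or an array of origins, as understood by access.conf(5).
pam::allowed_users:
  root: 'LOCAL'              # root only from local terminals
  ops:                       # constructed group with two origins
    - '192.0.2.0/24'
    - 'LOCAL'
  deploy: '192.0.2.10'       # constructed account, single host

# Keep pam_access at 'required' (the documented default) so that a denial
# from access.conf fails the PAM stack. With 'sufficient' or 'optional'
# a pam_access denial does not by itself reject the login.
pam::login_pam_access: 'required'
pam::sshd_pam_access: 'required'

# Rules this data is expected to correspond to, in access.conf(5) syntax
# (permission : users : origins). The literal rendering depends on
# access_conf_template:
#   + : root   : LOCAL
#   + : ops    : 192.0.2.0/24 LOCAL
#   + : deploy : 192.0.2.10
```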
login_pam_access
Control flag to be used for pam_access.so for login. Valid values are 'required', 'requisite', 'sufficient', 'optional' and 'absent'.
- Default: 'required'
sshd_pam_access
Control flag to be used for pam_access.so for sshd. Valid values are 'required', 'requisite', 'sufficient', 'optional' and 'absent'.
- Default: 'required'
limits_fragments
Hash of fragments to pass to pam::limits::fragments
- Default: undef
package_name
String or Array of packages providing the pam functionality. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
pam_conf_file
Path to pam.conf
- Default: '/etc/pam.conf'
pam_d_login_oracle_options
Allow array of extra lines at the bottom of pam.d/login for oracle systems on EL5.
- Default: UNSET
pam_d_login_path
PAM login path
- Default: '/etc/pam.d/login'
pam_d_login_owner
Owner of $pam_d_login_path
- Default: 'root'
pam_d_login_group
Group of $pam_d_login_path
- Default: 'root'
pam_d_login_mode
Mode of $pam_d_login_path
- Default: '0644'
pam_d_login_template
Content template of $pam_d_login_path. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
pam_d_sshd_path
PAM sshd path
- Default: '/etc/pam.d/sshd'
pam_d_sshd_owner
Owner of $pam_d_sshd_path
- Default: 'root'
pam_d_sshd_group
Group of $pam_d_sshd_path
- Default: 'root'
pam_d_sshd_mode
Mode of $pam_d_sshd_path
- Default: '0644'
pam_d_sshd_template
Content template of $pam_d_sshd_path. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
pam_auth_lines
Content for PAM auth. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
pam_account_lines
Content for PAM account. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
pam_password_lines
Content for PAM password. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
pam_session_lines
Content for PAM session. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
pam_d_other_file
Path to other. Used on Suse.
- Default: '/etc/pam.d/other'
common_auth_file
Path to common-auth. Used on Suse.
- Default: '/etc/pam.d/common-auth'
common_auth_pc_file
Path to common-auth-pc. Used on Suse.
- Default: '/etc/pam.d/common-auth-pc'
common_account_file
Path to common-account. Used on Suse.
- Default: '/etc/pam.d/common-account'
common_account_pc_file
Path to common-account-pc. Used on Suse.
- Default: '/etc/pam.d/common-account-pc'
common_password_file
Path to common-password. Used on Suse.
- Default: '/etc/pam.d/common-password'
common_password_pc_file
Path to common-password-pc. Used on Suse.
- Default: '/etc/pam.d/common-password-pc'
common_session_file
Path to common-session. Used on Suse.
- Default: '/etc/pam.d/common-session'
common_session_pc_file
Path to common-session-pc. Used on Suse.
- Default: '/etc/pam.d/common-session-pc'
common_session_noninteractive_file
Path to common-session-noninteractive, which is the same as common-session-pc used on Suse. Used on Ubuntu 12.04 LTS.
- Default: '/etc/pam.d/common-session-noninteractive'
system_auth_file
Path to system-auth. Used on RedHat.
- Default: '/etc/pam.d/system-auth'
system_auth_ac_file
Path to system-auth-ac. Used on RedHat.
- Default: '/etc/pam.d/system-auth-ac'
system_auth_ac_auth_lines
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
system_auth_ac_account_lines
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
system_auth_ac_password_lines
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
system_auth_ac_session_lines
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
===
define pam::accesslogin
Manages login access. See PAM_ACCESS(8).
Parameters for pam::accesslogin define
access_conf_path
Path to access.conf.
- Default: '/etc/security/access.conf'
access_conf_owner
Owner of access.conf.
- Default: 'root'
access_conf_group
Group of access.conf.
- Default: 'root'
access_conf_mode
Mode of access.conf.
- Default: '0644'
access_conf_template
Content template of access.conf.
- Default: 'pam/access.conf.erb'
===
class pam::limits
Manage PAM limits.conf
Parameters for pam::limits
config_file
Path to limits.conf
- Default: '/etc/security/limits.conf'
config_file_mode
Mode for config_file.
- Default: '0640'
limits_d_dir
Path to limits.d directory
- Default: '/etc/security/limits.d'
limits_d_dir_mode
Mode for limits_d_dir.
- Default: '0750'
purge_limits_d_dir
Boolean to purge the limits.d directory.
- Default: false
===
pam::limits::fragment define
Places a fragment in $limits_d_dir directory
Parameters for pam::limits::fragment
Source or list must be set.
source
String - Path to the fragment file, such as 'puppet:///modules/pam/limits.nproc'
- Default: 'UNSET'
list
Array of lines to add to the fragment file
===
pam::service
Manage PAM file for specific service
Usage
You can specify a hash to manage the services in Hiera.
Parameters for pam::service
pam_config_dir
Path to PAM files
- Default: '/etc/pam.d/'
content
Content of the PAM file for the service
===
Hiera example for limits_fragments
This would create /etc/security/limits.d/custom.conf with content
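An added example of Hiera data for limits_fragments; it is constructed here and is not the module's own. It assumes the hash key becomes the fragment name (so 'custom' yields custom.conf) and that pam::limits parameters are set through automatic parameter lookup; the limit values are placeholders.

```yaml
# Added example: constructed Hiera data, not from the module's README.
# Assumption: each key under limits_fragments is a fragment title and
# the fragment is written to <limits_d_dir>/<title>.conf.
pam::limits_fragments:
  custom:
    # 'list' is the pam::limits::fragment parameter documented above;
    # each entry is one limits.conf(5) line: <domain> <type> <item> <value>
    list:
      - '* soft nofile 2048'
      - '* hard nofile 8192'
      - '* hard core 0'      # no core dumps, which can expose process memory

# Purge fragments that Puppet does not manage, so a stray file dropped
# into limits.d cannot silently change limits. The default is false.
pam::limits::purge_limits_d_dir: true

# Expected content of /etc/security/limits.d/custom.conf:
#   * soft nofile 2048
#   * hard nofile 8192
#   * hard core 0
```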
2.0.0 - 2013-05-16 Garrett Honeycutt code@garretthoneycutt.com
- Rebirth of ghoneycutt/pam
Dependencies
- ghoneycutt/common (>= 1.0.2)
- ghoneycutt/nsswitch (>= 1.1.0)
- puppetlabs/stdlib (>= 3.2.0)
Copyright (C) 2010-2014 Garrett Honeycutt <code@garretthoneycutt.com>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
