Installation and config for pam_oath rpm




470 latest version

4.8 quality score

Version information

  • 0.2.0 (latest)
  • 0.1.1
released Nov 30th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
  • Puppet >= 5.0.0 < 7.0.0
  • CentOS

Start using this module

Tags: simp, oath, totp


simp/oath — version 0.2.0 Nov 30th 2020

License CII Best Practices Puppet Forge Puppet Forge Downloads Build Status

Table of Contents


By default, this module will only install oathtool, a command line utility for generating one-time passwords.

Optionally, this module will install the pam_oath and liboath packages from EPEL and configure them. In this case, this module will manage the configuration for these packages, including users, keys and exclusions.

See REFERENCE.md for more details.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they may be submitted to our bug tracker.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
  • If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.


What oath affects

If configured to install pam_oath, will install the following packages

  • pam_oath Will add /usr/lib64/security/pam_oath.so
  • liboath
  • pam (A dependency of pam_oath)

Will manage files in /etc/liboath

WARNING: While this module will not edit the PAM stack, it will manage the users and keys required for pam_oath.so module functionality. If the PAM stack is modified to utilize this module, only users in /etc/liboath/users.oath or those who fall under an exclude will be able to authenticate.

Beginning with oath

include 'oath'


include 'oath'

For anything other than a simple installation of oathtool, either simp_options::oath needs to be set to true or oath::pam_oath needs to be overridden to true. simp_options::oath is a global catalyst indicating to other simp modules (pupmod-simp-ssh and pupmod-simp-pam) that they should add pam_oath to their respective pam stacks (system-auth and sshd). On the other hand, just enabling oath::pam_oath will tell oath to install pam_oath and liboath from the epel_release repository, as well as write the appropriate configuration files to the /etc/liboath/ directory.

A default list of users for which TOTP keys are configured is defined in data/common.yaml for the module. More details about this can be found in the documentation of manifests/config.pp. This can be modified in place or overridden in puppet or Hiera.

For implementation without the corresponding simp modules, the following code can be added to most PAM stacks.

WARNING: Modifying the PAM stack is very dangerous and should not be done on a production system without prior testing. Please take appropriate care to not lock yourself out of the system you are modifying.

auth [success=3 default=ignore] pam_listfile.so item=group sense=allow file=/etc/liboath/exclude_groups.oath
auth [success=2 default=ignore] pam_listfile.so item=user sense=allow file=/etc/liboath/exclude_users.oath
auth [success=1 default=bad] pam_oath.so usersfile=/etc/liboath/users.oath window=1
auth requisite pam_deny.so


Currently, while the pam_oath package supports HOTP as well as TOTP, this module only supports TOTP configuration. HOTP can be configured to work by setting oath::oath_users to undef, which will lead to /etc/liboath/users.oath no longer being managed by puppet. This keeps the last HOTP code from being overwritten, as pam_oath uses the config file to keep track of this data.

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.


Please read our Contribution Guide.

Acceptance tests

As use of this module by itself should not affect the operation of a system, this module contains only a basic acceptance test. The spec tests are much more representative of the functionality of this module.