pam module

This module manages PAM including accesslogin and limits.conf with functionality to create limits fragments for use in other modules.

===

Compatibility

This module has been tested to work on the following systems using Puppet v3 and Ruby 1.8.7

EL 5
EL 6
Solaris 10
Solaris 11
Suse 9
Suse 10
Suse 11
Ubuntu 12.04 LTS

===

Parameters

class pam

allowed_users

Array of users allowed to log in.

Default: root

limits_fragments

Hash of fragments to pass to pam::limits::fragments

Default: undef

package_name

Array of packages providing the pam functionality. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

pam_conf_file

Path to pam.conf

Default: '/etc/pam.conf'

pam_d_login_oracle_options

Allow array of extra lines at the bottom of pam.d/login for oracle systems on EL5.

Default: UNSET

pam_d_login_path

PAM login path

Default: '/etc/pam.d/login'

pam_d_login_owner

Owner of $pam_d_login_path

Default: 'root'

pam_d_login_group

Group of $pam_d_login_path

Default: 'root'

pam_d_login_mode

Mode of $pam_d_login_path

Default: '0644'

pam_d_login_template

Content template of $pam_d_login_path. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

pam_d_sshd_path

PAM sshd path

Default: '/etc/pam.d/sshd'

pam_d_sshd_owner

Owner of $pam_d_sshd_path

Default: 'root'

pam_d_sshd_group

Group of $pam_d_sshd_path

Default: 'root'

pam_d_sshd_mode

Mode of $pam_d_sshd_path

Default: '0644'

pam_d_sshd_template

Content template of $pam_d_sshd_path. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

pam_auth_lines

Content for PAM auth. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

pam_account_lines

Content for PAM account. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

pam_password_lines

Content for PAM password. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

pam_session_lines

Content for PAM session. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

pam_d_other_file

Path to other. Used on Suse.

Default: '/etc/pam.d/other'

common_auth_file

Path to common-auth. Used on Suse.

Default: '/etc/pam.d/common-auth'

common_auth_pc_file

Path to common-auth-pc. Used on Suse.

Default: '/etc/pam.d/common-auth-pc'

common_account_file

Path to common-account. Used on Suse.

Default: '/etc/pam.d/common-account'

common_account_pc_file

Path to common-account-pc. Used on Suse.

Default: '/etc/pam.d/common-account-pc'

common_password_file

Path to common-password. Used on Suse.

Default: '/etc/pam.d/common-password'

common_password_pc_file

Path to common-password-pc. Used on Suse.

Default: '/etc/pam.d/common-password-pc'

common_session_file

Path to common-session. Used on Suse.

Default: '/etc/pam.d/common-session'

common_session_pc_file

Path to common-session-pc. Used on Suse.

Default: '/etc/pam.d/common-session-pc'

common_session_noninteractive_file

Path to common-session-noninteractive, which is the same as common-session-pc used on Suse. Used on Ubuntu 12.04 LTS.

Default: '/etc/pam.d/common-session-noninteractive'

system_auth_file

Path to system-auth. Used on RedHat.

Default: '/etc/pam.d/system-auth'

system_auth_ac_file

Path to system-auth-ac. Used on RedHat.

Default: '/etc/pam.d/system-auth-ac'

system_auth_ac_auth_lines

Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

system_auth_ac_account_lines

Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

system_auth_ac_password_lines

Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

system_auth_ac_session_lines

Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.

Default: undef, default is set based on OS version

===

define pam::accesslogin

Manages login access See PAM_ACCESS(8)

Parameters for `pam::accesslogin` define

access_conf_path

Path to access.conf.

Default: '/etc/security/access.conf'

access_conf_owner

Owner of access.conf.

Default: 'root'

access_conf_group

Group of access.conf.

Default: 'root'

access_conf_mode

Mode of access.conf.

Default: '0644'

access_conf_template

Content template of access.conf.

Default: 'pam/access.conf.erb'

===

pam::limits define

Manage PAM limits.conf

Parameters for `pam::limits` define

config_file

Path to limits.conf

Default: '/etc/security/limits.conf'

limits_d_dir

Path to limits.d directory

Default: '/etc/security/limits.d'

===

pam::limits::fragment define

Places a fragment in $limits_d_dir directory

Parameters for `pam::limits::fragment`

Source or list must be set.

source

String - Path to the fragment file, such as 'puppet:///modules/pam/limits.nproc'

Default: 'UNSET'

list

Array of lines to add to the fragment file

===

pam::service

Manage PAM file for specific service

Usage

you can specify a hash for to manage the services in Hiera

pam::services:
  "sudo":
    content : "auth     required       pam_unix2.so"

Paramteters for `pam::service`

pam_config_dir

Path to PAM files

Default: '/etc/pam.d/'

content

Content of the PAM file for the service

===

Hiera example for limits_fragments

pam::limits_fragments:
  custom:
    list:
      - '* soft nofile 2048'
      - '* hard nofile 8192'
      - '* soft as 3145728'
      - '* hard as 4194304'
      - '* hard maxlogins 300'
      - '* soft cpu 720'
      - '* hard cpu 1440'

This would create /etc/security/limits.d/custom.conf with content

# This file is being maintained by Puppet.
# DO NOT EDIT
* soft nofile 2048
* hard nofile 8192
* soft as 3145728
* hard as 4194304
* hard maxlogins 300
* soft cpu 720
* hard cpu 1440

ScottDuckworth/puppet-pam

pam module

Compatibility

Parameters

class pam

allowed_users

limits_fragments

package_name

pam_conf_file

pam_d_login_oracle_options

pam_d_login_path

pam_d_login_owner

pam_d_login_group

pam_d_login_mode

pam_d_login_template

pam_d_sshd_path

pam_d_sshd_owner

pam_d_sshd_group

pam_d_sshd_mode

pam_d_sshd_template

pam_auth_lines

pam_account_lines

pam_password_lines

pam_session_lines

pam_d_other_file

common_auth_file

common_auth_pc_file

common_account_file

common_account_pc_file

common_password_file

common_password_pc_file

common_session_file

common_session_pc_file

common_session_noninteractive_file

system_auth_file

system_auth_ac_file

system_auth_ac_auth_lines

system_auth_ac_account_lines

system_auth_ac_password_lines

system_auth_ac_session_lines

define pam::accesslogin

Parameters for pam::accesslogin define

access_conf_path

access_conf_owner

access_conf_group

access_conf_mode

access_conf_template

pam::limits define

Parameters for pam::limits define

config_file

limits_d_dir

pam::limits::fragment define

Parameters for pam::limits::fragment

source

list

pam::service

Usage

Paramteters for pam::service

pam_config_dir

content

Hiera example for limits_fragments

Parameters for `pam::accesslogin` define

Parameters for `pam::limits` define

Parameters for `pam::limits::fragment`

Paramteters for `pam::service`