This module manages PAM, including pam_access rules for login and limits.conf, and provides functionality to create limits fragments for use in other modules.
===
This module has been tested to work on the following systems with Puppet v3 (with and without the future parser) and v4, using Ruby versions 1.8.7, 1.9.3, 2.0.0 and 2.1.9. Please see .travis.yml for the full matrix of versions.
- EL 5
- EL 6
- EL 7
- Solaris 9
- Solaris 10
- Solaris 11
- Suse 9
- Suse 10
- Suse 11
- Suse 12
- OpenSuSE 13.1
- Ubuntu 12.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 16.04 LTS
- Debian 7
- Debian 8
EL no longer requires the redhat-lsb package.
===
String, Array or Hash of strings and/or arrays to configure users and origins in access.conf. The default allows the root user/group from origin 'ALL'.
- Default: 'root'

```yaml
# as an array where the origin for each is 'ALL'
pam::allowed_users:
  - root
  - ops
  - devs
```

This would create /etc/security/access.conf with the following content.

```
# This file is being maintained by Puppet.
# DO NOT EDIT
#
#allow only the groups listed
+ : root : ALL
+ : ops : ALL
+ : devs : ALL
```

```yaml
# as a hash where the user/group can optionally specify the origin
pam::allowed_users:
  'username':
  'username1':
    - 'cron'
    - 'tty0'
  'username2': 'tty1'
```

This would create /etc/security/access.conf with the following content.

```
# This file is being maintained by Puppet.
# DO NOT EDIT
#
#allow only the groups listed
+ : username : ALL
+ : username1 : cron tty0
+ : username2 : tty1
```

Note that pam_access(8) grants access when no rule matches, so allow rules only restrict logins if the file also ends with a catch-all deny rule (- : ALL : ALL). Check the rendered file on a target host before relying on it.
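To see how pam_access(8) will interpret the generated file, here is a small rule evaluator. It is an added example and not part of this module: it models the subset of access.conf that the examples above use (ALL, user and group names, LOCAL, tty/host strings and EXCEPT) and reproduces pam_access's behaviour of granting access when no rule matches. The sample file is the second generated access.conf shown above, constructed inline; all function and variable names are my own. Group membership is passed in rather than looked up with getgrnam, and the netmask, domain-suffix, user@host and parenthesised-group forms are not modelled.

```python
"""Model of pam_access(8) rule evaluation, added here as an example (not part
of the pam module).  Supports the access.conf subset used on this page:
ALL, user names, group names, LOCAL, tty/host strings and EXCEPT.  Netmasks,
domain suffixes, user@host and "(group)" forms are not modelled."""


def parse_access_conf(text):
    """Return [(permission, user_tokens, origin_tokens)] for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def _list_match(tokens, matches):
    """pam_access list_match(): the first token that matches wins, unless a
    token after a following EXCEPT also matches (EXCEPT lists may nest)."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return False
        if matches(tok):
            rest = tokens[i + 1:]
            for j, t in enumerate(rest):
                if t.upper() == "EXCEPT":
                    return not _list_match(rest[j + 1:], matches)
            return True
    return False


def _user_matches(tok, user, groups):
    # ALL matches everyone; otherwise a user name or a group the user is in.
    return tok == "ALL" or tok == user or tok in groups


def _origin_matches(tok, origin):
    # LOCAL matches any origin without a '.' (a tty or unqualified host);
    # otherwise an exact, case-insensitive string match.
    if tok == "ALL":
        return True
    if tok.upper() == "LOCAL":
        return "." not in origin
    return tok.lower() == origin.lower()


def access_granted(rules, user, groups, origin):
    """First matching rule decides.  With no matching rule pam_access GRANTS
    access (login_access() returns 'match == NO || perm == +'), which is why
    an allow-list is only enforced when it ends with '- : ALL : ALL'."""
    for perm, users, origins in rules:
        if (_list_match(users, lambda t: _user_matches(t, user, groups))
                and _list_match(origins, lambda t: _origin_matches(t, origin))):
            return perm == "+"
    return True


# Constructed sample: the second access.conf shown above, then the same file
# with an explicit catch-all deny appended.
ALLOW_ONLY = """\
# This file is being maintained by Puppet.
# DO NOT EDIT
#
#allow only the groups listed
+ : username : ALL
+ : username1 : cron tty0
+ : username2 : tty1
"""
ALLOW_THEN_DENY = ALLOW_ONLY + "- : ALL : ALL\n"


def check_policy(text, probes):
    """Evaluate (user, groups, origin) probes; returns {(user, origin): bool}."""
    rules = parse_access_conf(text)
    return {(u, o): access_granted(rules, u, set(g), o) for u, g, o in probes}


if __name__ == "__main__":
    probes = [("username1", [], "tty0"), ("username1", [], "pts/3"),
              ("intruder", [], "10.0.0.5")]
    for name, text in (("allow only", ALLOW_ONLY), ("allow then deny", ALLOW_THEN_DENY)):
        print(name, check_policy(text, probes))
```

Running it shows the point of the caveat: with only the three allow lines, "intruder" from 10.0.0.5 and username1 from pts/3 are both granted because nothing matched them; appending the deny rule turns both into denials while the listed user/origin pairs keep working.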
Control flag to be used for pam_access.so in the login service. Valid values are 'required', 'requisite', 'sufficient', 'optional' and 'absent'. Keep 'required' (or 'requisite') unless you intend a pam_access match to short-circuit the remaining modules of that stack, which is what 'sufficient' does.
- Default: 'required'
Control flag to be used for pam_access.so in the sshd service. Valid values are 'required', 'requisite', 'sufficient', 'optional' and 'absent'.
- Default: 'required'
Hash of fragments to pass to pam::limits::fragments
- Default: undef
Boolean to control merges of all found instances of pam::limits_fragments in Hiera. This is useful for specifying fragments at different levels of the hierarchy and having them all included in the catalog.
- Default: false
String or Array of packages providing the pam functionality. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Path to pam.conf
- Default: '/etc/pam.conf'
Array of extra lines appended to the bottom of pam.d/login, intended for Oracle systems on EL5.
- Default: UNSET
PAM login path
- Default: '/etc/pam.d/login'
Owner of $pam_d_login_path
- Default: 'root'
Group of $pam_d_login_path
- Default: 'root'
Mode of $pam_d_login_path
- Default: '0644'
Content template of $pam_d_login_path. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
PAM sshd path
- Default: '/etc/pam.d/sshd'
Owner of $pam_d_sshd_path
- Default: 'root'
Group of $pam_d_sshd_path
- Default: 'root'
Mode of $pam_d_sshd_path
- Default: '0644'
Content template of $pam_d_sshd_path. If undef, parameter is set based on the OS version.
For cases where a full customization of the sshd PAM configuration is required, set pam_d_sshd_template to use pam/sshd.custom.erb that is provided with this module. pam/sshd.custom.erb must be further configured with the parameters pam_sshd_auth_lines, pam_sshd_account_lines, pam_sshd_password_lines and pam_sshd_session_lines. Note that the pam_d_sshd_template parameter is a no-op on Solaris.
- Default: undef, default is set based on OS version
An ordered array of strings that define the content for PAM sshd auth. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.
- Default: undef
An ordered array of strings that define the content for PAM sshd account. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.
- Default: undef
An ordered array of strings that define the content for PAM sshd password. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.
- Default: undef
An ordered array of strings that define the content for PAM sshd session. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.
- Default: undef
An ordered array of strings that define the content for PAM auth. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
An ordered array of strings that define the content for PAM account. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
An ordered array of strings that define the content for PAM password. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
An ordered array of strings that define the content for PAM session. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Path to other. Used on Suse.
- Default: '/etc/pam.d/other'
Path to common-auth. Used on Suse.
- Default: '/etc/pam.d/common-auth'
Path to common-auth-pc. Used on Suse.
- Default: '/etc/pam.d/common-auth-pc'
Path to common-account. Used on Suse.
- Default: '/etc/pam.d/common-account'
Path to common-account-pc. Used on Suse.
- Default: '/etc/pam.d/common-account-pc'
Path to common-password. Used on Suse.
- Default: '/etc/pam.d/common-password'
Path to common-password-pc. Used on Suse.
- Default: '/etc/pam.d/common-password-pc'
Path to common-session. Used on Suse.
- Default: '/etc/pam.d/common-session'
Path to common-session-pc. Used on Suse.
- Default: '/etc/pam.d/common-session-pc'
Path to common-session-noninteractive. Used on Ubuntu 12.04 LTS, where it plays the same role as common-session-pc on Suse.
- Default: '/etc/pam.d/common-session-noninteractive'
Path to system-auth. Used on RedHat.
- Default: '/etc/pam.d/system-auth'
Path to system-auth-ac. Used on RedHat.
- Default: '/etc/pam.d/system-auth-ac'
Array of lines for the auth section used in the content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Array of lines for the account section used in the content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Array of lines for the password section used in the content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Array of lines for the session section used in the content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Path to password-auth. Used on RedHat.
- Default: '/etc/pam.d/password-auth'
Path to password-auth-ac. Used on RedHat.
- Default: '/etc/pam.d/password-auth-ac'
Array of lines used in content template of $password_auth_ac_file. If undef, parameter is set based on defaults for the detected platform.
- Default: undef, default is set based on OS version
Array of lines used in content template of $password_auth_ac_file. If undef, parameter is set based on defaults for the detected platform.
- Default: undef, default is set based on OS version
Array of lines used in content template of $password_auth_ac_file. If undef, parameter is set based on defaults for the detected platform.
- Default: undef, default is set based on OS version
Array of lines used in content template of $password_auth_ac_file. If undef, parameter is set based on defaults for the detected platform.
- Default: undef, default is set based on OS version
===
Manages login access. See pam_access(8).
Path to access.conf.
- Default: '/etc/security/access.conf'
Owner of access.conf.
- Default: 'root'
Group of access.conf.
- Default: 'root'
Mode of access.conf.
- Default: '0644'
Content template of access.conf.
- Default: 'pam/access.conf.erb'
===
Manage PAM limits.conf
Path to limits.conf
- Default: '/etc/security/limits.conf'
Mode for config_file.
- Default: '0640'
Ordered array of limits that should be placed into limits.conf. Useful for Suse 10 which does not use limits.d.
- Default: undef
String with source path to a limits.conf
- Default: undef
Path to limits.d directory
- Default: '/etc/security/limits.d'
Mode for limits_d_dir.
- Default: '0750'
Boolean to purge the limits.d directory.
- Default: false
Boolean to manage the inclusion of the nsswitch class.
- Default: true
===
Places a fragment in the $limits_d_dir directory. Either source or list must be set.
String with ensure attribute for the fragment file. Valid values are 'file', 'present' and 'absent'.
- Default: 'file'
String - Path to the fragment file, such as 'puppet:///modules/pam/limits.nproc'
- Default: 'UNSET'
Array of lines to add to the fragment file
- Default: undef
===
Manage the PAM file for a specific service. The pam::service resource is reversible: any service that Puppet has locked down using PAM can be unlocked by setting the resource's ensure to absent and waiting for the next Puppet run.

You can specify a hash to manage the services in Hiera:

```yaml
pam::services:
  "sudo":
    content : "auth required pam_unix2.so"
```

Specifies whether a PAM service file should (`present`) or should not (`absent`) exist. The default is 'present'.
Path to PAM files
- Default: '/etc/pam.d/'
Content of the PAM file for the service. The `content` and `lines` parameters are mutually exclusive. Not setting either of these parameters will result in an empty service definition file. An empty file is not a safe default: Linux-PAM then falls back to the `other` service's stack for that service, so check what `other` permits before relying on it.
Provides content for the PAM service file as an array of lines. The `content` and `lines` parameters are mutually exclusive. Not setting either of these parameters will result in an empty service definition file.
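The per-type arrays (pam_sshd_auth_lines, pam_sshd_account_lines, pam_sshd_password_lines and pam_sshd_session_lines for the custom sshd template, or `lines` for pam::service) are easiest to get right by splitting an existing service file rather than typing them from scratch. The helper below is an added example, not code from this module: it parses the type, control and module fields of a Linux-PAM service file, groups the lines by type, and warns about unknown control flags, @include directives (which carry no type) and types that have no lines at all, since Linux-PAM then falls back to the 'other' service for that type. The sample sshd file is constructed inline in the style of an EL 7 /etc/pam.d/sshd; the function names are mine.

```python
"""Split a Linux-PAM service file into per-type line arrays, added here as an
example (not part of the pam module).  The arrays have the shape the
pam_sshd_*_lines parameters and pam::service's `lines` expect; the checks
flag what a per-type array cannot hold and what would fall through to 'other'."""
import re

TYPES = ("auth", "account", "password", "session")
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# type, then a keyword or "[value=action ...]" control, then the module and its args.
# A leading '-' tells Linux-PAM to skip the line silently if the module is missing.
LINE_RE = re.compile(
    r"^(?P<neg>-?)(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]+\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


def split_service(text):
    """Return ({type: [normalised line, ...]}, [warnings])."""
    stacks = {t: [] for t in TYPES}
    warnings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # comments and blanks
        if not line:
            continue
        if line.startswith("@include"):
            warnings.append("line %d: %r has no type and cannot go in a per-type array" % (n, line))
            continue
        m = LINE_RE.match(line)
        if m is None:
            warnings.append("line %d: unparsable: %r" % (n, raw))
            continue
        control = m.group("control")
        if not control.startswith("[") and control not in CONTROLS:
            warnings.append("line %d: unknown control flag %r" % (n, control))
        # collapse runs of whitespace so the arrays are tidy and comparable
        stacks[m.group("type")].append(" ".join(line.split()))
    for t in TYPES:
        if not stacks[t]:
            warnings.append("no %s lines: Linux-PAM falls back to the 'other' service for this type" % t)
    return stacks, warnings


def to_sshd_params(stacks):
    """Map the stacks onto the custom sshd template's parameter names."""
    return {"pam_sshd_%s_lines" % t: stacks[t] for t in TYPES}


# Constructed sample in the style of an EL 7 /etc/pam.d/sshd.
SSHD_FILE = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    required     pam_loginuid.so
-session   optional     pam_systemd.so
"""

if __name__ == "__main__":
    stacks, warnings = split_service(SSHD_FILE)
    for key, lines in to_sshd_params(stacks).items():
        print(key, lines)
    print("warnings:", warnings)
    # The one-line sudo example from this page leaves three types undefined.
    print(split_service("auth required pam_unix2.so\n")[1])
```

Fed the one-line `auth required pam_unix2.so` content from the Hiera example above, the helper reports that account, password and session are undefined, which is exactly the case where the `other` stack decides the outcome.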
===
```yaml
pam::limits_fragments:
  custom:
    list:
      - '* soft nofile 2048'
      - '* hard nofile 8192'
      - '* soft as 3145728'
      - '* hard as 4194304'
      - '* hard maxlogins 300'
      - '* soft cpu 720'
      - '* hard cpu 1440'
```

This would create /etc/security/limits.d/custom.conf with content

```
# This file is being maintained by Puppet.
# DO NOT EDIT
* soft nofile 2048
* hard nofile 8192
* soft as 3145728
* hard as 4194304
* hard maxlogins 300
* soft cpu 720
* hard cpu 1440
```
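Before shipping a fragment it is worth checking that it is internally consistent: pam_limits applies each value with setrlimit(2), and the kernel rejects a soft limit that is above its hard limit with EINVAL, so such a line silently fails to apply. The validator below is an added example and not part of this module. It parses the four-field limits.conf(5) syntax, rejects unknown items and types, and flags lines that set the same domain/type/item twice as well as soft-above-hard pairs. Both fragments are constructed inline: the first is the custom.conf content shown above, the second a deliberately broken one; the function names are mine.

```python
"""Validator for limits.conf(5)-style fragment lines, added here as an example
(not part of the pam module).  Checks syntax, duplicate settings and
soft-above-hard pairs, which setrlimit(2) rejects with EINVAL."""

ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu",
         "nproc", "as", "maxlogins", "maxsyslogins", "priority", "locks",
         "sigpending", "msgqueue", "nice", "rtprio"}
UNLIMITED = {"unlimited", "infinity", "-1"}
INF = float("inf")


def parse_limits(text):
    """Return [(domain, type, item, value)]; raise ValueError on bad syntax."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError("expected '<domain> <type> <item> <value>': %r" % raw)
        domain, ltype, item, value = fields
        if ltype not in ("soft", "hard", "-"):
            raise ValueError("bad type %r (want soft, hard or -): %r" % (ltype, raw))
        if item not in ITEMS:
            raise ValueError("unknown item %r: %r" % (item, raw))
        entries.append((domain, ltype, item, value))
    return entries


def _numeric(value):
    """Limit as a number; the unlimited spellings become +inf so comparisons work."""
    return INF if value in UNLIMITED else int(value)


def check_limits(text):
    """Return a list of problem strings; an empty list means the fragment is
    well-formed and internally consistent."""
    problems = []
    seen = {}                                  # (domain, item) -> {type: value}
    for domain, ltype, item, value in parse_limits(text):
        try:
            num = _numeric(value)
        except ValueError:
            problems.append("%s %s %s: non-numeric value %r" % (domain, ltype, item, value))
            continue
        lim = seen.setdefault((domain, item), {})
        # '-' sets both the soft and the hard limit at once
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            if t in lim:
                problems.append("%s %s %s set more than once; pam_limits keeps the last line"
                                % (domain, t, item))
            lim[t] = num
    for (domain, item), lim in sorted(seen.items()):
        if "soft" in lim and "hard" in lim and lim["soft"] > lim["hard"]:
            problems.append("%s %s: soft %s exceeds hard %s, setrlimit(2) would fail with EINVAL"
                            % (domain, item, lim["soft"], lim["hard"]))
    return problems


# Constructed samples: the custom.conf content shown above, and a broken fragment.
GOOD_FRAGMENT = """\
# This file is being maintained by Puppet.
# DO NOT EDIT
* soft nofile 2048
* hard nofile 8192
* soft as 3145728
* hard as 4194304
* hard maxlogins 300
* soft cpu 720
* hard cpu 1440
"""
BAD_FRAGMENT = """\
* soft nofile 8192
* hard nofile 2048
@ops hard nproc unlimited
@ops soft nproc 4096
bob - core 0
bob hard core 0
"""

if __name__ == "__main__":
    for name, frag in (("good", GOOD_FRAGMENT), ("bad", BAD_FRAGMENT)):
        print(name, check_limits(frag) or "OK")
```

The good fragment passes cleanly; the broken one reports the swapped nofile pair and the doubled `bob hard core` line, while the `@ops` pair is accepted because a soft value below an unlimited hard value is fine.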