This module manages PAM including accesslogin and limits.conf with functionality to create limits fragments for use in other modules.
===
This module has been tested to work on the following systems using Puppet v3 with Ruby versions 1.8.7, 1.9.3, 2.0.0 and 2.1.0.
- EL 5
- EL 6
- EL 7
- Solaris 9
- Solaris 10
- Solaris 11
- Suse 9
- Suse 10
- Suse 11
- Suse 12
- OpenSuSE 13.1
- Ubuntu 12.04 LTS
- Ubuntu 14.04 LTS
EL no longer requires the redhat-lsb
package.
===
Array or Hash of strings and/or arrays to configure users and origins in access.conf. The default allows the root user/group from origin 'ALL'.
- Default: 'root'
# as an array where the origin for each is 'ALL' pam::allowed_users: - root - ops - devs
This would create /etc/security/access.conf with the following content.
# This file is being maintained by Puppet. # DO NOT EDIT # #allow only the groups listed + : root : ALL + : ops : ALL + : devs : ALL
# as a hash where the user/group can optionally specify the origin pam::allowed_users: 'username': 'username1': - 'cron' - 'tty0' 'username2': 'tty1'
This would create /etc/security/access.conf with the following content.
# This file is being maintained by Puppet. # DO NOT EDIT # #allow only the groups listed + : username : ALL + : username1 : cron tty0 + : username2 : tty1
Control module to be used for pam_access.so for login. Valid values are 'required', 'requisite', 'sufficient', 'optional' and 'absent'.
- Default: 'required'
Control module to be used for pam_access.so for sshd. Valid values are 'required', 'requisite', 'sufficient', 'optional' and 'absent'.
- Default: 'required'
Hash of fragments to pass to pam::limits::fragments
- Default: undef
Boolean to control merges of all found instances of pam::limits_fragments in Hiera. This is useful for specifying fragments at different levels of the hierarchy and having them all included in the catalog.
- Default: false
String or Array of packages providing the pam functionality. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Path to pam.conf
- Default: '/etc/pam.conf'
Allow array of extra lines at the bottom of pam.d/login for oracle systems on EL5.
- Default: UNSET
PAM login path
- Default: '/etc/pam.d/login'
Owner of $pam_d_login_path
- Default: 'root'
Group of $pam_d_login_path
- Default: 'root'
Mode of $pam_d_login_path
- Default: '0644'
Content template of $pam_d_login_path. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
PAM sshd path
- Default: '/etc/pam.d/sshd'
Owner of $pam_d_sshd_path
- Default: 'root'
Group of $pam_d_sshd_path
- Default: 'root'
Mode of $pam_d_sshd_path
- Default: '0644'
Content template of $pam_d_sshd_path. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
An ordered array of strings that define the content for PAM auth. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
An ordered array of strings that define the content for PAM account. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
An ordered array of strings that define the content for PAM password. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
An ordered array of strings that define the content for PAM session. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Path to other. Used on Suse.
- Default: '/etc/pam.d/other'
Path to common-auth. Used on Suse.
- Default: '/etc/pam.d/common-auth'
Path to common-auth-pc. Used on Suse.
- Default: '/etc/pam.d/common-auth-pc'
Path to common-account. Used on Suse.
- Default: '/etc/pam.d/common-account'
Path to common-account-pc. Used on Suse.
- Default: '/etc/pam.d/common-account-pc'
Path to common-password. Used on Suse.
- Default: '/etc/pam.d/common-password'
Path to common-password-pc. Used on Suse.
- Default: '/etc/pam.d/common-password-pc'
Path to common-session. Used on Suse.
- Default: '/etc/pam.d/common-session'
Path to common-session-pc. Used on Suse.
- Default: '/etc/pam.d/common-session-pc'
Path to common-session-noninteractive, which is the same as common-session-pc used on Suse. Used on Ubuntu 12.04 LTS.
- Default: '/etc/pam.d/common-session-noninteractive'
Path to system-auth. Used on RedHat.
- Default: '/etc/pam.d/system-auth'
Path to system-auth-ac. Used on RedHat.
- Default: '/etc/pam.d/system-auth-ac'
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
===
Manages login access See PAM_ACCESS(8)
Path to access.conf.
- Default: '/etc/security/access.conf'
Owner of access.conf.
- Default: 'root'
Group of access.conf.
- Default: 'root'
Mode of access.conf.
- Default: '0644'
Content template of access.conf.
- Default: 'pam/access.conf.erb'
===
Manage PAM limits.conf
Path to limits.conf
- Default: '/etc/security/limits.conf'
Mode for config_file.
- Default: '0640'
Ordered array of limits that should be placed into limits.conf. Useful for Suse 10 which does not use limits.d.
- Default: undef
String with source path to a limits.conf
- Default: undef
Path to limits.d directory
- Default: '/etc/security/limits.d'
Mode for limits_d_dir.
- Default: '0750'
Boolean to purge the limits.d directory.
- Default: false
===
Places a fragment in $limits_d_dir directory
Source or list must be set.
String with ensure attribute for the fragment file. Valid values are 'file', 'present' and 'absent'.
- Default: 'file'
String - Path to the fragment file, such as 'puppet:///modules/pam/limits.nproc'
- Default: 'UNSET'
Array of lines to add to the fragment file
- Default: undef
===
Manage PAM file for specific service. The pam::service
resource is reversible, so that any service that Puppet has locked using PAM can be unlocked by setting the resource ensure to absent and waiting for the next puppet run.
you can specify a hash for to manage the services in Hiera
pam::services: "sudo": content : "auth required pam_unix2.so"
Specifies if a PAM service file should (present
) or should not (absent
) exist. The default is set to 'present'
Path to PAM files
- Default: '/etc/pam.d/'
Content of the PAM file for the service. The content
and lines
parameters are mutually exclusive. Not setting either of these parameters will result in an empty service definition file.
Provides content for the PAM service file as an array of lines. The content
and lines
parameters are mutually exclusive. Not setting either of these parameters will result in an empty service definition file.
===
pam::limits_fragments: custom: list: - '* soft nofile 2048' - '* hard nofile 8192' - '* soft as 3145728' - '* hard as 4194304' - '* hard maxlogins 300' - '* soft cpu 720' - '* hard cpu 1440'
This would create /etc/security/limits.d/custom.conf with content
# This file is being maintained by Puppet. # DO NOT EDIT * soft nofile 2048 * hard nofile 8192 * soft as 3145728 * hard as 4194304 * hard maxlogins 300 * soft cpu 720 * hard cpu 1440