REFERENCE.md

File metadata and controls

1288 lines (738 loc) · 32.1 KB

Reference

Table of Contents

Classes

  • pam: This module manages PAM.
  • pam::accesslogin: Manage login access. See PAM_ACCESS(8).
  • pam::faillock: Manage faillock.conf.
  • pam::limits: Manage PAM limits.conf.
  • pam::pwquality: Manage pwquality.conf.

Defined types

  • pam::limits::fragment: Places a fragment in the $limits_d_dir directory. One of the parameters source or list must be set.
  • pam::service: Manage the PAM file for a specific service. The pam::service resource is reversible, so a service that Puppet has locked using PAM can be unlocked by setting ensure to absent.

Classes

pam

This module manages PAM.

Examples

Declaring the class
include pam

Parameters

The following parameters are available in the pam class:

allowed_users

Data type: Variant[Array, Hash, String]

A String or Array of user or group names (allowed from any origin, as the default shows for root), or a Hash mapping each user or group to one origin or an array of origins, used to build access.conf. The default allows the root user/group from origin 'ALL'.

Default value: 'root'

manage_accesslogin

Data type: Boolean

Boolean to manage the inclusion of the pam::accesslogin class. Set to false if /etc/security/access.conf is managed externally.

Default value: true

login_pam_access

Data type: Enum['absent', 'optional', 'required', 'requisite', 'sufficient']

Control flag for the pam_access.so line in the login service file. Valid values are 'required', 'requisite', 'sufficient', 'optional' and 'absent'; 'absent' leaves the line out.

Default value: 'required'

sshd_pam_access

Data type: Enum['absent', 'optional', 'required', 'requisite', 'sufficient']

Control flag for the pam_access.so line in the sshd service file. Valid values are 'required', 'requisite', 'sufficient', 'optional' and 'absent'; 'absent' leaves the line out.

Default value: 'required'
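As an added example, not taken from the module's own documentation, the following profile uses the hash form of allowed_users together with the two pam_access control flags to restrict who may log in and from where. The user and group names, the network prefix and the origin strings are assumptions chosen for illustration; the origins are written exactly as access.conf(5) / PAM_ACCESS(8) expects them.

```puppet
# Added example (not module code): restrict console and SSH logins with
# pam_access. Names and networks are illustrative assumptions.
class profile::pam_access {
  class { 'pam':
    # Hash form: each key is a user or group name from access.conf, each
    # value is one origin or a list of origins. Everything not listed is
    # refused once pam_access is 'required' in the stack.
    allowed_users => {
      'root'       => ['LOCAL', '10.20.0.0/24'], # console and bastion net only
      '(sysadmin)' => 'ALL',                     # parentheses: group only
      'deploy'     => ['10.20.0.15'],            # CI runner host only
    },
    # Make the pam_access.so line mandatory in both templated service files.
    login_pam_access => 'required',
    sshd_pam_access  => 'required',
    # access.conf must actually be written for the rules above to exist.
    manage_accesslogin => true,
  }
}
```

Two checks before trusting this: a bare name in access.conf matches either a user or a group of that name, so enclose group names in parentheses when the name could also be an account; and the module's access.conf template is assumed here to close with a deny-all rule, so read the rendered /etc/security/access.conf and keep an existing root session open while testing a fresh ssh login from an origin you expect to be refused.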

limits_fragments

Data type: Optional[Hash]

Hash of fragments to pass to the pam::limits::fragment defined type; each key is the fragment name and each value is that fragment's parameter hash.

Default value: undef

limits_fragments_hiera_merge

Data type: Boolean

Boolean to control merges of all found instances of pam::limits_fragments in Hiera. This is useful for specifying fragments at different levels of the hierarchy and having them all included in the catalog.

Default value: false

manage_faillock

Data type: Boolean

Controls whether to include the pam::faillock class, which manages faillock.conf.

Default value: false

manage_pwquality

Data type: Boolean

Controls whether to include the pam::pwquality class, which manages pwquality.conf and pwquality.conf.d.

Default value: false

package_name

Data type: Optional[Variant[Array, String]]

String or Array of packages providing the pam functionality. If undef, parameter is set based on the OS version.

Default value: undef

pam_conf_file

Data type: Stdlib::Absolutepath

Absolute path to pam.conf.

Default value: '/etc/pam.conf'

services

Data type: Optional[Hash]

Hash of pam::service entries to be created.

Default value: undef

pam_d_login_oracle_options

Data type: Array

Array of extra lines appended to the bottom of pam.d/login on Oracle systems running EL5.

Default value: []

pam_d_login_path

Data type: Stdlib::Absolutepath

Absolute path to PAM login file.

Default value: '/etc/pam.d/login'

pam_d_login_owner

Data type: String

Owner of $pam_d_login_path.

Default value: 'root'

pam_d_login_group

Data type: String

Group of $pam_d_login_path.

Default value: 'root'

pam_d_login_mode

Data type: Stdlib::Filemode

Mode of $pam_d_login_path.

Default value: '0644'

pam_d_login_template

Data type: Optional[String]

Content template of $pam_d_login_path. If undef, parameter is set based on the OS version.

Default value: undef

pam_d_sshd_path

Data type: Stdlib::Absolutepath

Absolute path to the PAM sshd file.

Default value: '/etc/pam.d/sshd'

pam_d_sshd_owner

Data type: String

Owner of $pam_d_sshd_path.

Default value: 'root'

pam_d_sshd_group

Data type: String

Group of $pam_d_sshd_path.

Default value: 'root'

pam_d_sshd_mode

Data type: Stdlib::Filemode

Mode of $pam_d_sshd_path.

Default value: '0644'

pam_d_sshd_template

Data type: Optional[String]

Content template of $pam_d_sshd_path. If undef, the template is chosen based on the OS version. For cases where a full customization of the sshd PAM configuration is required, set pam_d_sshd_template to 'pam/sshd.custom.erb', which is provided with this module. That template takes its content entirely from the parameters pam_sshd_auth_lines, pam_sshd_account_lines, pam_sshd_password_lines and pam_sshd_session_lines, all of which must then be set. Note that pam_d_sshd_template is a no-op on Solaris.

Default value: undef

pam_sshd_auth_lines

Data type: Optional[Array]

An ordered array of strings that define the content for PAM sshd auth. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.

Default value: undef

pam_sshd_account_lines

Data type: Optional[Array]

An ordered array of strings that define the content for PAM sshd account. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.

Default value: undef

pam_sshd_password_lines

Data type: Optional[Array]

An ordered array of strings that define the content for PAM sshd password. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.

Default value: undef

pam_sshd_session_lines

Data type: Optional[Array]

An ordered array of strings that define the content for PAM sshd session. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.

Default value: undef
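An added example (not code shipped with the module) of driving pam/sshd.custom.erb with the four pam_sshd_*_lines arrays. The line contents model an EL-style sshd stack with an explicit pam_access.so entry added to the account phase; they are an assumption for illustration and must be adapted to the distribution in use.

```puppet
# Added example (not module code): a fully custom /etc/pam.d/sshd. The
# stack below is modelled on EL defaults and is an assumption; adapt it.
class profile::pam_sshd_custom {
  class { 'pam':
    pam_d_sshd_template     => 'pam/sshd.custom.erb',
    pam_sshd_auth_lines     => [
      'auth       substack     password-auth',
      'auth       include      postlogin',
    ],
    pam_sshd_account_lines  => [
      # With a custom template the sshd_pam_access flag is not consulted
      # (assumption), so pam_access is written here explicitly.
      'account    required     pam_access.so',
      'account    required     pam_sepermit.so',
      'account    required     pam_nologin.so',
      'account    include      password-auth',
    ],
    pam_sshd_password_lines => [
      'password   include      password-auth',
    ],
    pam_sshd_session_lines  => [
      'session    required     pam_selinux.so close',
      'session    required     pam_loginuid.so',
      'session    required     pam_selinux.so open env_params',
      'session    required     pam_namespace.so',
      'session    optional     pam_keyinit.so force revoke',
      'session    optional     pam_motd.so',
      'session    include      password-auth',
      'session    include      postlogin',
    ],
  }
}
```

Two points matter here. First, sshd with UsePAM yes runs only the account and session phases for public-key logins, so an access.conf rule placed in the account phase applies to key-based logins too, whereas anything in the auth phase does not. Second, a typo in any of these arrays can leave every new SSH session refused: apply the change with an existing session open, confirm a fresh login works, and only then disconnect.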

pam_auth_lines

Data type: Optional[Array]

An ordered array of strings that define the content for PAM auth. If undef, parameter is set based on the OS version.

Default value: undef

pam_account_lines

Data type: Optional[Array]

An ordered array of strings that define the content for PAM account. If undef, parameter is set based on the OS version.

Default value: undef

pam_password_lines

Data type: Optional[Array]

An ordered array of strings that define the content for PAM password. If undef, parameter is set based on the OS version.

Default value: undef

pam_session_lines

Data type: Optional[Array]

An ordered array of strings that define the content for PAM session. If undef, parameter is set based on the OS version.

Default value: undef

other_file

Data type: Stdlib::Absolutepath

Path to PAM other file. Used on Suse 9 and Solaris.

Default value: '/etc/pam.d/other'

common_auth_file

Data type: Stdlib::Absolutepath

Path to PAM common-auth file. Used on Debian/Ubuntu and Suse.

Default value: '/etc/pam.d/common-auth'

common_auth_pc_file

Data type: Stdlib::Absolutepath

Path to PAM common-auth-pc file. Used on Suse.

Default value: '/etc/pam.d/common-auth-pc'

common_account_file

Data type: Stdlib::Absolutepath

Path to PAM common-account file. Used on Suse.

Default value: '/etc/pam.d/common-account'

common_account_pc_file

Data type: Stdlib::Absolutepath

Path to PAM common-account-pc file. Used on Suse.

Default value: '/etc/pam.d/common-account-pc'

common_password_file

Data type: Stdlib::Absolutepath

Path to PAM common-password file. Used on Suse.

Default value: '/etc/pam.d/common-password'

common_password_pc_file

Data type: Stdlib::Absolutepath

Path to PAM common-password-pc file. Used on Suse.

Default value: '/etc/pam.d/common-password-pc'

common_session_file

Data type: Stdlib::Absolutepath

Path to PAM common-session file. Used on Suse.

Default value: '/etc/pam.d/common-session'

common_session_pc_file

Data type: Stdlib::Absolutepath

Path to PAM common-session-pc file. Used on Suse.

Default value: '/etc/pam.d/common-session-pc'

common_session_noninteractive_file

Data type: Stdlib::Absolutepath

Path to PAM common-session-noninteractive file, which plays the same role as common-session-pc on Suse. Used on Ubuntu 12.04 LTS.

Default value: '/etc/pam.d/common-session-noninteractive'

system_auth_file

Data type: Stdlib::Absolutepath

Path to PAM system-auth file. Used on RedHat.

Default value: '/etc/pam.d/system-auth'

system_auth_ac_file

Data type: Stdlib::Absolutepath

Path to PAM system-auth-ac file. Used on RedHat.

Default value: '/etc/pam.d/system-auth-ac'

password_auth_file

Data type: Stdlib::Absolutepath

Path to PAM password-auth file. Used on RedHat.

Default value: '/etc/pam.d/password-auth'

password_auth_ac_file

Data type: Stdlib::Absolutepath

Path to PAM password-auth-ac file. Used on RedHat.

Default value: '/etc/pam.d/password-auth-ac'

pam_password_auth_lines

Data type: Optional[Array]

Array of lines for the auth section of $password_auth_ac_file. If undef, the default for the detected platform is used.

Default value: undef

pam_password_account_lines

Data type: Optional[Array]

Array of lines for the account section of $password_auth_ac_file. If undef, the default for the detected platform is used.

Default value: undef

pam_password_password_lines

Data type: Optional[Array]

Array of lines for the password section of $password_auth_ac_file. If undef, the default for the detected platform is used.

Default value: undef

pam_password_session_lines

Data type: Optional[Array]

Array of lines for the session section of $password_auth_ac_file. If undef, the default for the detected platform is used.

Default value: undef

manage_nsswitch

Data type: Boolean

Boolean to manage the inclusion of the nsswitch class.

Default value: true

common_files

Data type: Array

Private, do not specify. Manages the PAM files whose entries match existing template names. The common_files* parameters are used internally to specify which files and names are needed; the data comes from the module's Hiera data in data/os/.

Default value: []

common_files_create_links

Data type: Boolean

Private, do not specify. If true, then symlinks are created from the suffixed files to the originals without the suffix.

Default value: false

common_files_suffix

Data type: Optional[String]

Suffix added to the common_files entries for the filename.

Default value: undef

pam::accesslogin

Manage login access. See PAM_ACCESS(8).

Examples

This class is included by the pam class when manage_accesslogin is true, on platforms which use it.

Parameters

The following parameters are available in the pam::accesslogin class:

access_conf_path

Data type: Stdlib::Absolutepath

Path to access.conf.

Default value: '/etc/security/access.conf'

access_conf_owner

Data type: String

Owner of access.conf.

Default value: 'root'

access_conf_group

Data type: String

Group of access.conf.

Default value: 'root'

access_conf_mode

Data type: Stdlib::Filemode

Mode of access.conf.

Default value: '0644'

access_conf_template

Data type: String

Content template of access.conf.

Default value: 'pam/access.conf.erb'

allowed_users

Data type: Variant[Array, Hash, String]

String, Array or Hash of strings and/or arrays to configure users and origins in access.conf. The default allows the root user/group from origin 'ALL'.

Default value: $pam::allowed_users

pam::faillock

Manage faillock.conf

Parameters

The following parameters are available in the pam::faillock class:

config_file

Data type: Stdlib::Absolutepath

The faillock config path

Default value: '/etc/security/faillock.conf'

config_file_owner

Data type: String[1]

The faillock config owner

Default value: 'root'

config_file_group

Data type: String[1]

The faillock config group

Default value: 'root'

config_file_mode

Data type: Stdlib::Filemode

The faillock config mode

Default value: '0644'

config_file_template

Data type: String[1]

The faillock config template

Default value: 'pam/faillock.conf.erb'

config_file_source

Data type: Optional[Stdlib::Filesource]

The faillock config source

Default value: undef

dir

Data type: Stdlib::Absolutepath

The faillock 'dir' config option

Default value: '/var/run/faillock'

audit_enabled

Data type: Optional[Boolean]

The faillock 'audit' config option

Default value: undef

silent

Data type: Optional[Boolean]

The faillock 'silent' config option

Default value: undef

no_log_info

Data type: Optional[Boolean]

The faillock 'no_log_info' config option

Default value: undef

local_users_only

Data type: Optional[Boolean]

The faillock 'local_users_only' config option

Default value: undef

deny

Data type: Integer[0]

The faillock 'deny' config option

Default value: 3

fail_interval

Data type: Integer[0]

The faillock 'fail_interval' config option

Default value: 900

unlock_time

Data type: Integer[0]

The faillock 'unlock_time' config option

Default value: 600

even_deny_root

Data type: Optional[Boolean]

The faillock 'even_deny_root' config option

Default value: undef

root_unlock_time

Data type: Integer[0]

The faillock 'root_unlock_time' config option

Default value: $unlock_time

admin_group

Data type: Optional[String[1]]

The faillock 'admin_group' config option

Default value: undef
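An added example, not from the module's documentation, of an account-lockout policy expressed through pam::faillock. The thresholds are illustrative assumptions. It also assumes that the pam class reaches pam::faillock with a plain include when manage_faillock is true, which is why the resource-like declaration of pam::faillock comes first.

```puppet
# Added example (not module code): lockout policy via faillock.conf.
# All numbers are assumptions; tune them to your own policy.
class profile::pam_faillock {
  # Resource-like declaration first, so the parameters are in place when
  # the pam class includes pam::faillock (assumption about include order).
  class { 'pam::faillock':
    deny             => 5,     # lock after 5 consecutive failures ...
    fail_interval    => 900,   # ... that occur within 15 minutes
    unlock_time      => 600,   # auto-unlock after 10 minutes
    even_deny_root   => true,  # root is locked out as well ...
    root_unlock_time => 60,    # ... but recovers after one minute
    audit_enabled    => true,  # log the user name even when unknown
    local_users_only => true,  # do not track accounts from NSS/LDAP
  }
  class { 'pam':
    manage_faillock => true,
  }
}
```

faillock.conf is only consulted if pam_faillock.so is present in the auth and account stacks; confirm with grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth. Inspect and clear the state of a locked account with faillock --user NAME and faillock --user NAME --reset. Because the data types accept 0, note that unlock_time => 0 means the account never unlocks on its own; combined with even_deny_root => true that can lock root out until someone with another path to the host runs faillock --reset.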

pam::limits

Manage PAM limits.conf

Examples

This class is included by the pam class for platforms which use it.

Parameters

The following parameters are available in the pam::limits class:

config_file

Data type: Stdlib::Absolutepath

Path to limits.conf.

Default value: '/etc/security/limits.conf'

config_file_mode

Data type: Stdlib::Filemode

Mode for config_file.

Default value: '0640'

config_file_lines

Data type: Optional[Array]

Ordered array of limits that should be placed into limits.conf. Useful for Suse 10 which does not use limits.d.

Default value: undef

config_file_source

Data type: Optional[String]

String with source path to a limits.conf

Default value: undef

limits_d_dir

Data type: Stdlib::Absolutepath

Path to limits.d directory.

Default value: '/etc/security/limits.d'

limits_d_dir_mode

Data type: Stdlib::Filemode

Mode for limits_d_dir.

Default value: '0750'

purge_limits_d_dir

Data type: Boolean

Boolean to purge the limits.d directory.

Default value: false

purge_limits_d_dir_ignore

Data type: Optional[Variant[String[1], Array[String[1]]]]

A glob or array of file names to ignore when purging limits.d

Default value: undef

pam::pwquality

Manage pwquality.conf

Examples

This class is included by the pam class when manage_pwquality is true.

Parameters

The following parameters are available in the pam::pwquality class:

config_file

Data type: Stdlib::Absolutepath

Path to pwquality.conf.

Default value: '/etc/security/pwquality.conf'

config_file_owner

Data type: String[1]

Owner for pwquality.conf

Default value: 'root'

config_file_group

Data type: String[1]

Group for pwquality.conf

Default value: 'root'

config_file_mode

Data type: Stdlib::Filemode

Mode for config_file.

Default value: '0644'

config_file_source

Data type: Optional[Stdlib::Filesource]

String with source path to a pwquality.conf

Default value: undef

config_file_template

Data type: String[1]

Template to render pwquality.conf

Default value: 'pam/pwquality.conf.erb'

config_d_dir

Data type: Stdlib::Absolutepath

Path to pwquality.conf.d directory.

Default value: '/etc/security/pwquality.conf.d'

config_d_dir_owner

Data type: String[1]

Owner for pwquality.conf.d

Default value: 'root'

config_d_dir_group

Data type: String[1]

Group for pwquality.conf.d

Default value: 'root'

config_d_dir_mode

Data type: Stdlib::Filemode

Mode for pwquality.conf.d

Default value: '0755'

purge_config_d_dir

Data type: Boolean

Boolean to purge the pwquality.conf.d directory.

Default value: true

purge_config_d_dir_ignore

Data type: Optional[Variant[String[1], Array[String[1]]]]

A glob or array of file names to ignore when purging pwquality.conf.d

Default value: undef

difok

Data type: Integer[0]

The pwquality.conf 'difok' option

Default value: 1

minlen

Data type: Integer[6]

The pwquality.conf 'minlen' option

Default value: 8

dcredit

Data type: Integer

The pwquality.conf 'dcredit' option

Default value: 0

ucredit

Data type: Integer

The pwquality.conf 'ucredit' option

Default value: 0

lcredit

Data type: Integer

The pwquality.conf 'lcredit' option

Default value: 0

ocredit

Data type: Integer

The pwquality.conf 'ocredit' option

Default value: 0

minclass

Data type: Integer[0]

The pwquality.conf 'minclass' option

Default value: 0

maxrepeat

Data type: Integer[0]

The pwquality.conf 'maxrepeat' option

Default value: 0

maxsequence

Data type: Integer[0]

The pwquality.conf 'maxsequence' option

Default value: 0

maxclassrepeat

Data type: Integer[0]

The pwquality.conf 'maxclassrepeat' option

Default value: 0

gecoscheck

Data type: Integer[0]

The pwquality.conf 'gecoscheck' option

Default value: 0

dictcheck

Data type: Integer[0]

The pwquality.conf 'dictcheck' option

Default value: 1

usercheck

Data type: Integer[0]

The pwquality.conf 'usercheck' option

Default value: 1

usersubstr

Data type: Integer[0]

The pwquality.conf 'usersubstr' option

Default value: 0

enforcing

Data type: Integer[0]

The pwquality.conf 'enforcing' option

Default value: 1

badwords

Data type: Optional[Array[String[1]]]

The pwquality.conf 'badwords' option

Default value: undef

dictpath

Data type: Optional[Stdlib::Absolutepath]

The pwquality.conf 'dictpath' option

Default value: undef

retry

Data type: Integer[0]

The pwquality.conf 'retry' option

Default value: 1

enforce_for_root

Data type: Optional[Boolean]

The pwquality.conf 'enforce_for_root' option

Default value: undef

local_users_only

Data type: Optional[Boolean]

The pwquality.conf 'local_users_only' option

Default value: undef
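An added example (not module code) of a password-complexity policy written against the pam::pwquality parameters. The values are assumptions for illustration; the comments explain the parts of pwquality.conf semantics that most often surprise people, namely the sign of the *credit options. As with the faillock example, the resource-like declaration precedes the pam class on the assumption that pam includes pam::pwquality.

```puppet
# Added example (not module code): password policy via pwquality.conf.
# Values are illustrative assumptions, not recommendations for every site.
class profile::pam_pwquality {
  class { 'pam::pwquality':
    minlen           => 14,   # effective minimum length after credits
    # A negative credit is a minimum count of that class; a positive one
    # only awards length credit toward minlen. -1 here means "at least one".
    dcredit          => -1,
    ucredit          => -1,
    lcredit          => -1,
    ocredit          => -1,
    minclass         => 3,    # independent of credits: 3 of the 4 classes
    maxrepeat        => 3,    # no more than 3 identical chars in a row
    maxclassrepeat   => 4,    # no more than 4 chars of one class in a row
    difok            => 4,    # at least 4 chars differ from old password
    dictcheck        => 1,    # reject dictionary words (cracklib)
    usercheck        => 1,    # reject passwords containing the user name
    gecoscheck       => 1,    # ... or words from the GECOS field
    badwords         => ['example', 'corpname'], # site-specific words
    enforce_for_root => true, # root gets an error, not just a warning
    retry            => 3,
  }
  class { 'pam':
    manage_pwquality => true,
  }
}
```

The settings only matter if pam_pwquality.so sits in the password stack, which is the case on EL7 and later by default. Test candidate passwords before rollout with echo 'candidate' | pwscore, which applies the same configuration and prints a score or the reason for rejection. Note that purge_config_d_dir defaults to true, so drop-in files placed in pwquality.conf.d by other tooling are removed unless named in purge_config_d_dir_ignore.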

Defined types

pam::limits::fragment

Places a fragment in the $limits_d_dir directory. One of the parameters source or list must be set.

Examples

pam::limits::fragment { 'nproc':
  source => 'puppet:///modules/pam/limits.nproc',
}

Parameters

The following parameters are available in the pam::limits::fragment defined type:

ensure

Data type: Enum['file', 'present', 'absent']

Ensure attribute for the fragment file.

Default value: 'file'

source

Data type: Optional[String]

Path to the fragment file, such as 'puppet:///modules/pam/limits.nproc'

Default value: undef

list

Data type: Optional[Array]

Array of lines to add to the fragment file.

Default value: undef
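An added example (not module code) that serves both the limits_fragments parameter of the pam class and the pam::limits::fragment defined type: one fragment is passed through the hash, the other is declared directly with list. The fragment names, limits and the assumption that the module writes each fragment as <name>.conf under limits_d_dir are illustrative.

```puppet
# Added example (not module code): limits.d fragments for process counts
# and core dumps. Numbers are assumptions; file naming is assumed to be
# "<fragment name>.conf" inside limits_d_dir.
class profile::pam_limits {
  class { 'pam':
    # Hash form: keys are fragment names, values are the parameters of
    # pam::limits::fragment.
    limits_fragments => {
      'nproc' => {
        list => [
          '# fork-bomb guard for ordinary users',
          '*     soft nproc 4096',
          '*     hard nproc 8192',
          # wildcard and group entries never apply to root; name it.
          'root  soft nproc unlimited',
          'root  hard nproc unlimited',
        ],
      },
    },
  }

  # Same defined type declared directly. Core files can contain secrets
  # that were only ever in memory, so disable them for everyone.
  pam::limits::fragment { 'nocore':
    list => [
      '*     hard core 0',
      'root  hard core 0',
    ],
  }

  # Removing a fragment later is just ensure => absent.
  pam::limits::fragment { 'legacy-memlock':
    ensure => 'absent',
  }
}
```

Three things to keep in mind. pam_limits reads limits.conf first and then the *.conf files in limits.d in alphabetical order, and for the same domain and item the last line read wins, so the fragment name decides precedence. Wildcard and group entries are not applied to root, which is why root is listed explicitly above. These limits take effect only for sessions that pass through pam_limits.so (login, sshd, su, cron on most distributions); services started by systemd are governed by the unit's Limit* settings instead.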

pam::service

Manage the PAM file for a specific service. The pam::service resource is reversible, so that any service that Puppet has locked using PAM can be unlocked by setting the resource ensure to absent and waiting for the next puppet run.

Examples

pam::service { 'sudo':
  content => 'auth     required       pam_unix2.so',
}

Parameters

The following parameters are available in the pam::service defined type:

ensure

Data type: Enum['present', 'absent']

Specifies whether the PAM service file should (present) or should not (absent) exist.

Default value: 'present'

pam_config_dir

Data type: Stdlib::Absolutepath

Path to PAM files.

Default value: '/etc/pam.d'

content

Data type: Optional[String]

Content of the PAM file for the service. The content and lines parameters are mutually exclusive. Not setting either of these parameters will result in an empty service definition file.

Default value: undef

lines

Data type: Optional[Array]

Provides content for the PAM service file as an array of lines. The content and lines parameters are mutually exclusive. Not setting either of these parameters will result in an empty service definition file.

Default value: undef
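An added example (not module code) covering both the pam::service defined type and the services hash of the pam class. It hardens su so that only members of wheel can use it, and shows the ensure toggle that makes the resource reversible. The su stack is modelled on EL defaults and is an assumption; the vsftpd and profile names are illustrative.

```puppet
# Added example (not module code): service files via pam::service and the
# services hash. The su stack is an EL-style assumption; adapt to your OS.
class profile::pam_services (
  Boolean $ftp_locked = true,
) {
  # Restrict su to the wheel group. pam_wheel with use_uid checks the
  # group membership of the calling user, not the target user.
  pam::service { 'su':
    lines => [
      'auth       sufficient   pam_rootok.so',
      'auth       required     pam_wheel.so use_uid',
      'auth       substack     system-auth',
      'auth       include      postlogin',
      'account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet',
      'account    include      system-auth',
      'password   include      system-auth',
      'session    include      system-auth',
      'session    include      postlogin',
      'session    optional     pam_xauth.so',
    ],
  }

  # Lock a service outright while $ftp_locked is true; flipping it to
  # false removes the file on the next run (ensure => absent).
  pam::service { 'vsftpd':
    ensure => $ftp_locked ? { true => 'present', default => 'absent' },
    lines  => [
      'auth       required     pam_deny.so',
      'account    required     pam_deny.so',
    ],
  }

  # The same resources can be fed through the pam class instead.
  class { 'pam':
    services => {
      'screen' => {
        lines => ['auth       required     pam_unix.so'],
      },
    },
  }
}
```

Two caveats on reversibility. ensure => absent deletes the file; it does not restore a file that the service's package shipped, so after unlocking a packaged service reinstall or restore its original /etc/pam.d entry. And a service with no file of its own falls back to /etc/pam.d/other, which on most distributions is a deny-all stack, so "absent" can still mean "refused" until that original file is back. Verify the rendered result with cat /etc/pam.d/su and test su from a non-wheel account before relying on it.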