diff --git a/README.md b/README.md
index 87a8fba..5c60ca1 100644
--- a/README.md
+++ b/README.md
@@ -279,6 +279,7 @@ module aims to support the current and previous major Puppet versions.
 * Debian 11
 * Ubuntu 20.04 LTS
 * Ubuntu 22.04 LTS
+ * Ubuntu 24.04 LTS
 ### May work
diff --git a/data/os/Ubuntu/24.04.yaml b/data/os/Ubuntu/24.04.yaml
new file mode 100644
index 0000000..ca68164
--- /dev/null
+++ b/data/os/Ubuntu/24.04.yaml
@@ -0,0 +1,34 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix: ~
+pam::common_files:
+ - common_account
+ - common_auth
+ - common_password
+ - common_session
+ - common_session_noninteractive
+
+pam::sshd_pam_access: absent
+pam::pam_d_login_template: pam/login.ubuntu24.erb
+pam::pam_d_sshd_template: pam/sshd.ubuntu24.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+ - 'auth [success=1 default=ignore] pam_unix.so nullok'
+ - 'auth requisite pam_deny.so'
+ - 'auth required pam_permit.so'
+ - 'auth optional pam_cap.so'
+pam::pam_account_lines:
+ - 'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so'
+ - 'account requisite pam_deny.so'
+ - 'account required pam_permit.so'
+pam::pam_password_lines:
+ - 'password [success=1 default=ignore] pam_unix.so obscure yescrypt'
+ - 'password requisite pam_deny.so'
+ - 'password required pam_permit.so'
+pam::pam_session_lines:
+ - 'session [default=1] pam_permit.so'
+ - 'session requisite pam_deny.so'
+ - 'session required pam_permit.so'
+ - 'session optional pam_umask.so'
+ - 'session required pam_unix.so'
+ - 'session optional pam_systemd.so'
diff --git a/manifests/init.pp b/manifests/init.pp
index fc5f78b..fa44d33 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
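Review bot: In data/os/Ubuntu/24.04.yaml the first `pam::pam_auth_lines` entry passes `nullok` to pam_unix, which lets an account with an empty password field authenticate. Both new templates reach this stack through `@include common-auth`, so it applies to console login and to sshd (where the effect presumably also depends on sshd's own PermitEmptyPasswords setting, not visible here). If this is meant to mirror the distribution default, say so next to the key, e.g. `# nullok kept to match the stock 24.04 common-auth; remove it to reject empty passwords`.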
@@ -270,8 +270,8 @@
 fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10 or 11")
 }
- if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04']) {
- fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, 18.04, 20.04 or 22.04")
+ if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04', '24.04']) {
+ fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, 18.04, 20.04, 22.04 or 24.04")
 }
 if $pam_d_sshd_template == 'pam/sshd.custom.erb' {
diff --git a/metadata.json b/metadata.json
index 496a34f..b51a566 100644
--- a/metadata.json
+++ b/metadata.json
@@ -84,7 +84,8 @@
 "operatingsystem": "Ubuntu",
 "operatingsystemrelease": [
 "20.04",
- "22.04"
+ "22.04",
+ "24.04"
 ]
 }
 ],
diff --git a/spec/acceptance/nodesets/ubuntu-2404.yml b/spec/acceptance/nodesets/ubuntu-2404.yml
new file mode 100644
index 0000000..b9a4e2b
--- /dev/null
+++ b/spec/acceptance/nodesets/ubuntu-2404.yml
@@ -0,0 +1,24 @@
+HOSTS:
+ ubuntu2404:
+ roles:
+ - agent
+ platform: ubuntu-24.04-amd64
+ hypervisor : docker
+ image: ubuntu:24.04
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - "rm -f /etc/dpkg/dpkg.cfg.d/excludes"
+ - 'apt-get install -y wget net-tools iproute2 locales apt-transport-https ca-certificates'
+ - 'locale-gen en_US.UTF-8'
+ docker_env:
+ - LANG=en_US.UTF-8
+ - LANGUAGE=en_US.UTF-8
+ - LC_ALL=en_US.UTF-8
+ docker_container_name: 'pam-ubuntu2404'
+CONFIG:
+ log_level: debug
+ type: foss
+ssh:
+ password: root
+ auth_methods: ["password"]
diff --git a/templates/login.ubuntu24.erb b/templates/login.ubuntu24.erb
new file mode 100644
index 0000000..6a09e6a
--- /dev/null
+++ b/templates/login.ubuntu24.erb
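Review bot: In manifests/init.pp the Ubuntu release list is now written out twice, once in the `in [...]` array and once in the `fail()` text, so every new release needs two edits that can drift apart. Holding it in one variable keeps the gate and its message in step: `$ubuntu_releases = ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04', '24.04']`, then test `$facts['os']['release']['major'] in $ubuntu_releases` and build the message from the same array. Any spec that matches the current message text would need to follow. The enclosing conditional block starts and ends outside the hunk.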
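Review bot: In spec/acceptance/nodesets/ubuntu-2404.yml the `ssh:` block sets `password: root` with `auth_methods: ["password"]`, and nothing marks these as fixture-only values. A comment above the block would help, e.g. `# Credentials for the disposable Beaker container only`. `image: ubuntu:24.04` is a floating tag and `docker_preserve_image: true` keeps the built image around, so acceptance runs may test against different package sets over time; pinning by digest is an option if reproducibility matters. `hypervisor : docker` has a stray space before the colon.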
@@ -0,0 +1,18 @@
+auth optional pam_faildelay.so delay=3000000
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_mail.so standard
+session optional pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/templates/sshd.ubuntu24.erb b/templates/sshd.ubuntu24.erb
new file mode 100644
index 0000000..4cce9a2
--- /dev/null
+++ b/templates/sshd.ubuntu24.erb
@@ -0,0 +1,18 @@
+@include common-auth
+account required pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account <%= @sshd_pam_access %> pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard noenv # [1]
+session required pam_limits.so
+session required pam_env.so # [1]
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+@include common-password
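Review bot: templates/login.ubuntu24.erb contains no ERB tags and no comments, so the order-sensitive parts (`pam_selinux.so close` first, `pam_selinux.so open` only after `pam_loginuid.so`, and the two `pam_env.so` lines that differ only in `envfile=`) look arbitrary to the next editor. A short header would record intent, e.g. `# Managed by Puppet; entry order matters, see pam.d(5)`, plus a one-line comment on the selinux close/open pair. The same applies to templates/sshd.ubuntu24.erb.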
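Review bot: In templates/sshd.ubuntu24.erb the second `pam_env.so` line sets `user_readenv=1`, which makes pam_env also read the per-user environment file, so an SSH user can influence the session environment before the shell starts. The login template does not set that option, so the two entry points differ; if parity with the distribution file is not required, `session required pam_env.so envfile=/etc/default/locale` avoids the user-controlled input. The `# [1]` markers on the `pam_mail.so` and first `pam_env.so` lines point to a footnote that is not in the template; either drop them or add the text they refer to.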