Documentation by YARD 0.9.34
+Documentation by YARD 0.9.36
Alphabetic Index
@@ -78,11 +78,21 @@Puppet Class Listing A-Z
+What pam affects
The management of /etc/security/access.conf
can be controlled by the pam::manage_accesslogin
parameter (enabled by default).
The management of /etc/security/faillock.conf
can be controlled by the pam::manage_faillock
parameter (disabled by default).
The management of /etc/security/pwquality.conf
and /etc/security/pwquality.conf.d
can be controlled by the pam::manage_pwquality
parameter (disabled by default).
Setup requirements
This module requires stdlib
. When deployed by default it will require nsswitch
. See below for more information.
SSSD
This module has been deployed in production along with sgnl05/sssd. Please see examples/hiera/sssd/RedHat-6.yaml
file for an example with the additional SSSD entries added via hiera.
pwquality
- -An example of using pam_pwquality can be found in the examples/hiera/pwquality.yaml
.
Beginning with pam
Include the main pam
class.
Example:
content : 'auth required pam_unix2.so' +Manage faillock
+ +Management of faillock and faillock.conf is enabled via pam::manage_faillock
.
The following example would enable faillock, configure it, and add it to the PAM stack.
+ +pam::manage_faillock: true
+pam::faillock::deny: 3
+pam::pam_auth_lines:
+ - 'auth required pam_env.so'
+ - 'auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900'
+ - 'auth sufficient pam_unix.so try_first_pass nullok'
+ - 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900'
+ - 'auth required pam_deny.so'
+pam::pam_account_lines:
+ - 'account required pam_faillock.so'
+ - 'account required pam_unix.so'
+pam::pam_password_auth_lines:
+ - 'auth required pam_env.so'
+ - 'auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900'
+ - 'auth sufficient pam_unix.so try_first_pass nullok'
+ - 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900'
+ - 'auth required pam_deny.so'
+pam::pam_password_account_lines:
+ - 'account required pam_faillock.so'
+ - 'account required pam_unix.so'
+
+
+Manage pwquality
+ +Management of pwquality and pwquality.conf is enabled via pam::manage_pwquality
.
The following example would enable pwquality, configure it, and add it to the PAM stack.
+ +pam::manage_pwquality: true
+pam::pwquality::retry: 3
+pam::pwquality::maxclassrepeat: 4
+pam::pwquality::maxrepeat: 3
+pam::pwquality::minclass: 4
+pam::pwquality::difok: 8
+pam::pwquality::minlen: 15
+pam::pam_password_lines:
+ - 'password requisite pam_pwquality.so try_first_pass local_users_only difok=3 minlen=15 dcredit= 2 ocredit=2'
+ - 'password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow'
+ - 'password required pam_deny.so'
+pam::pam_password_password_lines:
+ - 'password requisite pam_pwquality.so try_first_pass local_users_only difok=3 minlen=15 dcredit= 2 ocredit=2'
+ - 'password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow'
+ - 'password required pam_deny.so'
+
+
Usage
Minimal and normal usage.
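Review bot: The faillock example sets `pam::faillock::deny: 3` for faillock.conf but every pam_faillock.so line also carries `deny=5 unlock_time=900`, and pam_faillock gives module arguments precedence over faillock.conf, so the effective threshold is 5 and the class parameter is dead — drop the inline arguments (`- 'auth required pam_faillock.so preauth silent audit'`, `- 'auth [default=die] pam_faillock.so authfail audit'`) so faillock.conf is authoritative, or make the numbers agree. The pwquality example shadows its config the same way (`difok=3 minlen=15` on the module line versus `pam::pwquality::difok: 8`, and as far as I recall pam_pwquality likewise prefers module arguments), and `dcredit= 2` contains a stray space that splits it into two arguments, so dcredit is unlikely to take the intended value. Both examples keep `nullok` on pam_unix.so, which lets an account with an empty password field authenticate; a lockout/password-quality example should omit it. If the inline arguments are meant to win over the config file, a sentence saying so would prevent readers from tuning the wrong knob.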
diff --git a/frames.html b/frames.html index 4f918f5..53734c2 100644 --- a/frames.html +++ b/frames.html @@ -2,13 +2,18 @@ -Overview
+Controls whether to manage faillock.conf
+Controls whether to manage pwquality.conf and pwquality.conf.d
+Overview
-194 -195 -196 -197 -198 -199 200 201 202 @@ -1203,10 +1233,26 @@+378 +379 +380 +381 +382 +383 +384 +385 +386 +387 +388 +389 +390 +391 +392 +393 +394Overview
375 376 377 -378
# File 'manifests/init.pp', line 194 +# File 'manifests/init.pp', line 200 class pam ( Variant[Array, Hash, String] $allowed_users = 'root', @@ -1220,6 +1266,8 @@Overview
Optional[Hash] $services = undef, Optional[Hash] $limits_fragments = undef, Boolean $limits_fragments_hiera_merge = false, + Boolean $manage_faillock = false, + Boolean $manage_pwquality = false, Array $pam_d_login_oracle_options = [], Stdlib::Absolutepath $pam_d_login_path = '/etc/pam.d/login', String $pam_d_login_owner = 'root', @@ -1328,6 +1376,14 @@Overview
} } + if $manage_faillock { + include pam::faillock + } + + if $manage_pwquality { + include pam::pwquality + } + if $manage_nsswitch { include nsswitch } diff --git a/puppet_classes/pam_3A_3Aaccesslogin.html b/puppet_classes/pam_3A_3Aaccesslogin.html index 3c5504e..2eff398 100644 --- a/puppet_classes/pam_3A_3Aaccesslogin.html +++ b/puppet_classes/pam_3A_3Aaccesslogin.html @@ -6,7 +6,7 @@Puppet Class: pam::accesslogin - — Documentation by YARD 0.9.34 + — Documentation by YARD 0.9.36 diff --git a/puppet_classes/pam_3A_3Afaillock.html b/puppet_classes/pam_3A_3Afaillock.html new file mode 100644 index 0000000..dce773e --- /dev/null +++ b/puppet_classes/pam_3A_3Afaillock.html @@ -0,0 +1,499 @@ + + + + + ++ Puppet Class: pam::faillock + + — Documentation by YARD 0.9.36 + + + + + + + + + + + + + + + + + + + +++ + \ No newline at end of file diff --git a/puppet_classes/pam_3A_3Alimits.html b/puppet_classes/pam_3A_3Alimits.html index 41b79fc..75a4f0e 100644 --- a/puppet_classes/pam_3A_3Alimits.html +++ b/puppet_classes/pam_3A_3Alimits.html @@ -6,7 +6,7 @@++ + + ++ + + + + + ++ ++ + + +Puppet Class: pam::faillock
++ + ++ ++
+- Defined in:
+- + manifests/faillock.pp +
+Summary
+ Manage faillock.conf + +Overview
+++ + + ++ +++++
++ ++ ++ + +38 +39 +40 +41 +42 +43 +44 +45 +46 +47 +48 +49 +50 +51 +52 +53 +54 +55 +56 +57 +58 +59 +60 +61 +62 +63 +64 +65 +66 +67 +68 +69 +70 +71 +72 +73 +74 +75++ +# File 'manifests/faillock.pp', line 38 + +class pam::faillock ( + Stdlib::Absolutepath $config_file = '/etc/security/faillock.conf', + String[1] $config_file_owner = 'root', + String[1] $config_file_group = 'root', + Stdlib::Filemode $config_file_mode = '0644', + String[1] $config_file_template = 'pam/faillock.conf.erb', + Optional[Stdlib::Filesource] $config_file_source = undef, + Stdlib::Absolutepath $dir = '/var/run/faillock', + Optional[Boolean] $audit_enabled = undef, + Optional[Boolean] $silent = undef, + Optional[Boolean] $no_log_info = undef, + Optional[Boolean] $local_users_only = undef, + Integer[0] $deny = 3, + Integer[0] $fail_interval = 900, + Integer[0] $unlock_time = 600, + Optional[Boolean] $even_deny_root = undef, + Integer[0] $root_unlock_time = $unlock_time, + Optional[String[1]] $admin_group = undef, +) { + include pam + + if $config_file_source { + $_config_file_content = undef + } else { + $_config_file_content = template($config_file_template) + } + + file { 'faillock.conf': + ensure => 'file', + path => $config_file, + owner => $config_file_owner, + group => $config_file_group, + mode => $config_file_mode, + content => $_config_file_content, + source => $config_file_source, + require => Package[$pam::package_name], + } +}
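Review bot: `pam::faillock` only writes faillock.conf; nothing in the class references pam_faillock.so in the auth or account stacks, so `pam::manage_faillock: true` on its own does not enable lockout, which the one-line summary `Manage faillock.conf` does not convey. I would extend the class comment: `# Manages /etc/security/faillock.conf only. pam_faillock.so must still be added to the auth and account stacks (see pam::pam_auth_lines / pam::pam_account_lines); any deny=/unlock_time= given there overrides this file.` The docblock presumably occupies lines 1-37 of manifests/faillock.pp and is outside the hunk, so the existing @param text could not be checked. `root_unlock_time` defaults to `$unlock_time` but, per pam_faillock semantics as I understand them, only matters together with `even_deny_root`, which is undef by default — worth a word in its @param.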
+Puppet Class: pam::limits - — Documentation by YARD 0.9.34 + — Documentation by YARD 0.9.36 diff --git a/puppet_classes/pam_3A_3Apwquality.html b/puppet_classes/pam_3A_3Apwquality.html new file mode 100644 index 0000000..dc656b4 --- /dev/null +++ b/puppet_classes/pam_3A_3Apwquality.html @@ -0,0 +1,831 @@ + + + + + ++ Puppet Class: pam::pwquality + + — Documentation by YARD 0.9.36 + + + + + + + + + + + + + + + + + + + +++ + \ No newline at end of file diff --git a/puppet_defined_types/pam_3A_3Alimits_3A_3Afragment.html b/puppet_defined_types/pam_3A_3Alimits_3A_3Afragment.html index b7af614..99de4b5 100644 --- a/puppet_defined_types/pam_3A_3Alimits_3A_3Afragment.html +++ b/puppet_defined_types/pam_3A_3Alimits_3A_3Afragment.html @@ -6,7 +6,7 @@++ + + ++ + + + + + ++ ++ + + +Puppet Class: pam::pwquality
++ + ++ ++
+- Defined in:
+- + manifests/pwquality.pp +
+Summary
+ Manage pwquality.conf + +Overview
+++ + + ++ +++++
++ ++ ++ + +72 +73 +74 +75 +76 +77 +78 +79 +80 +81 +82 +83 +84 +85 +86 +87 +88 +89 +90 +91 +92 +93 +94 +95 +96 +97 +98 +99 +100 +101 +102 +103 +104 +105 +106 +107 +108 +109 +110 +111 +112 +113 +114 +115 +116 +117 +118 +119 +120 +121 +122 +123 +124 +125 +126 +127 +128 +129 +130 +131 +132 +133 +134 +135 +136++ +# File 'manifests/pwquality.pp', line 72 + +class pam::pwquality ( + Stdlib::Absolutepath $config_file = '/etc/security/pwquality.conf', + String[1] $config_file_owner = 'root', + String[1] $config_file_group = 'root', + Stdlib::Filemode $config_file_mode = '0644', + Optional[Stdlib::Filesource] $config_file_source = undef, + String[1] $config_file_template = 'pam/pwquality.conf.erb', + Stdlib::Absolutepath $config_d_dir = '/etc/security/pwquality.conf.d', + String[1] $config_d_dir_owner = 'root', + String[1] $config_d_dir_group = 'root', + Stdlib::Filemode $config_d_dir_mode = '0755', + Boolean $purge_config_d_dir = true, + Optional[Variant[String[1], Array[String[1]]]] $purge_config_d_dir_ignore = undef, + Integer[0] $difok = 1, + Integer[6] $minlen = 8, + Integer $dcredit = 0, + Integer $ucredit = 0, + Integer $lcredit = 0, + Integer $ocredit = 0, + Integer[0] $minclass = 0, + Integer[0] $maxrepeat = 0, + Integer[0] $maxsequence = 0, + Integer[0] $maxclassrepeat = 0, + Integer[0] $gecoscheck = 0, + Integer[0] $dictcheck = 1, + Integer[0] $usercheck = 1, + Integer[0] $usersubstr = 0, + Integer[0] $enforcing = 1, + Optional[Array[String[1]]] $badwords = undef, + Optional[Stdlib::Absolutepath] $dictpath = undef, + Integer[0] $retry = 1, + Optional[Boolean] $enforce_for_root = undef, + Optional[Boolean] $local_users_only = undef, +) { + include pam + + if $config_file_source { + $_config_file_content = undef + } else { + $_config_file_content = template($config_file_template) + } + + file { 'pwquality.conf': + ensure => 'file', + path => $config_file, + owner => $config_file_owner, + group => $config_file_group, + mode => $config_file_mode, + source => 
$config_file_source, + content => $_config_file_content, + require => Package[$pam::package_name], + } + + file { 'pwquality.conf.d': + ensure => 'directory', + path => $config_d_dir, + owner => $config_d_dir_owner, + group => $config_d_dir_group, + mode => $config_d_dir_mode, + purge => $purge_config_d_dir, + recurse => $purge_config_d_dir, + ignore => $purge_config_d_dir_ignore, + require => Package[$pam::package_name], + } +}
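Review bot: `purge_config_d_dir` defaults to `true` and drives both `purge` and `recurse` on the `pwquality.conf.d` resource, and this class declares no file inside that directory, so the first run deletes every pre-existing drop-in (distribution- or admin-supplied) unless it is listed in `purge_config_d_dir_ignore`. For a hardening module a purge default is defensible, but it is a destructive side effect that deserves an explicit warning in the parameter doc, e.g. `# @param purge_config_d_dir When true (default), every file in pwquality.conf.d not managed by Puppet is removed on each run; list exceptions in purge_config_d_dir_ignore.` Because `recurse` is tied to the same flag, `purge_config_d_dir_ignore` has no effect when purging is off, which is fine but worth stating. The @param block above line 72 of manifests/pwquality.pp is outside the hunk, so I could not confirm whether it already says this.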
+Defined Type: pam::limits::fragment - — Documentation by YARD 0.9.34 + — Documentation by YARD 0.9.36 diff --git a/puppet_defined_types/pam_3A_3Aservice.html b/puppet_defined_types/pam_3A_3Aservice.html index 5ee985b..9f908d4 100644 --- a/puppet_defined_types/pam_3A_3Aservice.html +++ b/puppet_defined_types/pam_3A_3Aservice.html @@ -6,7 +6,7 @@Defined Type: pam::service - — Documentation by YARD 0.9.34 + — Documentation by YARD 0.9.36 diff --git a/top-level-namespace.html b/top-level-namespace.html index 0333ff1..5d6b54b 100644 --- a/top-level-namespace.html +++ b/top-level-namespace.html @@ -6,7 +6,7 @@Top Level Namespace - — Documentation by YARD 0.9.34 + — Documentation by YARD 0.9.36