This module manages PAM including accesslogin and limits.conf with functionality to create limits fragments for use in other modules.
===
This module has been tested to work on the following systems using Puppet v3 with Ruby versions 1.8.7, 1.9.3, and 2.0.0.
- EL 5
- EL 6
- Solaris 9
- Solaris 10
- Solaris 11
- Suse 9
- Suse 10
- Suse 11
- Ubuntu 12.04 LTS
===
Array or Hash of strings and/or arrays to configure users and origins in access.conf. The default allows the root user/group from origin 'ALL'.
- Default: 'root'
    # as an array where the origin for each is 'ALL'
    pam::allowed_users:
      - root
      - ops
      - devs
This would create /etc/security/access.conf with the following content.
    # This file is being maintained by Puppet.
    # DO NOT EDIT
    #
    #allow only the groups listed
    + : root : ALL
    + : ops : ALL
    + : devs : ALL

    # as a hash where the user/group can optionally specify the origin
    pam::allowed_users:
      'username':
      'username1':
        - 'cron'
        - 'tty0'
      'username2': 'tty1'
This would create /etc/security/access.conf with the following content.
    # This file is being maintained by Puppet.
    # DO NOT EDIT
    #
    #allow only the groups listed
    + : username : ALL
    + : username1 : cron tty0
    + : username2 : tty1
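A way to check a rendered access.conf against the mapping described above, added here as an example and not part of the module: pam_access applies the first matching line and does not refuse a login that matches no line, so the file only restricts access when a catch-all `- : ALL : ALL` line ends it. The names `parse_access`, `decide` and `default_deny?` are hypothetical, and matching is simplified to literal tokens and `ALL`.

```ruby
# Added example: simplified first-match evaluation of an access.conf.
# Only literal user and origin tokens plus ALL are handled; groups,
# EXCEPT, netmasks and LOCAL are out of scope here.

# Constructed sample: the hash-form output shown above.
SAMPLE = <<~CONF
  # This file is being maintained by Puppet.
  # DO NOT EDIT
  #
  #allow only the groups listed
  + : username : ALL
  + : username1 : cron tty0
  + : username2 : tty1
CONF

Rule = Struct.new(:perm, :users, :origins)

# Parse "perm : users : origins" lines, skipping comments and blanks.
def parse_access(text)
  lines = text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
  lines.map do |line|
    perm, users, origins = line.split(':', 3).map(&:strip)
    ok = %w[+ -].include?(perm) && users && origins
    raise ArgumentError, "malformed line: #{line}" unless ok
    Rule.new(perm, users.split, origins.split)
  end
end

# Return :allow or :deny for the first matching rule, :no_match otherwise.
def decide(rules, user, origin)
  hit = rules.find do |r|
    (r.users.include?('ALL') || r.users.include?(user)) &&
      (r.origins.include?('ALL') || r.origins.include?(origin))
  end
  return :no_match unless hit
  hit.perm == '+' ? :allow : :deny
end

# True when the last rule refuses everyone from everywhere.
def default_deny?(rules)
  last = rules.last
  !last.nil? && last.perm == '-' && last.users == ['ALL'] && last.origins == ['ALL']
end
```

A `:no_match` result for an account that should be locked out means the file needs a closing deny rule.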
Hash of fragments to pass to pam::limits::fragments
- Default: undef
String or Array of packages providing the pam functionality. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Path to pam.conf
- Default: '/etc/pam.conf'
Array of extra lines to add at the bottom of pam.d/login for Oracle systems on EL5.
- Default: UNSET
PAM login path
- Default: '/etc/pam.d/login'
Owner of $pam_d_login_path
- Default: 'root'
Group of $pam_d_login_path
- Default: 'root'
Mode of $pam_d_login_path
- Default: '0644'
Content template of $pam_d_login_path. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
PAM sshd path
- Default: '/etc/pam.d/sshd'
Owner of $pam_d_sshd_path
- Default: 'root'
Group of $pam_d_sshd_path
- Default: 'root'
Mode of $pam_d_sshd_path
- Default: '0644'
Content template of $pam_d_sshd_path. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content for PAM auth. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content for PAM account. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content for PAM password. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content for PAM session. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Path to other. Used on Suse.
- Default: '/etc/pam.d/other'
Path to common-auth. Used on Suse.
- Default: '/etc/pam.d/common-auth'
Path to common-auth-pc. Used on Suse.
- Default: '/etc/pam.d/common-auth-pc'
Path to common-account. Used on Suse.
- Default: '/etc/pam.d/common-account'
Path to common-account-pc. Used on Suse.
- Default: '/etc/pam.d/common-account-pc'
Path to common-password. Used on Suse.
- Default: '/etc/pam.d/common-password'
Path to common-password-pc. Used on Suse.
- Default: '/etc/pam.d/common-password-pc'
Path to common-session. Used on Suse.
- Default: '/etc/pam.d/common-session'
Path to common-session-pc. Used on Suse.
- Default: '/etc/pam.d/common-session-pc'
Path to common-session-noninteractive, which is the same as common-session-pc used on Suse. Used on Ubuntu 12.04 LTS.
- Default: '/etc/pam.d/common-session-noninteractive'
Path to system-auth. Used on RedHat.
- Default: '/etc/pam.d/system-auth'
Path to system-auth-ac. Used on RedHat.
- Default: '/etc/pam.d/system-auth-ac'
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
- Default: undef, default is set based on OS version
===
Manages login access. See PAM_ACCESS(8).
Path to access.conf.
- Default: '/etc/security/access.conf'
Owner of access.conf.
- Default: 'root'
Group of access.conf.
- Default: 'root'
Mode of access.conf.
- Default: '0644'
Content template of access.conf.
- Default: 'pam/access.conf.erb'
===
Manage PAM limits.conf
Path to limits.conf
- Default: '/etc/security/limits.conf'
Mode for config_file.
- Default: '0640'
Path to limits.d directory
- Default: '/etc/security/limits.d'
Mode for limits_d_dir.
- Default: '0750'
===
Places a fragment in $limits_d_dir directory
Source or list must be set.
String - Path to the fragment file, such as 'puppet:///modules/pam/limits.nproc'
- Default: 'UNSET'
Array of lines to add to the fragment file
===
Manage PAM file for specific service
You can specify a hash to manage the services in Hiera.

    pam::services:
      "sudo":
        content : "auth required pam_unix2.so"
Path to PAM files
- Default: '/etc/pam.d/'
Content of the PAM file for the service
===
    pam::limits_fragments:
      custom:
        list:
          - '* soft nofile 2048'
          - '* hard nofile 8192'
          - '* soft as 3145728'
          - '* hard as 4194304'
          - '* hard maxlogins 300'
          - '* soft cpu 720'
          - '* hard cpu 1440'
This would create /etc/security/limits.d/custom.conf with content
    # This file is being maintained by Puppet.
    # DO NOT EDIT
    * soft nofile 2048
    * hard nofile 8192
    * soft as 3145728
    * hard as 4194304
    * hard maxlogins 300
    * soft cpu 720
    * hard cpu 1440
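A sanity check for a fragment `list` before it is handed to the module, added here as an example and not part of the module: it verifies the four-field layout, the type and item names documented in limits.conf(5), and that no soft limit exceeds its hard limit. The name `check_limits` is hypothetical.

```ruby
# Added example: validate limits lines destined for a limits.d fragment.
# Item names are those documented in limits.conf(5).
ITEMS = %w[core data fsize memlock nofile rss stack cpu nproc as maxlogins
           maxsyslogins priority locks sigpending msgqueue nice rtprio].freeze

# Constructed sample: the list from the pam::limits_fragments example above.
LINES = [
  '* soft nofile 2048', '* hard nofile 8192',
  '* soft as 3145728',  '* hard as 4194304',
  '* hard maxlogins 300',
  '* soft cpu 720',     '* hard cpu 1440'
].freeze

# Return an array of problem strings; empty means the list looks consistent.
def check_limits(lines)
  problems = []
  seen = Hash.new { |h, k| h[k] = {} } # [domain, item] => { 'soft' => n, 'hard' => n }
  lines.each do |line|
    fields = line.split
    unless fields.size == 4
      problems << "expected 4 fields: #{line.inspect}"
      next
    end
    domain, type, item, value = fields
    problems << "unknown type #{type.inspect}: #{line}" unless %w[soft hard -].include?(type)
    problems << "unknown item #{item.inspect}: #{line}" unless ITEMS.include?(item)
    if value =~ /\A\d+\z/
      seen[[domain, item]][type] = value.to_i
    elsif value !~ /\A-\d+\z/ && !%w[unlimited infinity].include?(value)
      problems << "non-numeric value #{value.inspect}: #{line}"
    end
  end
  # Compare soft against hard; nice and priority are skipped because their
  # values are not simple ceilings, as are negative and unlimited values.
  seen.each do |(domain, item), v|
    next if %w[nice priority].include?(item)
    next unless v['soft'] && v['hard'] && v['soft'] > v['hard']
    problems << "soft #{item} (#{v['soft']}) exceeds hard (#{v['hard']}) for #{domain}"
  end
  problems
end
```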