From 01c2db7827eb04298290edcc45c86bc8458b402f Mon Sep 17 00:00:00 2001 From: Jesse Adelman Date: Thu, 21 Jan 2016 11:48:05 -0800 Subject: [PATCH 1/3] Enable pam_pwquality in rhel-family > 7. --- recipes/pam.rb | 80 +++++++++++++++++++++++++++----------------------- 1 file changed, 43 insertions(+), 37 deletions(-) diff --git a/recipes/pam.rb b/recipes/pam.rb index a19b9ead..36a7c7eb 100644 --- a/recipes/pam.rb +++ b/recipes/pam.rb @@ -26,7 +26,7 @@ end case node['platform_family'] -# do pam config for ubuntu + # do pam config for ubuntu when 'debian' passwdqc_path = '/usr/share/pam-configs/passwdqc' @@ -54,7 +54,7 @@ group 'root' end - # deactivate passwdqc + # deactivate passwdqc else # delete passwdqc file on ubuntu and debian @@ -92,7 +92,7 @@ command 'pam-auth-update --package' end -# do config for rhel-family + # do config for rhel-family when 'rhel', 'fedora' # we do not allow to use authconfig, because it does not use the /etc/sysconfig/authconfig as a basis 
@@ -100,45 +100,51 @@ # @see http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify if node['auth']['pam']['passwdqc']['enable'] - - # remove pam_cracklib, because it does not play nice wiht passwdqc - package 'pam-cracklib' do - package_name node['packages']['pam_cracklib'] - action :remove - end - - # get the package for strong password checking - package 'pam-passwdqc' do - package_name node['packages']['pam_passwdqc'] + if node[:platform_version] < 7 + # remove pam_cracklib, because it does not play nice wiht passwdqc in versions less than 7 + package 'pam-cracklib' do + package_name node['packages']['pam_cracklib'] + action :remove + end + + # get the package for strong password checking + package 'pam-passwdqc' do + package_name node['packages']['pam_passwdqc'] + end + + # deactivate passwdqc + else + + # make sure the package is not on the system, + # if this feature is not wanted + package 'pam-passwdqc' do + package_name node['packages']['pam_passwdqc'] + action :remove + end end - - # deactivate passwdqc else - # make sure the package is not on the system, - # if this feature is not wanted - package 'pam-passwdqc' do - package_name node['packages']['pam_passwdqc'] - action :remove + # In RH-family distros > 7, 'pam_pwquality' contains both pam_cracklib and pam_passwdqc + # See https://linux.web.cern.ch/linux/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/ + package 'pam_pwquality' do + package_name node['packages']['pam_pwquality'] end - end - - # run the standard config + # run the standard config - # configure passwdqc and tally via central system-auth confic: - template '/etc/pam.d/system-auth-ac' do - source 'rhel_system_auth.erb' - mode 0640 - owner 'root' - group 'root' - end + # configure passwdqc and tally via central system-auth confic: + template '/etc/pam.d/system-auth-ac' do + source 'rhel_system_auth.erb' + mode 0640 + owner 'root' + group 'root' + end - # NSA 2.3.3.5 Upgrade Password Hashing 
Algorithm to SHA-512 - template '/etc/libuser.conf' do - source 'rhel_libuser.conf.erb' - mode 0640 - owner 'root' - group 'root' + # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 + template '/etc/libuser.conf' do + source 'rhel_libuser.conf.erb' + mode 0640 + owner 'root' + group 'root' + end end - end From 6dfa8c036b134a70eda2e9eac5a119ab78a4a0d1 Mon Sep 17 00:00:00 2001 From: Jesse Adelman Date: Thu, 21 Jan 2016 12:15:50 -0800 Subject: [PATCH 2/3] Fix bad string vs. floating point number comparison. --- recipes/pam.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes/pam.rb b/recipes/pam.rb index 36a7c7eb..c64c12fb 100644 --- a/recipes/pam.rb +++ b/recipes/pam.rb @@ -100,7 +100,7 @@ # @see http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify if node['auth']['pam']['passwdqc']['enable'] - if node[:platform_version] < 7 + if node['platform_version'].to_f < 7 # remove pam_cracklib, because it does not play nice wiht passwdqc in versions less than 7 package 'pam-cracklib' do package_name node['packages']['pam_cracklib'] From b5f3d81d0d9f5735dcaab9e6d44e15f1799e4253 Mon Sep 17 00:00:00 2001 From: Jesse Adelman Date: Thu, 21 Jan 2016 12:34:09 -0800 Subject: [PATCH 3/3] Fix tabs vs. spaces, 2 space indents. --- recipes/pam.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/recipes/pam.rb b/recipes/pam.rb index c64c12fb..daebef43 100644 --- a/recipes/pam.rb +++ b/recipes/pam.rb 
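Review bot: The `# run the standard config` templates for `/etc/pam.d/system-auth-ac` and `/etc/libuser.conf` now sit inside the `else` of `if node['auth']['pam']['passwdqc']['enable']`, so a node with passwdqc enabled no longer gets the system-auth template or the SHA-512 libuser.conf setting that the removed lines applied unconditionally; they should move back after the outer `end`. The version test is also nested under the enabled branch, so `pam_pwquality` is installed only when passwdqc is disabled (on any version), while an enabled node on 7+ merely removes pam-passwdqc and installs nothing — the `node['platform_version']` split looks like it belongs inside the enabled branch with pam_pwquality in its >= 7 arm (patch 2 fixes the String/Integer comparison and patch 3 the indentation, but this structure is unchanged in both). Nothing in the series touches `rhel_system_auth.erb`, so unless that template already references pam_pwquality the package install alone does not change the active PAM stack — worth confirming. The enclosing `case node['platform_family']` starts outside the hunk.
```ruby
  if node['auth']['pam']['passwdqc']['enable']
    if node['platform_version'].to_f < 7
      # … unchanged: remove pam-cracklib, install pam-passwdqc …
    else
      # RHEL-family 7+ ships pam_pwquality in place of pam_cracklib/pam_passwdqc
      package 'pam_pwquality' do
        package_name node['packages']['pam_pwquality']
      end
    end
  else
    # … unchanged: remove pam-passwdqc when the feature is not wanted …
  end

  # run the standard config (unconditional, as before the change)
  # … unchanged: system-auth-ac and libuser.conf templates …
```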
@@ -103,13 +103,13 @@ if node['platform_version'].to_f < 7 # remove pam_cracklib, because it does not play nice wiht passwdqc in versions less than 7 package 'pam-cracklib' do - package_name node['packages']['pam_cracklib'] - action :remove + package_name node['packages']['pam_cracklib'] + action :remove end # get the package for strong password checking package 'pam-passwdqc' do - package_name node['packages']['pam_passwdqc'] + package_name node['packages']['pam_passwdqc'] end # deactivate passwdqc @@ -118,8 +118,8 @@ # make sure the package is not on the system, # if this feature is not wanted package 'pam-passwdqc' do - package_name node['packages']['pam_passwdqc'] - action :remove + package_name node['packages']['pam_passwdqc'] + action :remove end end else