.fixtures.yml

@@ -0,0 +1,6 @@
+fixtures:
+  repositories:
+    "stdlib": "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+    "nsswitch": "git://github.com/ghoneycutt/puppet-module-nsswitch.git"
+  symlinks:
+    "pam": "#{source_dir}"

.gitignore

@@ -1,3 +1,4 @@
+# Default .gitignore for Ruby
 *.gem
 *.rbc
 .bundle
@@ -16,3 +17,14 @@ tmp
 .yardoc
 _yardoc
 doc/
+
+# Vim
+*.swp
+
+# OS X
+.DS_Store
+
+# Puppet
+metadata.json
+coverage/
+spec/fixtures/modules/*

.travis.yml

@@ -0,0 +1,17 @@
+---
+env:
+- PUPPET_VERSION=2.7.23
+- PUPPET_VERSION=3.2.4
+notifications:
+email: false
+rvm:
+- 1.9.3
+- 1.8.7
+matrix:
+  allow_failures:
+  - env: PUPPET_VERSION=2.7.23
+  - rvm: 1.9.3
+language: ruby
+before_script: "gem install --no-ri --no-rdoc bundler"
+script: 'bundle exec rake validate && bundle exec rake lint && SPEC_OPTS="--format documentation" bundle exec rake spec'
+gemfile: Gemfile

CHANGELOG

@@ -0,0 +1,2 @@
+2.0.0 - 2013-05-16 Garrett Honeycutt <code@garretthoneycutt.com>
+* Rebirth of ghoneycutt/pam

Gemfile

@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 2.7']
+gem 'puppet', puppetversion
+gem 'puppetlabs_spec_helper', '>= 0.1.0'
+gem 'puppet-lint', '>= 0.3.2'
+gem 'facter', '>= 1.7.0', "< 1.8.0"

LICENSE

@@ -0,0 +1,13 @@
+Copyright (C) 2010-2013 Garrett Honeycutt <code@garretthoneycutt.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

Modulefile

@@ -0,0 +1,10 @@
+name    'ghoneycutt-pam'
+version '2.1.0'
+source 'git://github.com/ghoneycutt/puppet-module-pam.git'
+author 'ghoneycutt'
+license 'Apache License, Version 2.0'
+summary 'Manage PAM'
+description 'Manages PAM, including specifying users and groups in access.conf, limits.conf, and limits fragments'
+project_page 'https://github.com/ghoneycutt/puppet-module-pam'
+
+dependency 'ghoneycutt/nsswitch', '>= 0.0.1'

README.md

@@ -1,4 +1,238 @@
-puppet-module-pam
-=================
+# pam module
 
-Puppet module to manage PAM
+
+[![Build Status](
+https://api.travis-ci.org/ghoneycutt/puppet-module-pam.png?branch=master)](https://travis-ci.org/ghoneycutt/puppet-module-pam)
+
+This module manages PAM including accesslogin and limits.conf with functionality to create limits fragments for use in other modules.
+
+===
+
+# Compatibility
+
+This module has been tested to work on the following systems using Puppet v3 and Ruby 1.8.7
+
+ * EL 5
+ * EL 6
+ * Solaris 10
+
+===
+
+# Parameters
+
+## class pam
+
+
+allowed_users
+-------------
+Array of users allowed to log in.
+
+- *Default*: root
+
+package_name
+------------
+Array of packages providing the pam functionality. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+pam_conf_file
+-------------
+Path to pam.conf
+
+- *Default*: '/etc/pam.conf'
+
+pam_d_login_oracle_options
+--------------------------
+Allow array of extra lines at the bottom of pam.d/login for oracle systems on EL5.
+
+- *Default*: UNSET
+
+pam_d_login_path
+----------------
+PAM login path
+
+- *Default*: '/etc/pam.d/login'
+
+pam_d_login_owner
+-----------------
+Owner of $pam_d_login_path
+
+- *Default*: 'root'
+
+pam_d_login_group
+-----------------
+Group of $pam_d_login_path
+
+- *Default*: 'root'
+
+pam_d_login_mode
+----------------
+Mode of $pam_d_login_path
+
+- *Default*: '0644'
+
+pam_d_login_template
+--------------------
+Content template of $pam_d_login_path. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+pam_d_sshd_path
+---------------
+PAM sshd path
+
+- *Default*: '/etc/pam.d/sshd'
+
+pam_d_sshd_owner
+----------------
+Owner of $pam_d_sshd_path
+
+- *Default*: 'root'
+
+pam_d_sshd_group
+----------------
+Group of $pam_d_sshd_path
+
+- *Default*: 'root'
+
+pam_d_sshd_mode
+---------------
+Mode of $pam_d_sshd_path
+
+- *Default*: '0644'
+
+pam_d_sshd_template
+-------------------
+Content template of $pam_d_sshd_path. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+pam_auth_lines
+-------------------------
+Content for PAM auth. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+pam_account_lines
+----------------------------
+Content for PAM account. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+pam_password_lines
+-----------------------------
+Content for PAM password. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+pam_session_lines
+----------------------------
+Content for PAM session. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+system_auth_file
+----------------
+Path to system-auth.
+
+- *Default*: '/etc/pam.d/system-auth'
+
+system_auth_ac_file
+-------------------
+Path to system-auth-ac
+
+- *Default*: '/etc/pam.d/system-auth-ac'
+
+system_auth_ac_auth_lines
+-------------------------
+Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+system_auth_ac_account_lines
+----------------------------
+Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+system_auth_ac_password_lines
+-----------------------------
+Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+system_auth_ac_session_lines
+----------------------------
+Content template of $system_auth_ac_file. If undef, parameter is set based on the OS version.
+
+- *Default*: undef, default is set based on OS version
+
+===
+
+# define pam::accesslogin
+Manages login access
+See PAM_ACCESS(8)
+
+## Parameters for `pam::accesslogin` define
+
+access_conf_path
+----------------
+Path to access.conf.
+
+- *Default*: '/etc/security/access.conf'
+
+access_conf_owner
+-----------------
+Owner of access.conf.
+
+- *Default*: 'root'
+
+access_conf_group
+-----------------
+Group of access.conf.
+
+- *Default*: 'root'
+
+access_conf_mode
+----------------
+Mode of access.conf.
+
+- *Default*: '0644'
+
+access_conf_template
+--------------------
+Content template of access.conf.
+
+- *Default*: 'pam/access.conf.erb'
+
+===
+
+# pam::limits define
+Manage PAM limits.conf
+
+## Parameters for `pam::limits` define
+
+config_file
+-----------
+Path to limits.conf
+
+- *Default*: '/etc/security/limits.conf'
+
+limits_d_dir
+------------
+Path to limits.d directory
+
+- *Default*: '/etc/security/limits.d'
+
+===
+
+# pam::limits::fragment define
+Places a fragment in $limits_d_dir directory
+
+## Parameters for `pam::limits::fragment`
+
+source
+------
+String - Path to the fragment file, such as 'puppet:///modules/pam/limits.nproc'
+
+- *Required*

Rakefile

@@ -0,0 +1,12 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]
+
+desc "Run puppet in noop mode and check for syntax errors."
+task :validate do
+   Dir['manifests/**/*.pp', 'tests/**/*.pp'].each do |path|
+     sh "puppet parser validate --noop #{path}"
+   end
+end

files/limits.conf

@@ -0,0 +1,53 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain>        <type>  <item>  <value>
+#
+#Where:
+#<domain> can be:
+#        - an user name
+#        - a group name, with @group syntax
+#        - the wildcard *, for default entry
+#        - the wildcard %, can be also used with %group syntax,
+#                 for maxlogin limit
+#
+#<type> can have the two values:
+#        - "soft" for enforcing the soft limits
+#        - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+#        - core - limits the core file size (KB)
+#        - data - max data size (KB)
+#        - fsize - maximum filesize (KB)
+#        - memlock - max locked-in-memory address space (KB)
+#        - nofile - max number of open files
+#        - rss - max resident set size (KB)
+#        - stack - max stack size (KB)
+#        - cpu - max CPU time (MIN)
+#        - nproc - max number of processes
+#        - as - address space limit (KB)
+#        - maxlogins - max number of logins for this user
+#        - maxsyslogins - max number of logins on the system
+#        - priority - the priority to run user process with
+#        - locks - max number of file locks the user can hold
+#        - sigpending - max number of pending signals
+#        - msgqueue - max memory used by POSIX message queues (bytes)
+#        - nice - max nice priority allowed to raise to values: [-20, 19]
+#        - rtprio - max realtime priority
+#
+#<domain>      <type>  <item>         <value>
+#
+
+#*               soft    core            0
+#*               hard    rss             10000
+#@student        hard    nproc           20
+#@faculty        soft    nproc           20
+#@faculty        hard    nproc           50
+#ftp             hard    nproc           0
+#@student        -       maxlogins       4
+
+# End of file