Showing with 292 additions and 16 deletions.
  1. +1 −0 .gitignore
  2. +1 −1 Modulefile
  3. +5 −4 README.md
  4. +75 −3 manifests/init.pp
  5. +2 −2 manifests/limits.pp
  6. +3 −2 metadata.json
  7. +170 −1 spec/classes/init_spec.rb
  8. +3 −3 spec/classes/limits_spec.rb
  9. 0 spec/fixtures/manifests/site.pp
  10. +17 −0 templates/login.ubuntu14.erb
  11. +15 −0 templates/sshd.ubuntu14.erb
1 change: 1 addition & 0 deletions .gitignore
@@ -27,4 +27,5 @@ doc/
# Puppet
coverage/
spec/fixtures/modules/*
spec/fixtures/manifests/*
Gemfile.lock
2 changes: 1 addition & 1 deletion Modulefile
@@ -1,5 +1,5 @@
name 'ghoneycutt-pam'
version '2.14.0'
version '2.15.0'
source 'git://github.com/ghoneycutt/puppet-module-pam.git'
author 'ghoneycutt'
license 'Apache-2.0'
9 changes: 5 additions & 4 deletions README.md
@@ -23,6 +23,7 @@ This module has been tested to work on the following systems using Puppet v3 wit
* Suse 11
* Suse 12
* Ubuntu 12.04 LTS
* Ubuntu 14.04 LTS

EL no longer requires the `redhat-lsb` package.

@@ -180,25 +181,25 @@ Content template of $pam_d_sshd_path. If undef, parameter is set based on the OS

pam_auth_lines
--------------
Content for PAM auth. If undef, parameter is set based on the OS version.
An ordered array of strings that define the content for PAM auth. If undef, parameter is set based on the OS version.

- *Default*: undef, default is set based on OS version

pam_account_lines
-----------------
Content for PAM account. If undef, parameter is set based on the OS version.
An ordered array of strings that define the content for PAM account. If undef, parameter is set based on the OS version.

- *Default*: undef, default is set based on OS version

pam_password_lines
------------------
Content for PAM password. If undef, parameter is set based on the OS version.
An ordered array of strings that define the content for PAM password. If undef, parameter is set based on the OS version.

- *Default*: undef, default is set based on OS version

pam_session_lines
-----------------
Content for PAM session. If undef, parameter is set based on the OS version.
An ordered array of strings that define the content for PAM session. If undef, parameter is set based on the OS version.

- *Default*: undef, default is set based on OS version

78 changes: 75 additions & 3 deletions manifests/init.pp
@@ -53,8 +53,10 @@
'5': {
$default_pam_d_login_template = 'pam/login.el5.erb'
$default_pam_d_sshd_template = 'pam/sshd.el5.erb'
$default_package_name = [ 'pam',
'util-linux' ]
$default_package_name = [
'pam',
'util-linux',
]

if $ensure_vas == 'present' {
case $vas_major_version {
@@ -575,8 +577,78 @@
]
}
}
'14.04': {
$default_pam_d_login_template = 'pam/login.ubuntu14.erb'
$default_pam_d_sshd_template = 'pam/sshd.ubuntu14.erb'
$default_package_name = 'libpam0g'

if $ensure_vas == 'present' {
$default_pam_auth_lines = [
'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds',
'auth requisite pam_vas3.so echo_return',
'auth required pam_unix.so use_first_pass'
]

$default_pam_account_lines = [
'account sufficient pam_vas3.so',
'account requisite pam_vas3.so echo_return',
'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so',
'account requisite pam_deny.so',
'account required pam_permit.so'
]

$default_pam_password_lines = [
'password sufficient pam_vas3.so',
'password requisite pam_vas3.so echo_return',
'password [success=1 default=ignore] pam_unix.so obscure sha512',
'password requisite pam_deny.so',
'password required pam_permit.so'
]

$default_pam_session_lines = [
'session [default=1] pam_permit.so',
'session requisite pam_deny.so',
'session required pam_permit.so',
'session optional pam_umask.so',
'session required pam_vas3.so create_homedir',
'session requisite pam_vas3.so echo_return',
'session required pam_unix.so'
]

} else {

$default_pam_auth_lines = [
'auth [success=1 default=ignore] pam_unix.so nullok_secure',
'auth requisite pam_deny.so',
'auth required pam_permit.so',
'auth optional pam_cap.so'
]

$default_pam_account_lines = [
'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so',
'account requisite pam_deny.so',
'account required pam_permit.so'
]

$default_pam_password_lines = [
'password [success=1 default=ignore] pam_unix.so obscure sha512',
'password requisite pam_deny.so',
'password required pam_permit.so'
]

$default_pam_session_lines = [
'session [default=1] pam_permit.so',
'session requisite pam_deny.so',
'session required pam_permit.so',
'session optional pam_umask.so',
'session required pam_unix.so',
'session optional pam_systemd.so'
]
}
}
default: {
fail("Pam is only supported on Ubuntu 12.04. Your lsbdistrelease is identified as <${::lsbdistrelease}>.")
fail("Pam is only supported on Ubuntu 12.04 and 14.04. Your lsbdistrelease is identified as <${::lsbdistrelease}>.")
}
}
}
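Review bot: The non-VAS `'14.04'` default for `$default_pam_auth_lines` carries `pam_unix.so nullok_secure`, which lets an account with an empty password authenticate on terminals listed in /etc/securetty, and nothing in the visible manifest or README lines tells an operator that the module now enforces that choice. It matches Ubuntu's stock common-auth, so keeping it as the default is defensible, but it deserves a comment above the array such as `# nullok_secure mirrors the stock Ubuntu 14.04 common-auth; set pam_auth_lines to drop it where empty passwords must never authenticate`. The VAS branch added here also does not consult `$vas_major_version` the way the `'5'` branch at the top of this section does; if the `pam_vas3.so` options differ between VAS releases, that should be handled or stated in a comment. The enclosing `case` starts outside the hunk.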
4 changes: 2 additions & 2 deletions manifests/limits.pp
@@ -54,7 +54,7 @@
mode => $limits_d_dir_mode,
purge => $purge_limits_d_dir_real,
recurse => $purge_limits_d_dir_real,
require => [ Package[$pam::my_package_name],
require => [ Package[$::pam::my_package_name],
Common::Mkdir_p[$limits_d_dir],
],
}
@@ -67,6 +67,6 @@
owner => 'root',
group => 'root',
mode => $config_file_mode,
require => Package[$pam::my_package_name],
require => Package[$::pam::my_package_name],
}
}
5 changes: 3 additions & 2 deletions metadata.json
@@ -1,6 +1,6 @@
{
"name": "ghoneycutt-pam",
"version": "2.14.0",
"version": "2.15.0",
"author": "ghoneycutt",
"summary": "Manage PAM",
"license": "Apache-2.0",
@@ -85,7 +85,8 @@
{
"operatingsystem": "Ubuntu",
"operatingsystemrelease": [
"12.04"
"12.04",
"14.04"
]
}
],
171 changes: 170 additions & 1 deletion spec/classes/init_spec.rb
@@ -56,7 +56,7 @@
it 'should fail' do
expect {
should contain_class('pam')
}.to raise_error(Puppet::Error,/Pam is only supported on Ubuntu 12.04. Your lsbdistrelease is identified as <10.04>./)
}.to raise_error(Puppet::Error,/Pam is only supported on Ubuntu 12.04 and 14.04. Your lsbdistrelease is identified as <10.04>./)
end
end

@@ -993,6 +993,175 @@
}
end

context 'with default params on Ubuntu 14.04 LTS' do
let :facts do
{
:lsbdistid => 'Ubuntu',
:osfamily => 'Debian',
:lsbdistrelease => '14.04',
}
end

it {
should contain_package('libpam0g').with({
'ensure' => 'installed',
})
}

it {
should contain_file('pam_common_auth').with({
'ensure' => 'file',
'path' => '/etc/pam.d/common-auth',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_common_auth').with_content("# This file is being maintained by Puppet.
# DO NOT EDIT
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
")
}

it {
should contain_file('pam_common_account').with({
'ensure' => 'file',
'path' => '/etc/pam.d/common-account',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_common_account').with_content("# This file is being maintained by Puppet.
# DO NOT EDIT
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
")
}

it {
should contain_file('pam_common_password').with({
'ensure' => 'file',
'path' => '/etc/pam.d/common-password',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_common_password').with_content("# This file is being maintained by Puppet.
# DO NOT EDIT
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
")
}

it { should contain_file('pam_common_noninteractive_session').with({
'ensure' => 'file',
'path' => '/etc/pam.d/common-session-noninteractive',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_common_noninteractive_session').with_content("# This file is being maintained by Puppet.
# DO NOT EDIT
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
")
}

it { should contain_file('pam_common_session').with({
'ensure' => 'file',
'path' => '/etc/pam.d/common-session',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_common_session').with_content("# This file is being maintained by Puppet.
# DO NOT EDIT
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
")
}

it {
should contain_file('pam_d_login').with({
'ensure' => 'file',
'path' => '/etc/pam.d/login',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_d_login').with_content("auth optional pam_faildelay.so delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
")
}

it {
should contain_file('pam_d_sshd').with({
'ensure' => 'file',
'path' => '/etc/pam.d/sshd',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_d_sshd').with_content("@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
")
}
end

context 'with default params on osfamily Suse with lsbmajdistrelease 9' do
let :facts do
{
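Review bot: The new `with default params on Ubuntu 14.04 LTS` context pins only the non-VAS stacks, so the `$ensure_vas == 'present'` branch this commit adds to manifests/init.pp for 14.04 (the four arrays containing `pam_vas3.so`) has no expectation in this section. Those lines decide who can authenticate, so a wrong control flag or a reordered entry there would pass the suite unnoticed. Add a sibling context with the same facts and `let(:params) { { :ensure_vas => 'present' } }` (plus any other parameters the class requires in that mode) that asserts the content of `pam_common_auth`, `pam_common_account`, `pam_common_password` and `pam_common_session`. If VAS coverage for 14.04 already exists elsewhere in the file, outside these hunks, this can be ignored.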
6 changes: 3 additions & 3 deletions spec/classes/limits_spec.rb
@@ -75,7 +75,7 @@
'owner' => 'root',
'group' => 'root',
'mode' => '0640',
'require' => [ 'Package[pam]', ],
'require' => 'Package[pam]',
})
}

@@ -104,7 +104,7 @@
'owner' => 'root',
'group' => 'root',
'mode' => '0640',
'require' => [ 'Package[pam]', ],
'require' => 'Package[pam]',
})
}

@@ -161,7 +161,7 @@
'owner' => 'root',
'group' => 'root',
'mode' => '0640',
'require' => [ 'Package[pam]', ],
'require' => 'Package[pam]',
})
}

Empty file removed spec/fixtures/manifests/site.pp
Empty file.