README.md

@@ -27,6 +27,7 @@ only), 1.9.3, 2.0.0 and 2.1.0.
  * OpenSuSE 13.1
  * Ubuntu 12.04 LTS
  * Ubuntu 14.04 LTS
+ * Debian 8.2
 
 EL no longer requires the `redhat-lsb` package.
 
@@ -485,4 +486,3 @@ This would create /etc/security/limits.d/custom.conf with content
 * soft cpu 720
 * hard cpu 1440
 </pre>
-

manifests/init.pp

@@ -691,8 +691,52 @@
             }
           }
         }
+        'Debian': {
+          case $::lsbdistrelease {
+            '8.2': {
+
+              if $ensure_vas == 'present' {
+                fail("Pam: vas is not supported on ${::osfamily} ${::lsbdistrelease}")
+              }
+              $default_pam_d_login_template = 'pam/login.debian8.erb'
+              $default_pam_d_sshd_template  = 'pam/sshd.debian8.erb'
+              $default_package_name         = 'libpam0g'
+
+
+              $default_pam_auth_lines = [
+                'auth  [success=1 default=ignore]  pam_unix.so nullok_secure',
+                'auth  requisite     pam_deny.so',
+                'auth  required      pam_permit.so',
+              ]
+
+              $default_pam_account_lines = [
+                'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so',
+                'account requisite     pam_deny.so',
+                'account required      pam_permit.so',
+              ]
+
+              $default_pam_password_lines = [
+                'password  [success=1 default=ignore]  pam_unix.so obscure sha512',
+                'password  requisite     pam_deny.so',
+                'password  required      pam_permit.so',
+              ]
+
+              $default_pam_session_lines = [
+                'session [default=1]   pam_permit.so',
+                'session requisite     pam_deny.so',
+                'session required      pam_permit.so',
+                'session required      pam_unix.so',
+              ]
+
+
+            }
+            default: {
+              fail("Pam is only supported on Debian 8. Your operatingsystemmajrelease is identified as <${::lsbdistrelease}>.")
+            }
+          }
+        }
         default: {
-          fail("Pam is only supported on lsbdistid Ubuntu of the Debian osfamily. Your lsbdistid is <${::lsbdistid}>.")
+          fail("Pam is only supported on lsbdistid Ubuntu or Debian of the Debian osfamily. Your lsbdistid is <${::lsbdistid}>.")
         }
       }
     }

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-pam",
-  "version": "2.20.0",
+  "version": "2.21.0",
   "author": "ghoneycutt",
   "summary": "Manage PAM",
   "license": "Apache-2.0",
@@ -94,7 +94,14 @@
         "12.04",
         "14.04"
       ]
+    },
+    {
+      "operatingsystem": "Debian",
+      "operatingsystemrelease": [
+        "8.2"
+      ]
     }
+
   ],
   "description": "Manages PAM, including specifying users and groups in access.conf, limits.conf, and limits fragments",
   "dependencies": [

spec/classes/init_spec.rb

@@ -150,7 +150,19 @@
           { :prefix         => 'pam_common_',
             :types          => ['auth', 'account', 'password', 'session', 'noninteractive_session' ],
           }, ],
-      }
+      },
+    'debian82'              =>
+    { :osfamily             => 'Debian',
+      :lsbdistid            => 'Debian',
+      :release              => '8.2',
+      :releasetype          => 'lsbdistrelease',
+      :packages             => [ 'libpam0g', ],
+      :files                => [
+        { :prefix           => 'pam_common_',
+          :types            => ['auth', 'account', 'password', 'session', 'noninteractive_session' ],
+        }, ],
+    }
+
   }
   unsupported_platforms = {
     'el4'                   =>
@@ -292,6 +304,15 @@
             next
           end
 
+          if check == 'vas' and v[:osfamily] == 'Debian' and v[:release] == '8.2'
+            it 'should fail' do
+              expect {
+                should contain_class('pam')
+              }.to raise_error(Puppet::Error,/Pam: vas is not supported on #{v[:osfamily]} #{v[:release]}/)
+            end
+            next
+          end
+
           v[:files].each do |file|
             group = file[:group] || 'root'
             dirpath = file[:dirpath] || '/etc/pam.d/'
@@ -458,7 +479,7 @@
           it { should contain_file('pam_system_auth_ac').with_content(/session[\s]+required[\s]+pam_vas3.so/) }
         end
 
-        if v[:osfamily] == 'Debian'
+        if v[:osfamily] == 'Debian' and v[:lsbdistid] == 'Ubuntu'
           it { should contain_class('pam::accesslogin') }
           it { should contain_class('pam::limits') }
 
@@ -613,6 +634,7 @@
         let :facts do
           { :osfamily => v[:osfamily],
             :"#{v[:releasetype]}" => v[:release],
+            :lsbdistid => v[:lsbdistid],
           }
         end
         let (:params) { {:limits_fragments_hiera_merge => ['not_a_boolean', 'not_a_string'] } }
@@ -627,6 +649,7 @@
         let :facts do
           { :osfamily => v[:osfamily],
             :"#{v[:releasetype]}" => v[:release],
+            :lsbdistid => v[:lsbdistid],
           }
         end
         let (:params) { {:limits_fragments_hiera_merge => 'invalid_string' } }

spec/fixtures/pam_common_account.defaults.debian82

@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
+account requisite     pam_deny.so
+account required      pam_permit.so

spec/fixtures/pam_common_auth.defaults.debian82

@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth  [success=1 default=ignore]  pam_unix.so nullok_secure
+auth  requisite     pam_deny.so
+auth  required      pam_permit.so

spec/fixtures/pam_common_noninteractive_session.defaults.debian82

@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session required      pam_unix.so

spec/fixtures/pam_common_password.defaults.debian82

@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password  [success=1 default=ignore]  pam_unix.so obscure sha512
+password  requisite     pam_deny.so
+password  required      pam_permit.so

spec/fixtures/pam_common_session.defaults.debian82

@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session required      pam_unix.so

spec/fixtures/pam_d_login.defaults.debian82

@@ -0,0 +1,18 @@
+auth     optional   pam_faildelay.so  delay=3000000
+auth     [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth     requisite  pam_nologin.so
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session  required   pam_env.so readenv=1
+session  required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth     optional   pam_group.so
+session  required   pam_limits.so
+session  optional   pam_lastlog.so
+session  optional   pam_exec.so type=open_session stdout /bin/uname -snrvm
+session  optional   pam_motd.so
+session  optional   pam_mail.so standard
+session  required   pam_loginuid.so
+@include common-account
+@include common-session
+@include common-password
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

spec/fixtures/pam_d_sshd.defaults.debian82

@@ -0,0 +1,14 @@
+@include common-auth
+account  required     pam_nologin.so
+@include common-account
+session  [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session  required     pam_loginuid.so
+session  optional     pam_keyinit.so force revoke
+@include common-session
+session  optional     pam_motd.so  motd=/run/motd.dynamic
+session  optional     pam_motd.so noupdate # [1]
+session  required     pam_limits.so
+session  required     pam_env.so # [1]
+session  required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session  [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password

templates/login.debian8.erb

@@ -0,0 +1,18 @@
+auth     optional   pam_faildelay.so  delay=3000000
+auth     [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth     requisite  pam_nologin.so
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session  required   pam_env.so readenv=1
+session  required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth     optional   pam_group.so
+session  required   pam_limits.so
+session  optional   pam_lastlog.so
+session  optional   pam_exec.so type=open_session stdout /bin/uname -snrvm
+session  optional   pam_motd.so
+session  optional   pam_mail.so standard
+session  required   pam_loginuid.so
+@include common-account
+@include common-session
+@include common-password
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

templates/sshd.debian8.erb

@@ -0,0 +1,14 @@
+@include common-auth
+account  required     pam_nologin.so
+@include common-account
+session  [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session  required     pam_loginuid.so
+session  optional     pam_keyinit.so force revoke
+@include common-session
+session  optional     pam_motd.so  motd=/run/motd.dynamic
+session  optional     pam_motd.so noupdate # [1]
+session  required     pam_limits.so
+session  required     pam_env.so # [1]
+session  required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session  [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password