8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -29,11 +29,19 @@ versions.
* Ubuntu 12.04 LTS
* Ubuntu 14.04 LTS
* Ubuntu 16.04 LTS
* Ubuntu 18.04 LTS
* Debian 7
* Debian 8

EL no longer requires the `redhat-lsb` package.

# SSSD

This module has been deployed in production along with
[sgnl05/sssd](https://github.com/sgnl05/sgnl05-sssd). Please see <a
href="examples/hiera/sssd/RedHat-6.yaml">examples/hiera/sssd/RedHat-6.yaml</a>
file for an example with the additional SSSD entries added via hiera.

===

# Parameters
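--- a/examples/hiera/sssd/RedHat-6.yaml
+++ b/examples/hiera/sssd/RedHat-6.yaml
@@ -0,0 +1,68 @@
+---
+## nsswitch configuration required for use with sssd
+nsswitch::passwd: 'files sss'
+nsswitch::shadow: 'files sss'
+nsswitch::group: 'files sss'
+nsswitch::services: 'files sss'
+nsswitch::netgroup: 'files sss'
+nsswitch::automount: 'files sss'
+
+# PAM Customized for use with sssd
+pam::pam_auth_lines:
+- '# Managed by Hiera key pam::pam_auth_lines'
+- 'auth required pam_env.so'
+- 'auth sufficient pam_fprintd.so'
+- 'auth sufficient pam_unix.so nullok try_first_pass'
+- 'auth requisite pam_succeed_if.so uid >= 500 quiet'
+- 'auth sufficient pam_sss.so use_first_pass'
+- 'auth required pam_deny.so'
+pam::pam_account_lines:
+- '# Managed by Hiera key pam::pam_account_lines'
+- 'account required pam_unix.so'
+- 'account sufficient pam_localuser.so'
+- 'account sufficient pam_succeed_if.so uid < 500 quiet'
+- 'account [default=bad success=ok user_unknown=ignore] pam_sss.so'
+- 'account required pam_permit.so'
+pam::pam_password_lines:
+- '# Managed by Hiera key pam::pam_password_lines'
+- 'password requisite pam_cracklib.so try_first_pass retry=3 type='
+- 'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
+- 'password sufficient pam_sss.so use_authtok'
+- 'password required pam_deny.so'
+pam::pam_session_lines:
+- '# Managed by Hiera key pam::pam_session_lines'
+- 'session optional pam_keyinit.so revoke'
+- 'session required pam_limits.so'
+- 'session optional pam_oddjob_mkhomedir.so umask=0077'
+- 'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
+- 'session required pam_unix.so'
+- 'session optional pam_sss.so'
+pam::pam_password_auth_lines:
+- '# Managed by Hiera key pam::pam_password_auth_lines'
+- 'auth required pam_env.so'
+- 'auth sufficient pam_unix.so nullok try_first_pass'
+- 'auth requisite pam_succeed_if.so uid >= 500 quiet'
+- 'auth sufficient pam_sss.so use_first_pass'
+- 'auth required pam_deny.so'
+pam::pam_password_account_lines:
+- '# Managed by Hiera key pam::pam_password_account_lines'
+- 'account required pam_unix.so'
+- 'account sufficient pam_localuser.so'
+- 'account sufficient pam_succeed_if.so uid < 500 quiet'
+- 'account [default=bad success=ok user_unknown=ignore] pam_sss.so'
+- 'account required pam_permit.so'
+pam::pam_password_password_lines:
+- '# Managed by Hiera key pam::pam_password_password_lines'
+- 'password requisite pam_cracklib.so try_first_pass retry=3 type='
+- 'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
+- 'password sufficient pam_sss.so use_authtok'
+- 'password required pam_deny.so'
+pam::pam_password_session_lines:
+- '# Managed by Hiera key pam::pam_password_session_lines'
+- 'session optional pam_keyinit.so revoke'
+- 'session required pam_limits.so'
+- 'session optional pam_oddjob_mkhomedir.so umask=0077'
+- 'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
+- 'session required pam_unix.so'
+- 'session optional pam_sss.so'
+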
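Review bot: `nullok` on the pam_unix auth line and on the pam_unix password line, repeated in the password_* stacks, lets a local account whose password field is empty log in and change its password without supplying a current one; this mirrors authconfig's RHEL 6 output, but an example presented as a production SSSD profile should either drop it or say why it is kept, e.g. `# nullok kept to match authconfig defaults; remove it to reject empty local passwords`. The `uid >= 500` / `uid < 500` thresholds are RHEL 6's local-user boundary, which the file name implies, but a one-line comment such as `# 500 is the RHEL 6 UID_MIN; RHEL 7 and later use 1000` would prevent a copy-paste onto a newer release from silently routing system accounts through SSSD.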
78 changes: 77 additions & 1 deletion manifests/init.pp
Expand Up @@ -908,8 +908,84 @@
]
}
}
'18.04': {
$default_pam_d_login_template = 'pam/login.ubuntu18.erb'
$default_pam_d_sshd_template = 'pam/sshd.ubuntu18.erb'
$default_package_name = 'libpam0g'
if $ensure_vas == 'present' {
if $vas_major_version == '3' {
fail("Pam is only supported with vas_major_version 4 on Ubuntu 18.04. Your vas_major_version is <${vas_major_version}>.")
}
$default_pam_auth_lines = [
'auth sufficient pam_vas3.so create_homedir get_nonvas_pass',
'auth requisite pam_vas3.so echo_return',
'auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass',
'auth requisite pam_deny.so',
'auth required pam_permit.so',
]
$default_pam_account_lines = [
'account sufficient pam_vas3.so',
'account requisite pam_vas3.so echo_return',
'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so',
'account requisite pam_deny.so',
'account required pam_permit.so',
]
$default_pam_password_lines = [
'password sufficient pam_vas3.so',
'password requisite pam_vas3.so echo_return',
'password [success=1 default=ignore] pam_unix.so obscure sha512',
'password requisite pam_deny.so',
'password required pam_permit.so',
]
$default_pam_session_lines = [
'session [default=1] pam_permit.so',
'session requisite pam_deny.so',
'session required pam_permit.so',
'session optional pam_umask.so',
'session required pam_vas3.so create_homedir',
'session requisite pam_vas3.so echo_return',
'session required pam_unix.so',
'session optional pam_systemd.so',
]
} else {
$default_pam_auth_lines = [
'auth [success=1 default=ignore] pam_unix.so nullok_secure',
'auth requisite pam_deny.so',
'auth required pam_permit.so',
'auth required pam_cap.so',
]
$default_pam_account_lines = [
'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so',
'account requisite pam_deny.so',
'account required pam_permit.so',
]
$default_pam_password_lines = [
'password [success=1 default=ignore] pam_unix.so obscure sha512',
'password requisite pam_deny.so',
'password required pam_permit.so',
]
$default_pam_session_lines = [
'session [default=1] pam_permit.so',
'session requisite pam_deny.so',
'session required pam_permit.so',
'session optional pam_umask.so',
'session required pam_unix.so',
'session optional pam_systemd.so',
]
}
}
default: {
fail("Pam is only supported on Ubuntu 12.04, 14.04 and 16.04. Your lsbdistrelease is identified as <${::lsbdistrelease}>.")
fail("Pam is only supported on Ubuntu 12.04, 14.04, 16.04 and 18.04. Your lsbdistrelease is identified as <${::lsbdistrelease}>.")
}
}
}
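Review bot: The non-VAS 18.04 auth stack ends with `auth required pam_cap.so`, while the fixture pam_common_auth.defaults.ubuntu1804 added in this same commit stops at pam_permit.so, so either the spec comparison or the rendered hunk is out of step and should be reconciled; Ubuntu's stock common-auth lists pam_cap.so as `optional`, and with `required` a host where libpam-cap is missing would fail every authentication instead of ignoring the module, so `'auth optional pam_cap.so',` is the safer default. The VAS guard at the top of the branch only rejects `$vas_major_version == '3'` although its message promises that only version 4 is supported; `if $vas_major_version != '4'` would make the check match the message. The enclosing case statement starts and ends outside this hunk.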
3 changes: 2 additions & 1 deletion metadata.json
Expand Up @@ -91,7 +91,8 @@
"operatingsystemrelease": [
"12.04",
"14.04",
"16.04"
"16.04",
"18.04"
]
}
],
15 changes: 13 additions & 2 deletions spec/classes/init_spec.rb
Expand Up @@ -162,6 +162,17 @@
:types => ['auth', 'account', 'password', 'session', 'noninteractive_session' ],
}, ],
},
'ubuntu1804' =>
{ :osfamily => 'Debian',
:lsbdistid => 'Ubuntu',
:release => '18.04',
:releasetype => 'lsbdistrelease',
:packages => [ 'libpam0g', ],
:files => [
{ :prefix => 'pam_common_',
:types => ['auth', 'account', 'password', 'session', 'noninteractive_session' ],
}, ],
},
'debian7' =>
{ :osfamily => 'Debian',
:lsbdistid => 'Debian',
Expand Down Expand Up @@ -373,7 +384,7 @@
next
end

if check == 'vas' and v[:osfamily] == 'Debian' and v[:release] == '18.04'
if check == 'vas' and v[:osfamily] == 'Debian' and v[:release] == '20.04'
it 'should fail' do
expect {
should contain_class('pam')
Expand Down Expand Up @@ -695,7 +706,7 @@
end
end

if v[:osfamily] == 'Debian' and v[:lsbdistid] == 'Ubuntu' and v[:release] == '16.04'
if v[:osfamily] == 'Debian' and v[:lsbdistid] == 'Ubuntu' and v[:release] == '20.04'
it 'should fail' do
expect {
should contain_class('pam')
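Review bot: Both `should fail` expectations are now keyed to `v[:release] == '20.04'`, but no '20.04' entry appears in the platform matrix visible in this section, so unless one exists elsewhere in the spec those blocks never execute and the new `fail` paths in init.pp (unsupported Ubuntu release, and VAS 3 on 18.04) are left untested. Adding an `'ubuntu2004'` matrix entry, or a dedicated example that sets `:lsbdistrelease => '20.04'`, would restore coverage of the unsupported-release path; the VAS check needs its own example with `:vas_major_version => '3'` on the ubuntu1804 facts, since the 18.04 VAS fixtures now expect success. The describe loop these conditions sit in starts and ends outside the hunk.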
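--- a/spec/fixtures/pam_common_account.defaults.ubuntu1804
+++ b/spec/fixtures/pam_common_account.defaults.ubuntu1804
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so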
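--- a/spec/fixtures/pam_common_account.vas.ubuntu1804
+++ b/spec/fixtures/pam_common_account.vas.ubuntu1804
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account sufficient pam_vas3.so
+account requisite pam_vas3.so echo_return
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so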
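--- a/spec/fixtures/pam_common_auth.defaults.ubuntu1804
+++ b/spec/fixtures/pam_common_auth.defaults.ubuntu1804
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+auth requisite pam_deny.so
+auth required pam_permit.so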
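--- a/spec/fixtures/pam_common_auth.vas.ubuntu1804
+++ b/spec/fixtures/pam_common_auth.vas.ubuntu1804
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth sufficient pam_vas3.so create_homedir get_nonvas_pass
+auth requisite pam_vas3.so echo_return
+auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass
+auth requisite pam_deny.so
+auth required pam_permit.so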
@@ -0,0 +1,8 @@
# This file is being maintained by Puppet.
# DO NOT EDIT
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
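--- a/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1804
+++ b/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1804
@@ -0,0 +1,10 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required pam_unix.so
+session optional pam_systemd.so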
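--- a/spec/fixtures/pam_common_password.defaults.ubuntu1804
+++ b/spec/fixtures/pam_common_password.defaults.ubuntu1804
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password requisite pam_deny.so
+password required pam_permit.so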
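--- a/spec/fixtures/pam_common_password.vas.ubuntu1804
+++ b/spec/fixtures/pam_common_password.vas.ubuntu1804
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password sufficient pam_vas3.so
+password requisite pam_vas3.so echo_return
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password requisite pam_deny.so
+password required pam_permit.so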
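--- a/spec/fixtures/pam_common_session.defaults.ubuntu1804
+++ b/spec/fixtures/pam_common_session.defaults.ubuntu1804
@@ -0,0 +1,8 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
+session optional pam_systemd.so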
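--- a/spec/fixtures/pam_common_session.vas.ubuntu1804
+++ b/spec/fixtures/pam_common_session.vas.ubuntu1804
@@ -0,0 +1,10 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required pam_unix.so
+session optional pam_systemd.so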
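--- a/spec/fixtures/pam_d_login.defaults.ubuntu1804
+++ b/spec/fixtures/pam_d_login.defaults.ubuntu1804
@@ -0,0 +1,19 @@
+auth optional pam_faildelay.so delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard
+session optional pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password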
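--- a/spec/fixtures/pam_d_sshd.defaults.ubuntu1804
+++ b/spec/fixtures/pam_d_sshd.defaults.ubuntu1804
@@ -0,0 +1,15 @@
+@include common-auth
+account required pam_nologin.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard noenv # [1]
+session required pam_limits.so
+session required pam_env.so # [1]
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+@include common-password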
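--- a/templates/login.ubuntu18.erb
+++ b/templates/login.ubuntu18.erb
@@ -0,0 +1,19 @@
+auth optional pam_faildelay.so delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard
+session optional pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password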
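--- a/templates/sshd.ubuntu18.erb
+++ b/templates/sshd.ubuntu18.erb
@@ -0,0 +1,17 @@
+@include common-auth
+account required pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account <%= @sshd_pam_access %> pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard noenv # [1]
+session required pam_limits.so
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+@include common-password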
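Review bot: The fixture pam_d_sshd.defaults.ubuntu1804 added in this commit lists `session required pam_env.so # [1]` immediately before the `user_readenv=1` line, but this template has no such line, so the rendered file would not match what the spec expects unless a line was lost in the rendering of this page; confirm the template and fixture agree. `session required pam_env.so user_readenv=1 envfile=/etc/default/locale` is the stock Ubuntu 18.04 sshd entry, but `user_readenv=1` lets every user inject environment variables into their SSH sessions from ~/.pam_environment, something pam_env's own documentation describes as a security risk and that later Linux-PAM releases reportedly deprecated; a comment such as `# user_readenv=1 kept to match the Ubuntu 18.04 default; consider 0 on hardened hosts` would help operators who tighten sshd, or the flag could be made a parameter. The rest of the file is a plain copy of the distribution's /etc/pam.d/sshd apart from the pam_access hook, which is only emitted when `@sshd_pam_access` is not `'absent'`.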