Showing with 280 additions and 2 deletions.
  1. +1 −0 README.md
  2. +63 −1 manifests/init.pp
  3. +183 −1 spec/classes/init_spec.rb
  4. +18 −0 templates/login.el7.erb
  5. +15 −0 templates/sshd.el7.erb
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -14,6 +14,7 @@ This module has been tested to work on the following systems using Puppet v3 wit

* EL 5
* EL 6
* EL 7
* Solaris 9
* Solaris 10
* Solaris 11
64 changes: 63 additions & 1 deletion manifests/init.pp
Expand Up @@ -184,8 +184,70 @@
'session required pam_unix.so']
}
}
'7': {
$default_pam_d_login_template = 'pam/login.el7.erb'
$default_pam_d_sshd_template = 'pam/sshd.el7.erb'
$default_package_name = 'pam'

if $ensure_vas == 'present' {
case $vas_major_version {
'4': {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass',
'auth requisite pam_vas3.so echo_return',
'auth sufficient pam_unix.so nullok try_first_pass use_first_pass',
'auth requisite pam_succeed_if.so uid >= 1000 quiet_success',
'auth required pam_deny.so']
}
default: {
fail("Pam is only supported with vas_major_version 4 on EL7. Your vas_major_version is <${vas_major_version}>.")
}
}

$default_pam_account_lines = [ 'account sufficient pam_vas3.so',
'account requisite pam_vas3.so echo_return',
'account required pam_unix.so',
'account sufficient pam_localuser.so',
'account sufficient pam_succeed_if.so uid < 1000 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=',
'password sufficient pam_vas3.so',
'password requisite pam_vas3.so echo_return',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'-session optional pam_systemd.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_vas3.so show_lockout_msg',
'session requisite pam_vas3.so echo_return',
'session required pam_unix.so']
} else {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_unix.so nullok try_first_pass',
'auth requisite pam_succeed_if.so uid >= 1000 quiet_success',
'auth required pam_deny.so']

$default_pam_account_lines = [ 'account required pam_unix.so',
'account sufficient pam_localuser.so',
'account sufficient pam_succeed_if.so uid < 1000 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'-session optional pam_systemd.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_unix.so']
}
}
default: {
fail("Pam is only supported on EL 5 and 6. Your lsbmajdistrelease is identified as <${::lsbmajdistrelease}>.")
fail("Pam is only supported on EL 5, 6 and 7. Your lsbmajdistrelease is identified as <${::lsbmajdistrelease}>.")
}
}
}
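Review bot: The EL7 password stack line `'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok'`, present in both the VAS branch and the non-VAS branch of the new `'7'` case, selects MD5-crypt for every password set through this stack. The surrounding EL7 lines follow the stock EL7 authconfig output (pam_pwquality, pam_systemd, the uid >= 1000 cut-off), and as far as I recall that output uses `sha512` on this line, so the `md5` token looks carried over from the EL 5/6 defaults rather than chosen for EL7. I would change both occurrences to `'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok'` and update the expected system-auth-ac content in spec/classes/init_spec.rb to match. The enclosing case statement on `$::lsbmajdistrelease` begins before this hunk.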
184 changes: 183 additions & 1 deletion spec/classes/init_spec.rb
Expand Up @@ -12,7 +12,7 @@
it 'should fail' do
expect {
should contain_class('pam')
}.to raise_error(Puppet::Error,/Pam is only supported on EL 5 and 6. Your lsbmajdistrelease is identified as <4>./)
}.to raise_error(Puppet::Error,/Pam is only supported on EL 5, 6 and 7. Your lsbmajdistrelease is identified as <4>./)
end
end

Expand Down Expand Up @@ -109,6 +109,21 @@
end
end

context 'with default params on osfamily RedHat with lsbmajdistrelease 7' do
let :facts do
{
:osfamily => 'RedHat',
:lsbmajdistrelease => '7',
}
end

it do
should contain_package('pam').with({
'ensure' => 'installed',
})
end
end

context 'with default params on osfamily Suse with lsbmajdistrelease 9' do
let :facts do
{
Expand Down Expand Up @@ -468,6 +483,122 @@
it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so/) }
end

context 'with default params on osfamily RedHat with lsbmajdistrelease 7' do
let :facts do
{
:osfamily => 'RedHat',
:lsbmajdistrelease => '7',
}
end

it {
should contain_file('pam_system_auth_ac').with({
'ensure' => 'file',
'path' => '/etc/pam.d/system-auth-ac',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}
it { should contain_file('pam_system_auth_ac').with_content("# This file is being maintained by Puppet.
# DO NOT EDIT
# Auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# Account
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# Password
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
# Session
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
")
}

it {
should contain_file('pam_system_auth').with({
'ensure' => 'symlink',
'path' => '/etc/pam.d/system-auth',
'owner' => 'root',
'group' => 'root',
})
}

it {
should contain_file('pam_d_login').with({
'ensure' => 'file',
'path' => '/etc/pam.d/login',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_d_login').with_content("#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
")
}

it {
should contain_file('pam_d_sshd').with({
'ensure' => 'file',
'path' => '/etc/pam.d/sshd',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_d_sshd').with_content("#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
")
}

it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so/) }
end

context 'with default params on Ubuntu 12.04 LTS' do
let :facts do
{
Expand Down Expand Up @@ -1147,6 +1278,36 @@
it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) }
end

context 'with ensure_vas=present and default vas_major_version (4) on osfamily RedHat with lsbmajdistrelease 7' do
let (:params) do
{
:ensure_vas => 'present',
}
end
let :facts do
{
:osfamily => 'RedHat',
:lsbmajdistrelease => '7',
}
end

it {
should contain_file('pam_system_auth_ac').with({
'ensure' => 'file',
'path' => '/etc/pam.d/system-auth-ac',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
})
}

it { should contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so/) }
it { should contain_file('pam_system_auth_ac').with_content(/account[\s]+sufficient[\s]+pam_vas3.so/) }
it { should contain_file('pam_system_auth_ac').with_content(/password[\s]+sufficient[\s]+pam_vas3.so/) }
it { should contain_file('pam_system_auth_ac').with_content(/session[\s]+required[\s]+pam_vas3.so/) }
it { should_not contain_file('pam_system_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) }
end

context 'with ensure_vas=present and vas_major_version=3 on osfamily RedHat with lsbmajdistrelease 5' do
let (:params) do
{
Expand Down Expand Up @@ -1722,5 +1883,26 @@
}.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 3 or 4/)
end
end

context 'with ensure_vas=present and unsupported vas_major_version on osfamily RedHat with lsbmajdistrelease 7' do
let (:params) do
{
:ensure_vas => 'present',
:vas_major_version => '3',
}
end
let :facts do
{
:osfamily => 'RedHat',
:lsbmajdistrelease => '7',
}
end

it 'should fail' do
expect {
should contain_class('pam')
}.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 4 on EL7/)
end
end
end
end
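--- /dev/null
+++ b/templates/login.el7.erb
@@ -0,0 +1,18 @@
+#%PAM-1.0
+auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
+auth substack system-auth
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+session include postlogin
+-session optional pam_ck_connector.so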
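Review bot: The new login template carries no managed-file marker, while the system-auth-ac content the spec expects opens with `# This file is being maintained by Puppet.` and `# DO NOT EDIT`; an administrator who edits /etc/pam.d/login by hand therefore gets no hint that Puppet will overwrite it. The same applies to templates/sshd.el7.erb in this commit. PAM ignores `#` comment lines, so inserting those two lines after `#%PAM-1.0` changes nothing at runtime; the literal expected content in spec/classes/init_spec.rb for `pam_d_login` and `pam_d_sshd` would need the same two lines added.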
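--- /dev/null
+++ b/templates/sshd.el7.erb
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth required pam_sepermit.so
+auth substack password-auth
+auth include postlogin
+account required pam_nologin.so
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session optional pam_keyinit.so force revoke
+session include password-auth
+session include postlogin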