12 changes: 12 additions & 0 deletions .travis.yml
@@ -60,6 +60,18 @@ matrix:
env: BEAKER_set="debian-8" BEAKER_PUPPET_COLLECTION=puppet6
bundler_args:
script: bundle exec rake beaker
- rvm: 2.4.4
sudo: required
services: docker
env: BEAKER_set="debian-9" BEAKER_PUPPET_COLLECTION=puppet5
bundler_args:
script: bundle exec rake beaker
- rvm: 2.5.1
sudo: required
services: docker
env: BEAKER_set="debian-9" BEAKER_PUPPET_COLLECTION=puppet6
bundler_args:
script: bundle exec rake beaker
- rvm: 2.4.4
sudo: required
services: docker
20 changes: 19 additions & 1 deletion CHANGELOG.md
@@ -1,7 +1,25 @@
# Change Log

## [v3.1.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.1.0)
## [v3.2.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.2.0)

[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.1.0...v3.2.0)

**Implemented enhancements:**

- Debian9 [\#206](https://github.com/ghoneycutt/puppet-module-pam/pull/206) ([ghoneycutt](https://github.com/ghoneycutt))

**Closed issues:**

- Add support for Ubuntu 18.04 [\#195](https://github.com/ghoneycutt/puppet-module-pam/issues/195)
- allowed\_users ordering [\#184](https://github.com/ghoneycutt/puppet-module-pam/issues/184)
- New Use-Case: Preserving file changes from authconfig [\#183](https://github.com/ghoneycutt/puppet-module-pam/issues/183)
- CentOS 7: password-auth-ac changed incorrectly [\#166](https://github.com/ghoneycutt/puppet-module-pam/issues/166)

**Merged pull requests:**

- Use SHA512 instead of md5 for for passwords on EL6 and EL7 [\#196](https://github.com/ghoneycutt/puppet-module-pam/pull/196) ([synaptis](https://github.com/synaptis))

## [v3.1.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.1.0) (2019-01-15)
[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.0.0...v3.1.0)

**Closed issues:**
1 change: 1 addition & 0 deletions README.md
@@ -186,6 +186,7 @@ module aims to support the current and previous major Puppet versions.
* Ubuntu 18.04 LTS
* Debian 7
* Debian 8
* Debian 9

## Development

7 changes: 7 additions & 0 deletions Vagrantfile
@@ -43,6 +43,13 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
c.vm.provision :shell, :inline => "puppet apply /vagrant/tests/init.pp"
end

config.vm.define "debian9-pam", autostart: false do |c|
c.vm.box = "debian/stretch64"
c.vm.hostname = 'debian9-pam.example.com'
c.vm.provision :shell, :path => "tests/provision_basic_debian.sh"
c.vm.provision :shell, :inline => "puppet apply /vagrant/tests/init.pp"
end

config.vm.define "ubuntu1604-pam", autostart: false do |c|
c.vm.box = "ubuntu/xenial64"
c.vm.hostname = 'ubuntu1604-pam.example.com'
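--- a/data/os/Debian/9.yaml
+++ b/data/os/Debian/9.yaml
@@ -0,0 +1,33 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix: ~
+pam::common_files:
+- common_account
+- common_auth
+- common_password
+- common_session
+- common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.debian9.erb
+pam::pam_d_sshd_template: pam/sshd.debian9.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+- 'auth [success=1 default=ignore] pam_unix.so nullok_secure'
+- 'auth requisite pam_deny.so'
+- 'auth required pam_permit.so'
+- 'auth optional pam_cap.so'
+pam::pam_account_lines:
+- 'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so'
+- 'account requisite pam_deny.so'
+- 'account required pam_permit.so'
+pam::pam_password_lines:
+- 'password [success=1 default=ignore] pam_unix.so obscure sha512'
+- 'password requisite pam_deny.so'
+- 'password required pam_permit.so'
+pam::pam_session_lines:
+- 'session [default=1] pam_permit.so'
+- 'session requisite pam_deny.so'
+- 'session required pam_permit.so'
+- 'session required pam_unix.so'
+- 'session required pam_unix.so'
+- 'session optional pam_systemd.so'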
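Review bot: `pam::pam_session_lines` lists `'session required pam_unix.so'` twice in a row, and the same duplicate is carried into spec/fixtures/pam_common_session.defaults.debian9 and the fixture section that follows it, so the specs pass while the rendered common-session calls pam_unix twice. This looks like a copy-paste slip; compare against a stock Debian 9 `/etc/pam.d/common-session` and drop or correct one entry in the data and in both fixtures. Separately, the auth line keeps `nullok_secure`, which lets accounts with an empty password authenticate on terminals listed in /etc/securetty. A comment above `pam::pam_auth_lines` would make that default visible to operators, for example `# nullok_secure: empty passwords are accepted on securetty terminals; override this line to disallow them`.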
4 changes: 2 additions & 2 deletions data/os/RedHat/6.yaml
@@ -26,7 +26,7 @@ pam::pam_account_lines:
- 'account required pam_permit.so'
pam::pam_password_lines:
- 'password requisite pam_cracklib.so try_first_pass retry=3 type='
- 'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok'
- 'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
- 'password required pam_deny.so'
pam::pam_session_lines:
- 'session optional pam_keyinit.so revoke'
@@ -40,7 +40,7 @@ pam::pam_password_account_lines:
- 'account required pam_permit.so'
pam::pam_password_password_lines:
- 'password requisite pam_cracklib.so try_first_pass retry=3 type='
- 'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok'
- 'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
- 'password required pam_deny.so'
pam::pam_password_session_lines:
- 'session optional pam_keyinit.so revoke'
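Review bot: The move from `md5` to `sha512` on the `pam_unix.so` password lines only affects hashes written after the change, and nothing in the data file says so; MD5 hashes already in /etc/shadow stay until each user next changes their password. A comment above the changed line in both hunks here, and at the same change in data/os/RedHat/7.yaml, would help operators plan a forced password change: `# sha512 applies to newly set passwords only; existing md5 hashes remain until the password is changed`. The same lines keep `nullok`, which deserves a deliberate decision rather than an inherited default. Both key lists start and end outside the hunks shown.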
2 changes: 1 addition & 1 deletion data/os/RedHat/7.yaml
@@ -41,7 +41,7 @@ pam::pam_password_account_lines:
- 'account required pam_permit.so'
pam::pam_password_password_lines:
- 'password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type='
- 'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok'
- 'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
- 'password required pam_deny.so'
pam::pam_password_session_lines:
- 'session optional pam_keyinit.so revoke'
4 changes: 2 additions & 2 deletions manifests/init.pp
@@ -247,8 +247,8 @@
fail("osfamily Solaris' kernelrelease is <${facts['kernelrelease']}> and must be 5.9, 5.10 or 5.11")
} elsif $facts['os']['family'] == 'Suse' and !($facts['os']['release']['major'] in ['9','10','11','12','13']) {
fail("osfamily Suse's os.release.major is <${::facts['os']['release']['major']}> and must be 9, 10, 11, 12 or 13")
} elsif $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8']) {
fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7 or 8")
} elsif $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9']) {
fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8 or 9")
} elsif $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04']) {
fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, or 18.04")
}
5 changes: 3 additions & 2 deletions metadata.json
@@ -1,6 +1,6 @@
{
"name": "ghoneycutt-pam",
"version": "3.1.0",
"version": "3.2.0",
"author": "ghoneycutt",
"summary": "Manage PAM",
"description": "Manages PAM, including specifying users and groups in access.conf, limits.conf, and limits fragments",
@@ -19,7 +19,8 @@
"operatingsystem": "Debian",
"operatingsystemrelease": [
"7",
"8"
"8",
"9"
]
},
{
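--- a/spec/acceptance/nodesets/debian-9.yml
+++ b/spec/acceptance/nodesets/debian-9.yml
@@ -0,0 +1,24 @@
+HOSTS:
+debian9:
+roles:
+- agent
+platform: debian-9-amd64
+hypervisor: docker
+image: debian:9
+docker_preserve_image: true
+docker_cmd:
+- '/sbin/init'
+docker_image_commands:
+- 'apt-get install -y wget net-tools systemd-sysv locales'
+- 'rm -f /usr/sbin/policy-rc.d'
+- 'echo "LC_ALL=en_US.UTF-8" >> /etc/environment'
+- 'echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen'
+- 'echo "LANG=en_US.UTF-8" > /etc/locale.conf'
+- 'locale-gen en_US.UTF-8'
+docker_container_name: 'pam-debian9'
+CONFIG:
+log_level: debug
+type: foss
+ssh:
+password: root
+auth_methods: ["password"]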
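Review bot: The `ssh` block sets `password: root` with `auth_methods: ["password"]`, so the acceptance container accepts root login with a guessable password; that is tolerable only while the container is a throwaway reachable from the CI host alone. A comment above `ssh:` would record that intent: `# test-only credential for the disposable Beaker container; never reuse it or expose the SSH port`. `image: debian:9` is also a mutable tag, so test runs are not reproducible across image updates; pinning to a digest would fix that if the Beaker docker hypervisor accepts one, which needs confirming.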
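--- a/spec/fixtures/pam_common_account.defaults.debian9
+++ b/spec/fixtures/pam_common_account.defaults.debian9
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so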
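--- a/spec/fixtures/pam_common_auth.defaults.debian9
+++ b/spec/fixtures/pam_common_auth.defaults.debian9
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+auth requisite pam_deny.so
+auth required pam_permit.so
+auth optional pam_cap.so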
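--- a/spec/fixtures/pam_common_password.defaults.debian9
+++ b/spec/fixtures/pam_common_password.defaults.debian9
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password requisite pam_deny.so
+password required pam_permit.so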
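--- a/spec/fixtures/pam_common_session.defaults.debian9
+++ b/spec/fixtures/pam_common_session.defaults.debian9
@@ -0,0 +1,8 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session required pam_unix.so
+session required pam_unix.so
+session optional pam_systemd.so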
@@ -0,0 +1,8 @@
# This file is being maintained by Puppet.
# DO NOT EDIT
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session required pam_unix.so
session optional pam_systemd.so
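--- a/spec/fixtures/pam_d_login.defaults.debian9
+++ b/spec/fixtures/pam_d_login.defaults.debian9
@@ -0,0 +1,19 @@
+auth optional pam_faildelay.so delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard
+session optional pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password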
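--- a/spec/fixtures/pam_d_sshd.defaults.debian9
+++ b/spec/fixtures/pam_d_sshd.defaults.debian9
@@ -0,0 +1,13 @@
+@include common-auth
+account required pam_nologin.so
+account required pam_access.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session required pam_limits.so
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open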
2 changes: 1 addition & 1 deletion spec/fixtures/pam_password_auth_ac.defaults.el6
@@ -15,7 +15,7 @@ account required pam_permit.so

# Password
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

# Session
2 changes: 1 addition & 1 deletion spec/fixtures/pam_password_auth_ac.defaults.el7
@@ -15,7 +15,7 @@ account required pam_permit.so

# Password
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

# Session
2 changes: 1 addition & 1 deletion spec/fixtures/pam_system_auth_ac.defaults.el6
@@ -15,7 +15,7 @@ account required pam_permit.so

# Password
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

# Session
21 changes: 21 additions & 0 deletions spec/spec_helper.rb
@@ -402,6 +402,27 @@ def platforms
{ :prefix => 'pam_common_',
:types => ['auth', 'account', 'password', 'session', 'session_noninteractive' ],
}, ],
},
'debian9' =>
{
:facts_hash => {
:osfamily => 'Debian',
:operatingsystem => 'Debian',
:os => {
'name' => 'Debian',
'family' => 'Debian',
'release' => {
'full' => '9.0',
'major' => '9',
'minor' => '0'
},
},
},
:packages => [ 'libpam0g', ],
:files => [
{ :prefix => 'pam_common_',
:types => ['auth', 'account', 'password', 'session', 'session_noninteractive' ],
}, ],
}
}
end
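--- a/templates/login.debian9.erb
+++ b/templates/login.debian9.erb
@@ -0,0 +1,19 @@
+auth optional pam_faildelay.so delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard
+session optional pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password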
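--- a/templates/sshd.debian9.erb
+++ b/templates/sshd.debian9.erb
@@ -0,0 +1,15 @@
+@include common-auth
+account required pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account <%= @sshd_pam_access %> pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session required pam_limits.so
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open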
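Review bot: `pam_env.so user_readenv=1` makes sshd sessions read `~/.pam_environment`, a file the logging-in user controls, and the template hard-codes it with no parameter to turn it off. It appears to mirror the distribution default, but a module that manages PAM centrally should at least document it with an ERB comment above that line, e.g. `<%# user_readenv=1 reads ~/.pam_environment (user-controlled); set to 0 where that is not wanted -%>`. `@sshd_pam_access` is also written into the control field as-is; that is safe only if the manifest restricts it to valid PAM control values, which is not visible in this section.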