diff --git a/.travis.yml b/.travis.yml
@@ -128,6 +128,14 @@ matrix:
     env: BEAKER_set="ubuntu-1804" BEAKER_PUPPET_COLLECTION=puppet6
     bundler_args:
     script: bundle exec rake beaker
+  # puppet5 packages are not provided for Ubuntu 20.04, so this
+  # OS is not tested with puppet5
+  - rvm: 2.5.1
+    sudo: required
+    services: docker
+    env: BEAKER_set="ubuntu-2004" BEAKER_PUPPET_COLLECTION=puppet6
+    bundler_args:
+    script: bundle exec rake beaker
 
 notifications:
   email: false
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## [v3.7.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.7.0) (2020-11-17)
+
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.6.0...v3.7.0)
+
+**Merged pull requests:**
+
+- Ubuntu 20.04 [\#225](https://github.com/ghoneycutt/puppet-module-pam/pull/225) ([amateo](https://github.com/amateo))
+
 ## [v3.6.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.6.0) (2020-11-09)
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.5.0...v3.6.0)
@@ -20,17 +28,24 @@
 
 ## [v3.5.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.5.0) (2020-03-07)
 
-[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.4.0...v3.5.0)
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.35.0...v3.5.0)
 
 **Closed issues:**
 
 - Support for Debian 10 [\#218](https://github.com/ghoneycutt/puppet-module-pam/issues/218)
-- RHEL8 support [\#211](https://github.com/ghoneycutt/puppet-module-pam/issues/211)
 
 **Merged pull requests:**
 
 - Add support for Debian 10 [\#217](https://github.com/ghoneycutt/puppet-module-pam/pull/217) ([thechristschn](https://github.com/thechristschn))
 
+## [v2.35.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.35.0) (2019-11-25)
+
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.4.0...v2.35.0)
+
+**Closed issues:**
+
+- RHEL8 support [\#211](https://github.com/ghoneycutt/puppet-module-pam/issues/211)
+
 ## [v3.4.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.4.0) (2019-11-24)
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.3.1...v3.4.0)
@@ -114,16 +129,7 @@
 
 ## [v3.0.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.0.0) (2018-11-09)
 
-[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.33.0...v3.0.0)
-
-**Closed issues:**
-
-- Add support for Debian 9 [\#187](https://github.com/ghoneycutt/puppet-module-pam/issues/187)
-- /etc/pam.d/passwd for RHEL 7 or is there a way to include a custom file path ? [\#180](https://github.com/ghoneycutt/puppet-module-pam/issues/180)
-- By default users are not restricted per ssh. [\#157](https://github.com/ghoneycutt/puppet-module-pam/issues/157)
-- \[Feature\] - Ability to add options for pam\_access lines added [\#156](https://github.com/ghoneycutt/puppet-module-pam/issues/156)
-- pam::allowed\_users removes user from multiple files, and only adds back to access\_conf [\#154](https://github.com/ghoneycutt/puppet-module-pam/issues/154)
-- Unwanted 'deny all' in allowed\_users [\#131](https://github.com/ghoneycutt/puppet-module-pam/issues/131)
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/2.34.0...v3.0.0)
 
 **Merged pull requests:**
 
@@ -138,14 +144,34 @@
 - Use Hiera 5 module data [\#170](https://github.com/ghoneycutt/puppet-module-pam/pull/170) ([treydock](https://github.com/treydock))
 - Remove VAS logic and create examples that show old behavior [\#169](https://github.com/ghoneycutt/puppet-module-pam/pull/169) ([treydock](https://github.com/treydock))
 
+## [2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/2.34.0) (2018-09-18)
+
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.34.0...2.34.0)
+
+## [v2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.34.0) (2018-09-18)
+
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.33.0...v2.34.0)
+
+**Closed issues:**
+
+- Add support for Debian 9 [\#187](https://github.com/ghoneycutt/puppet-module-pam/issues/187)
+- /etc/pam.d/passwd for RHEL 7 or is there a way to include a custom file path ? [\#180](https://github.com/ghoneycutt/puppet-module-pam/issues/180)
+- By default users are not restricted per ssh. [\#157](https://github.com/ghoneycutt/puppet-module-pam/issues/157)
+- \[Feature\] - Ability to add options for pam\_access lines added [\#156](https://github.com/ghoneycutt/puppet-module-pam/issues/156)
+- pam::allowed\_users removes user from multiple files, and only adds back to access\_conf [\#154](https://github.com/ghoneycutt/puppet-module-pam/issues/154)
+- Unwanted 'deny all' in allowed\_users [\#131](https://github.com/ghoneycutt/puppet-module-pam/issues/131)
+
+**Merged pull requests:**
+
+- Add example SSSD integration using hiera [\#143](https://github.com/ghoneycutt/puppet-module-pam/pull/143) ([jeffmccune](https://github.com/jeffmccune))
+
 ## [v2.33.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.33.0) (2017-04-20)
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.32.0...v2.33.0)
 
 **Merged pull requests:**
 
 - Restrict users by default per SSH on Debian and Ubuntu distros. [\#160](https://github.com/ghoneycutt/puppet-module-pam/pull/160) ([fbarbeira](https://github.com/fbarbeira))
-- Add example SSSD integration using hiera [\#143](https://github.com/ghoneycutt/puppet-module-pam/pull/143) ([jeffmccune](https://github.com/jeffmccune))
 
 ## [v2.32.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.32.0) (2017-04-07)
 
@@ -226,7 +252,6 @@
 
 - Added more general support for Debian 8 [\#139](https://github.com/ghoneycutt/puppet-module-pam/pull/139) ([ghoneycutt](https://github.com/ghoneycutt))
 - Fix travis [\#138](https://github.com/ghoneycutt/puppet-module-pam/pull/138) ([ghoneycutt](https://github.com/ghoneycutt))
-- Future parser and v4 [\#124](https://github.com/ghoneycutt/puppet-module-pam/pull/124) ([ghoneycutt](https://github.com/ghoneycutt))
 
 ## [v2.24.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.24.0) (2016-06-15)
 
@@ -251,6 +276,7 @@
 **Merged pull requests:**
 
 - Satisfy strict variables test [\#130](https://github.com/ghoneycutt/puppet-module-pam/pull/130) ([Phil-Friderici](https://github.com/Phil-Friderici))
+- El6 password auth support [\#129](https://github.com/ghoneycutt/puppet-module-pam/pull/129) ([ghoneycutt](https://github.com/ghoneycutt))
 
 ## [v2.21.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.21.0) (2016-01-12)
 
@@ -260,6 +286,10 @@
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v1.3.0...v2.20.0)
 
+**Merged pull requests:**
+
+- Future parser and v4 [\#124](https://github.com/ghoneycutt/puppet-module-pam/pull/124) ([ghoneycutt](https://github.com/ghoneycutt))
+
 ## [v2.19.1](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.19.1) (2015-06-09)
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.19.0...v2.19.1)
@@ -270,7 +300,6 @@
 
 **Merged pull requests:**
 
-- El6 password auth support [\#129](https://github.com/ghoneycutt/puppet-module-pam/pull/129) ([ghoneycutt](https://github.com/ghoneycutt))
 - Suse12: Add systemd and pam\_envd to common session [\#111](https://github.com/ghoneycutt/puppet-module-pam/pull/111) ([anders-larsson](https://github.com/anders-larsson))
 
 ## [v2.19.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.19.0) (2015-04-15)
@@ -288,7 +317,6 @@
 **Merged pull requests:**
 
 - Make pam::service resources reversible [\#103](https://github.com/ghoneycutt/puppet-module-pam/pull/103) ([ghoneycutt](https://github.com/ghoneycutt))
-- Add SLES10.x support [\#96](https://github.com/ghoneycutt/puppet-module-pam/pull/96) ([propyless](https://github.com/propyless))
 
 ## [v2.17.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.17.0) (2015-04-02)
 
@@ -324,6 +352,10 @@
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.13.0...v2.14.0)
 
+**Merged pull requests:**
+
+- Add SLES10.x support [\#96](https://github.com/ghoneycutt/puppet-module-pam/pull/96) ([propyless](https://github.com/propyless))
+
 ## [v2.13.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.13.0) (2015-01-28)
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.12.0...v2.13.0)

diff --git a/Gemfile b/Gemfile
@@ -25,18 +25,14 @@ gem 'puppet-lint-undef_in_function-check',              :require => false
 gem 'puppet-lint-unquoted_string-check',                :require => false
 gem 'puppet-lint-variable_contains_upcase',             :require => false
 
-group :documentation do
-  gem 'puppet-strings', require: false
-  gem 'redcarpet',      require: false
-  gem 'yard',           require: false
-end
+gem 'puppet-strings', require: false
+gem 'redcarpet',      require: false
+gem 'yard',           require: false
 
-group :system_tests do
-  gem 'beaker',                       :require => false
-  gem 'beaker-docker',                :require => false
-  gem 'beaker-module_install_helper', :require => false
-  gem 'beaker-puppet',                :require => false
-  gem 'beaker-puppet_install_helper', :require => false
-  gem 'beaker-rspec',                 :require => false
-  gem 'serverspec',                   :require => false
-end
+gem 'beaker',                       :require => false
+gem 'beaker-docker',                :require => false
+gem 'beaker-module_install_helper', :require => false
+gem 'beaker-puppet',                :require => false
+gem 'beaker-puppet_install_helper', :require => false
+gem 'beaker-rspec',                 :require => false
+gem 'serverspec',                   :require => false
diff --git a/LICENSE b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (C) 2010-2019 Garrett Honeycutt <code@garretthoneycutt.com>
+Copyright (C) 2010-2020 Garrett Honeycutt <code@garretthoneycutt.com>
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

diff --git a/README.md b/README.md
@@ -178,6 +178,7 @@ module aims to support the current and previous major Puppet versions.
  * Ubuntu 14.04 LTS
  * Ubuntu 16.04 LTS
  * Ubuntu 18.04 LTS
+ * Ubuntu 20.04 LTS
 
 ### May work
 

diff --git a/data/os/Ubuntu/20.04.yaml b/data/os/Ubuntu/20.04.yaml
@@ -0,0 +1,33 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+  - common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.ubuntu20.erb
+pam::pam_d_sshd_template: pam/sshd.ubuntu20.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+  - 'auth  [success=1 default=ignore]  pam_unix.so nullok_secure'
+  - 'auth  requisite     pam_deny.so'
+  - 'auth  required      pam_permit.so'
+  - 'auth  optional      pam_cap.so'
+pam::pam_account_lines:
+  - 'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so'
+  - 'account requisite     pam_deny.so'
+  - 'account required      pam_permit.so'
+pam::pam_password_lines:
+  - 'password  [success=1 default=ignore]  pam_unix.so obscure sha512'
+  - 'password  requisite     pam_deny.so'
+  - 'password  required      pam_permit.so'
+pam::pam_session_lines:
+  - 'session [default=1]   pam_permit.so'
+  - 'session requisite     pam_deny.so'
+  - 'session required      pam_permit.so'
+  - 'session optional      pam_umask.so'
+  - 'session required      pam_unix.so'
+  - 'session optional      pam_systemd.so'
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -240,17 +240,26 @@
   Optional[String] $common_files_suffix                     = undef,
 ) {
 
+
   # Fail on unsupported platforms
   if $facts['os']['family'] == 'RedHat' and !($facts['os']['release']['major'] in ['5','6','7','8']) {
     fail("osfamily RedHat's os.release.major is <${::facts['os']['release']['major']}> and must be 5, 6, 7 or 8")
-  } elsif $facts['os']['family'] == 'Solaris' and !($facts['kernelrelease'] in ['5.9','5.10','5.11']) {
+  }
+
+  if $facts['os']['family'] == 'Solaris' and !($facts['kernelrelease'] in ['5.9','5.10','5.11']) {
     fail("osfamily Solaris' kernelrelease is <${facts['kernelrelease']}> and must be 5.9, 5.10 or 5.11")
-  } elsif $facts['os']['family'] == 'Suse' and !($facts['os']['release']['major'] in ['9','10','11','12','13','15']) {
+  }
+
+  if $facts['os']['family'] == 'Suse' and !($facts['os']['release']['major'] in ['9','10','11','12','13','15']) {
     fail("osfamily Suse's os.release.major is <${::facts['os']['release']['major']}> and must be 9, 10, 11, 12, 13 or 15")
-  } elsif $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10']) {
+  }
+
+  if $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10']) {
     fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9 or 10")
-  } elsif $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04']) {
-    fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, or 18.04")
+  }
+
+  if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04']) {
+    fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, 18.04 or 20.04")
   }
 
   if $pam_d_sshd_template == 'pam/sshd.custom.erb' {
@@ -265,7 +274,7 @@
       $pam_sshd_account_lines or
       $pam_sshd_password_lines or
       $pam_sshd_session_lines {
-        fail('pam_sshd_[auth|account|password|session]_lines are only valid when pam_d_sshd_template is configured with the pam/sshd.custom.erb template')
+        fail('pam_sshd_[auth|account|password|session]_lines are only valid when pam_d_sshd_template is configured with the pam/sshd.custom.erb template') # lint:ignore:140chars
     }
   }
 

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-pam",
-  "version": "3.6.0",
+  "version": "3.7.0",
   "author": "ghoneycutt",
   "summary": "Manage PAM",
   "description": "Manages PAM, including specifying users and groups in access.conf, limits.conf, and limits fragments",
@@ -100,7 +100,8 @@
         "12.04",
         "14.04",
         "16.04",
-        "18.04"
+        "18.04",
+        "20.04"
       ]
     }
   ],

diff --git a/spec/acceptance/nodesets/ubuntu-2004.yml b/spec/acceptance/nodesets/ubuntu-2004.yml
@@ -0,0 +1,19 @@
+HOSTS:
+  ubuntu2004:
+    roles:
+      - agent
+    platform: ubuntu-20.04-amd64
+    hypervisor : docker
+    image: ubuntu:20.04
+    docker_preserve_image: true
+    docker_cmd: '["/sbin/init"]'
+    docker_image_commands:
+      - 'apt-get install -y -q net-tools wget locales'
+      - 'locale-gen en_US.UTF-8'
+    docker_container_name: 'pam-ubuntu2004'
+CONFIG:
+  type: foss
+  log_level: debug
+ssh:
+  password: root
+  auth_methods: ["password"]
diff --git a/spec/fixtures/pam_common_account.defaults.ubuntu2004 b/spec/fixtures/pam_common_account.defaults.ubuntu2004
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
+account requisite     pam_deny.so
+account required      pam_permit.so
diff --git a/spec/fixtures/pam_common_auth.defaults.ubuntu2004 b/spec/fixtures/pam_common_auth.defaults.ubuntu2004
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth  [success=1 default=ignore]  pam_unix.so nullok_secure
+auth  requisite     pam_deny.so
+auth  required      pam_permit.so
+auth  optional      pam_cap.so
diff --git a/spec/fixtures/pam_common_password.defaults.ubuntu2004 b/spec/fixtures/pam_common_password.defaults.ubuntu2004
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password  [success=1 default=ignore]  pam_unix.so obscure sha512
+password  requisite     pam_deny.so
+password  required      pam_permit.so
diff --git a/spec/fixtures/pam_common_session.defaults.ubuntu2004 b/spec/fixtures/pam_common_session.defaults.ubuntu2004
@@ -0,0 +1,8 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session optional      pam_umask.so
+session required      pam_unix.so
+session optional      pam_systemd.so
diff --git a/spec/fixtures/pam_common_session_noninteractive.defaults.ubuntu2004 b/spec/fixtures/pam_common_session_noninteractive.defaults.ubuntu2004
@@ -0,0 +1,8 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session optional      pam_umask.so
+session required      pam_unix.so
+session optional      pam_systemd.so
diff --git a/spec/fixtures/pam_d_login.defaults.ubuntu2004 b/spec/fixtures/pam_d_login.defaults.ubuntu2004
@@ -0,0 +1,18 @@
+auth       optional   pam_faildelay.so  delay=3000000
+auth       requisite  pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session       required   pam_env.so readenv=1
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth       optional   pam_group.so
+session    required   pam_limits.so
+session    optional   pam_lastlog.so
+session    optional   pam_mail.so standard
+session    optional   pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/spec/fixtures/pam_d_sshd.defaults.ubuntu2004 b/spec/fixtures/pam_d_sshd.defaults.ubuntu2004
@@ -0,0 +1,16 @@
+@include common-auth
+account    required     pam_nologin.so
+account  required     pam_access.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional     pam_keyinit.so force revoke
+@include common-session
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+session    required     pam_env.so # [1]
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password