19 changes: 14 additions & 5 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,15 @@

All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).

## [v3.10.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.10.0) (2023-02-21)

[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.9.0...v3.10.0)

### Merged pull requests:

- Add amazon linux 2 support [\#259](https://github.com/ghoneycutt/puppet-module-pam/pull/259) ([treydock](https://github.com/treydock))
- Support Ubuntu 22.04 [\#245](https://github.com/ghoneycutt/puppet-module-pam/pull/245) ([anders-larsson](https://github.com/anders-larsson))

## [v3.9.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.9.0) (2023-01-30)

[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.8.0...v3.9.0)
Expand Down Expand Up @@ -117,7 +126,7 @@ All notable changes to this project will be documented in this file. The format

## [v3.0.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.0.0) (2018-11-09)

[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.34.0...v3.0.0)
[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/2.34.0...v3.0.0)

### Merged pull requests:

Expand All @@ -133,13 +142,13 @@ All notable changes to this project will be documented in this file. The format
- Remove VAS logic and create examples that show old behavior [\#169](https://github.com/ghoneycutt/puppet-module-pam/pull/169) ([treydock](https://github.com/treydock))
- Add example SSSD integration using hiera [\#143](https://github.com/ghoneycutt/puppet-module-pam/pull/143) ([jeffmccune](https://github.com/jeffmccune))

## [v2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.34.0) (2018-09-18)
## [2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/2.34.0) (2018-09-18)

[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/2.34.0...v2.34.0)
[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.34.0...2.34.0)

## [2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/2.34.0) (2018-09-18)
## [v2.34.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.34.0) (2018-09-18)

[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.33.0...2.34.0)
[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v2.33.0...v2.34.0)

## [v2.33.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v2.33.0) (2017-04-20)

2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -173,13 +173,15 @@ module aims to support the current and previous major Puppet versions.
* EL 7
* EL 8
* EL 9
* Amazon Linux 2
* Debian 9
* Debian 10
* Debian 11
* Ubuntu 14.04 LTS
* Ubuntu 16.04 LTS
* Ubuntu 18.04 LTS
* Ubuntu 20.04 LTS
* Ubuntu 22.04 LTS

### May work

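--- a/data/os/Amazon/2.yaml
+++ b/data/os/Amazon/2.yaml
@@ -0,0 +1,46 @@
+---
+pam::login_pam_access: absent
+pam::sshd_pam_access: absent
+pam::common_files_create_links: false
+pam::common_files_suffix: ~
+pam::common_files:
+- password_auth
+- system_auth
+
+pam::pam_d_login_template: pam/login.el2.erb
+pam::pam_d_sshd_template: pam/sshd.el2.erb
+
+pam::package_name: pam
+
+pam::pam_auth_lines:
+- 'auth required pam_env.so'
+- 'auth sufficient pam_unix.so try_first_pass nullok'
+- 'auth required pam_deny.so'
+pam::pam_password_auth_lines:
+- 'auth required pam_env.so'
+- 'auth sufficient pam_unix.so try_first_pass nullok'
+- 'auth required pam_deny.so'
+pam::pam_account_lines:
+- 'account required pam_unix.so'
+pam::pam_password_account_lines:
+- 'account required pam_unix.so'
+pam::pam_password_lines:
+- 'password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type='
+- 'password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow'
+- 'password required pam_deny.so'
+pam::pam_password_password_lines:
+- 'password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type='
+- 'password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow'
+- 'password required pam_deny.so'
+pam::pam_session_lines:
+- 'session optional pam_keyinit.so revoke'
+- 'session required pam_limits.so'
+- '-session optional pam_systemd.so'
+- 'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
+- 'session required pam_unix.so'
+pam::pam_password_session_lines:
+- 'session optional pam_keyinit.so revoke'
+- 'session required pam_limits.so'
+- '-session optional pam_systemd.so'
+- 'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
+- 'session required pam_unix.so'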
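Review bot: `pam::login_pam_access: absent` and `pam::sshd_pam_access: absent` (the first two keys of this file) disagree with the spec/spec_platforms.rb change in the same commit, where `login_pam_access` and `sshd_pam_access` return `'required'` for `redhat-2`, which is what `os_id` now maps an Amazon platform to; the redhat-2 login and sshd fixtures contain no pam_access line, so the data file presumably reflects what the templates render and the helpers are the side to fix, but whichever was intended, the two should agree. The helpers return `'required'` for every other RedHat major, so if `absent` is deliberate for Amazon Linux 2 a comment here saying why would stop the next reader from "correcting" it. Separately, the `pam_unix.so ... nullok` entries in `pam_auth_lines` and `pam_password_auth_lines` allow empty-password accounts to authenticate; a comment such as `# nullok mirrors the distro default; override in hiera where empty passwords must be rejected` makes that choice visible to operators.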
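--- a/data/os/Ubuntu/22.04.yaml
+++ b/data/os/Ubuntu/22.04.yaml
@@ -0,0 +1,34 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix: ~
+pam::common_files:
+- common_account
+- common_auth
+- common_password
+- common_session
+- common_session_noninteractive
+
+pam::sshd_pam_access: absent
+pam::pam_d_login_template: pam/login.ubuntu22.erb
+pam::pam_d_sshd_template: pam/sshd.ubuntu22.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+- 'auth [success=1 default=ignore] pam_unix.so nullok'
+- 'auth requisite pam_deny.so'
+- 'auth required pam_permit.so'
+- 'auth optional pam_cap.so'
+pam::pam_account_lines:
+- 'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so'
+- 'account requisite pam_deny.so'
+- 'account required pam_permit.so'
+pam::pam_password_lines:
+- 'password [success=1 default=ignore] pam_unix.so obscure yescrypt'
+- 'password requisite pam_deny.so'
+- 'password required pam_permit.so'
+pam::pam_session_lines:
+- 'session [default=1] pam_permit.so'
+- 'session requisite pam_deny.so'
+- 'session required pam_permit.so'
+- 'session optional pam_umask.so'
+- 'session required pam_unix.so'
+- 'session optional pam_systemd.so'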
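Review bot: This file sets `pam::sshd_pam_access: absent` but no `pam::login_pam_access`, while data/os/Amazon/2.yaml in the same commit sets both; if the login value is meant to come from a parent Ubuntu data file or the class default, a one-line comment such as `# login_pam_access comes from the Ubuntu-family defaults` would make the asymmetry read as deliberate rather than as an omission. The file also gives no hint of where its module lines come from; if they mirror the stock 22.04 `common-*` files (the `obscure yescrypt` and `nullok` options suggest that), a header comment saying so, and noting that `nullok` lets empty-password accounts authenticate, helps operators decide whether to override it.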
8 changes: 4 additions & 4 deletions manifests/init.pp
Expand Up @@ -240,8 +240,8 @@
Optional[String] $common_files_suffix = undef,
) {
# Fail on unsupported platforms
if $facts['os']['family'] == 'RedHat' and !($facts['os']['release']['major'] in ['5','6','7','8', '9']) {
fail("osfamily RedHat's os.release.major is <${::facts['os']['release']['major']}> and must be 5, 6, 7, 8 or 9")
if $facts['os']['family'] == 'RedHat' and !($facts['os']['release']['major'] in ['2','5','6','7','8', '9']) {
fail("osfamily RedHat's os.release.major is <${::facts['os']['release']['major']}> and must be 2, 5, 6, 7, 8 or 9")
}

if $facts['os']['family'] == 'Solaris' and !($facts['kernelrelease'] in ['5.9','5.10','5.11']) {
Expand All @@ -256,8 +256,8 @@
fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10 or 11")
}

if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04']) {
fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, 18.04 or 20.04")
if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04']) {
fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, 18.04, 20.04 or 22.04")
}

if $pam_d_sshd_template == 'pam/sshd.custom.erb' {
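Review bot: Adding `'2'` to the `in` list of the RedHat-family guard accepts major 2 for every os.family RedHat member, which is wider than the single platform the commit adds data for, and it leaves the guard unable to distinguish Amazon Linux from any other RedHat derivative; metadata.json in this commit registers the OS by name as `Amazon`, so a name-based check is available and keeps the original list intact. I would keep the `['5','6','7','8', '9']` list, exclude Amazon from it, and add a separate Amazon check as below. The `${::facts[...]}` form on the RedHat fail() line also differs from the `${facts[...]}` form used on the Debian and Ubuntu lines and is worth normalising while the line is being touched. The class body continues outside the hunk on both sides.
```puppet
  # Fail on unsupported platforms
  # Amazon Linux is os.family RedHat but numbers its releases independently,
  # so it is checked by os.name rather than by widening the RedHat list.
  if $facts['os']['name'] == 'Amazon' and $facts['os']['release']['major'] != '2' {
    fail("Amazon Linux's os.release.major is <${facts['os']['release']['major']}> and must be 2")
  }

  if $facts['os']['family'] == 'RedHat' and $facts['os']['name'] != 'Amazon' and !($facts['os']['release']['major'] in ['5','6','7','8', '9']) {
    fail("osfamily RedHat's os.release.major is <${facts['os']['release']['major']}> and must be 5, 6, 7, 8 or 9")
  }
  # … unchanged: Solaris, Debian and Ubuntu checks …
```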
11 changes: 9 additions & 2 deletions metadata.json
@@ -1,6 +1,6 @@
{
"name": "ghoneycutt-pam",
"version": "3.9.0",
"version": "3.10.0",
"author": "ghoneycutt",
"summary": "Manage PAM",
"license": "Apache-2.0",
Expand All @@ -18,6 +18,12 @@
}
],
"operatingsystem_support": [
{
"operatingsystem": "Amazon",
"operatingsystemrelease": [
"2"
]
},
{
"operatingsystem": "Debian",
"operatingsystemrelease": [
Expand Down Expand Up @@ -103,7 +109,8 @@
"14.04",
"16.04",
"18.04",
"20.04"
"20.04",
"22.04"
]
}
],
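--- a/spec/fixtures/redhat-2-x86_64-pam_d_login
+++ b/spec/fixtures/redhat-2-x86_64-pam_d_login
@@ -0,0 +1,17 @@
+#%PAM-1.0
+auth substack system-auth
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+session include postlogin
+-session optional pam_ck_connector.so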
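Review bot: The login fixture opens with `auth substack system-auth` and has no `pam_securetty.so` entry, which the stock EL7-style login stack that the rest of this file matches places first so that root logins are limited to the terminals listed in /etc/securetty; the same is true of the Ubuntu 22.04 login fixture later in this commit. I cannot see `pam/login.el2.erb` or `pam/login.ubuntu22.erb` from this page, so whether the line was dropped deliberately is inferred from the fixtures alone; if it is deliberate, a comment in the template recording that would save the next reviewer the check, and if not, both template and fixture should carry it.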
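--- a/spec/fixtures/redhat-2-x86_64-pam_d_sshd
+++ b/spec/fixtures/redhat-2-x86_64-pam_d_sshd
@@ -0,0 +1,20 @@
+#%PAM-1.0
+auth required pam_sepermit.so
+auth substack password-auth
+auth include postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth optional pam_reauthorize.so prepare
+account required pam_nologin.so
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include password-auth
+session include postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session optional pam_reauthorize.so prepare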
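--- a/spec/fixtures/redhat-2-x86_64-pam_password_auth
+++ b/spec/fixtures/redhat-2-x86_64-pam_password_auth
@@ -0,0 +1,22 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+#
+# Auth
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass nullok
+auth required pam_deny.so
+
+# Account
+account required pam_unix.so
+
+# Password
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password required pam_deny.so
+
+# Session
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so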
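--- a/spec/fixtures/redhat-2-x86_64-pam_system_auth
+++ b/spec/fixtures/redhat-2-x86_64-pam_system_auth
@@ -0,0 +1,21 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+# Auth
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass nullok
+auth required pam_deny.so
+
+# Account
+account required pam_unix.so
+
+# Password
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password required pam_deny.so
+
+# Session
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so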
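--- a/spec/fixtures/ubuntu-22.04-x86_64-pam_common_account
+++ b/spec/fixtures/ubuntu-22.04-x86_64-pam_common_account
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so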
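--- a/spec/fixtures/ubuntu-22.04-x86_64-pam_common_auth
+++ b/spec/fixtures/ubuntu-22.04-x86_64-pam_common_auth
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth [success=1 default=ignore] pam_unix.so nullok
+auth requisite pam_deny.so
+auth required pam_permit.so
+auth optional pam_cap.so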
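--- a/spec/fixtures/ubuntu-22.04-x86_64-pam_common_password
+++ b/spec/fixtures/ubuntu-22.04-x86_64-pam_common_password
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password [success=1 default=ignore] pam_unix.so obscure yescrypt
+password requisite pam_deny.so
+password required pam_permit.so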
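--- a/spec/fixtures/ubuntu-22.04-x86_64-pam_common_session
+++ b/spec/fixtures/ubuntu-22.04-x86_64-pam_common_session
@@ -0,0 +1,8 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
+session optional pam_systemd.so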
@@ -0,0 +1,8 @@
# This file is being maintained by Puppet.
# DO NOT EDIT
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
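--- a/spec/fixtures/ubuntu-22.04-x86_64-pam_d_login
+++ b/spec/fixtures/ubuntu-22.04-x86_64-pam_d_login
@@ -0,0 +1,18 @@
+auth optional pam_faildelay.so delay=3000000
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_mail.so standard
+session optional pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password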
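--- a/spec/fixtures/ubuntu-22.04-x86_64-pam_d_sshd
+++ b/spec/fixtures/ubuntu-22.04-x86_64-pam_d_sshd
@@ -0,0 +1,15 @@
+@include common-auth
+account required pam_nologin.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+@include common-session
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+session optional pam_mail.so standard noenv # [1]
+session required pam_limits.so
+session required pam_env.so # [1]
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+@include common-password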
8 changes: 4 additions & 4 deletions spec/spec_platforms.rb
Expand Up @@ -2,7 +2,7 @@

def os_id(os)
# for CentOS, OracleLinux, Scientific use RedHat values
os.sub(%r{(centos|oraclelinux|scientific)}, 'redhat')
os.sub(%r{(amazon|centos|oraclelinux|scientific)}, 'redhat')
end

def package_name(os)
Expand Down Expand Up @@ -54,9 +54,9 @@ def common_files_suffix(os)

def login_pam_access(os)
case os_id(os)
when %r{redhat-5}, %r{redhat-6}, %r{redhat-7}, %r{redhat-8}, %r{redhat-9}, %r{sles-11}
when %r{redhat-2}, %r{redhat-5}, %r{redhat-6}, %r{redhat-7}, %r{redhat-8}, %r{redhat-9}, %r{sles-11}
'required'
when %r{redhat}, %r{sles}, %r{debian}, %r{ubuntu}
when %r{sles}, %r{debian}, %r{ubuntu}
'absent'
else
nil
Expand All @@ -65,7 +65,7 @@ def login_pam_access(os)

def sshd_pam_access(os)
case os_id(os)
when %r{redhat-5}, %r{redhat-6}, %r{redhat-7}, %r{redhat-8}, %r{redhat-9}, %r{sles-11}, %r{debian}, %r{ubuntu}
when %r{redhat-2}, %r{redhat-5}, %r{redhat-6}, %r{redhat-7}, %r{redhat-8}, %r{redhat-9}, %r{sles-11}, %r{debian}, %r{ubuntu}
'required'
when %r{sles-9}, %r{sles-10}, %r{sles-12}, %r{sles-15}
'absent'
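Review bot: Dropping `%r{redhat}` from the `'absent'` branch of `login_pam_access` (second hunk) changes the result for any RedHat-family id whose major is not in the `'required'` list from `'absent'` to `nil`, and nothing in the commit says why; `sshd_pam_access` in the next hunk has never had a redhat fallback, so this may be intentional alignment, but a comment such as `# every supported RedHat major is listed above; anything else is unsupported` would record it. Both methods end outside their hunks.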