- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with pam
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module manages PAM including accesslogin and limits.conf with functionality to create limits fragments for use in other modules. There are examples for using this with VAS/QAS.
Manages the packages and files regarding PAM. These vary by platform though generally include things such as the following.
/etc/pam.conf
/etc/pam.d
/etc/security/access.conf
/etc/security/limits.conf
/etc/security/limits.d
This module requires stdlib
. When deployed by default it will require
nsswitch
. See below for more information.
By default this module will include the nsswitch
class with the
settings pam::manage_nsswitch
. This module is meant to be used with
the Approved nsswitch
module.
This module has been deployed in production along with
sgnl05/sssd. Please see
examples/hiera/sssd/RedHat-6.yaml
file for an example with the
additional SSSD entries added via hiera.
Include the main pam
class.
As an array where the origin for each is 'ALL'.
pam::allowed_users:
- root
- ops
- devs
This would create /etc/security/access.conf
with the following content.
# This file is being maintained by Puppet.
# DO NOT EDIT
#
# allow only the groups listed
+:root:ALL
+:ops:ALL
+:devs:ALL
# default deny
-:ALL:ALL
As a hash where the user/group can optionally specify the origin.
pam::allowed_users:
'username':
'username1':
- 'cron'
- 'tty0'
'username2': 'tty1'
This would create /etc/security/access.conf
with the following content.
# This file is being maintained by Puppet.
# DO NOT EDIT
#
#allow only the groups listed
+:username:ALL
+:username1:cron tty0
+:username2:tty1
# default deny
-:ALL:ALL
pam::limits_fragments:
custom:
list:
- '* soft nofile 2048'
- '* hard nofile 8192'
- '* soft as 3145728'
- '* hard as 4194304'
- '* hard maxlogins 300'
- '* soft cpu 720'
- '* hard cpu 1440'
This would create /etc/security/limits.d/custom.conf
with content
# This file is being maintained by Puppet.
# DO NOT EDIT
* soft nofile 2048
* hard nofile 8192
* soft as 3145728
* hard as 4194304
* hard maxlogins 300
* soft cpu 720
* hard cpu 1440
Manage PAM file for specific service.
You can specify a hash to manage the services in Hiera
pam::services:
'sudo':
content : 'auth required pam_unix2.so'
Minimal and normal usage.
include pam
This module has been tested to work on the following systems with Puppet
versions 5 and 6 with the Ruby version associated with those releases.
Please see .travis.yml
for a full matrix of supported versions. This
module aims to support the current and previous major Puppet versions.
- EL 6
- EL 7
- EL 8
- Debian 9
- Debian 10
- Ubuntu 14.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 20.04 LTS
These platforms have spec tests and have been verified in the past, though are not functionally tested and formally supported.
- EL 5
- Solaris 9
- Solaris 10
- Solaris 11
- Suse 9
- Suse 10
- Suse 11
- Suse 12
- Suse 15
- OpenSuSE 13.1
- Debian 7
- Debian 8
- Ubuntu 12.04 LTS
See CONTRIBUTING.md
for information related to the development of this
module.