• Activity
  • Votes
  • Comments
  • New
  • All activity
  • Showing only topics with the tag "puppet". Back to normal view
    1. Using ghoneycutt/pam puppet module

      Hi guys, I'm really stumped and looking for a nudge in the right direction for how to utilise the ghoneycutt/pam module in puppet. Relatively new to this but got what I'd like to think as most the...

      Hi guys,

      I'm really stumped and looking for a nudge in the right direction for how to utilise the ghoneycutt/pam module in puppet. Relatively new to this but got what I'd like to think as most the basics down.

      I've configured a few things using modules such as NTP, SSSD and NSSWITCH but I'm just stuck on how I can use this module and pull info from Hiera into it.

      So, lets start with

      .yaml file:

      
              ### nsswitch.conf authentication configuration
      
              nsswitch::passwd:     'files sss'
      
              nsswitch::shadow:     'files sss'
      
      
      

      And then looking at the nsswitch.pp file:

      
              ### nsswitch.config setup
      
              class profile::linux::base::nsswitch {
      
              # Get heira values
      
                class { 'nsswitch':
      
                  passwd    => [lookup('nsswitch::passwd')],
      
                  shadow    => [lookup('nsswitch::shadow')],
      
      
      

      Simple enough to call the values I want and works how I want, now I'm trying to do the same type of thing for PAM using the ghoneycutt/pam module and there doesn't seem to be much info on how to use it, or it's just not sinking in for me.

      Some of my PAM Heira values:

              pam::pam_auth_lines:
                - '# Managed by Hiera key pam::pam_auth_lines'
                - 'auth        required      pam_env.so'
                - 'auth        sufficient    pam_fprintd.so'
                - 'auth        sufficient    pam_unix.so nullok try_first_pass'
                - 'auth        requisite     pam_succeed_if.so uid >= 500 quiet'
                - 'auth        sufficient    pam_sss.so use_first_pass'
                - 'auth        required      pam_deny.so'
              pam::pam_account_lines:
                - '# Managed by Hiera key pam::pam_account_lines'
                - 'account     required      pam_unix.so'
                - 'account     sufficient    pam_localuser.so'
                - 'account     sufficient    pam_succeed_if.so uid < 500 quiet'
                - 'account     [default=bad success=ok user_unknown=ignore] pam_sss.so'
                - 'account     required      pam_permit.so'
              pam::pam_password_lines:
                - '# Managed by Hiera key pam::pam_password_lines'
                - 'password    requisite     pam_cracklib.so try_first_pass retry=3 type='
                - 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
                - 'password    sufficient    pam_sss.so use_authtok'
                - 'password    required      pam_deny.so'
      

      Some things I've tried:

      1:

              class profile::linux::base::pam {
                # resources
                class { 'pam':
                  password-auth-ac  => [
                    lookup('pam::pam_auth_lines')],
                    lookup('pam::pam_account_lines')],
                    lookup('pam::pam_password_lines')],
                    lookup('pam::pam_session_lines')],
                 }
      
      

      2:

      
      	
      	      passwd  => [
      	
      	      lookup('pam::pam_auth_lines'),
      	
      	      lookup('pam::pam_account_lines'),
      	
      	      lookup('pam::pam_password_lines'),
      	
      	      lookup('pam::pam_session_lines'),
      	
      	      ],
      	
      	  }
      
      
              include ::pam
      
      	class profile::linux::base::pam {
      	
      	  # resources
      	
      	    include ::pam
      
      	         lookup('pam::pam_auth_lines')
      	
      	}
      
      
      

      I've tried a few other ways and can't get it to work as I want it to. Can anyone help?

      Thanks

      4 votes