• Activity
  • Votes
  • Comments
  • New
  • All activity
    • Showing only topics with the tag "puppet". Back to normal view

    1. Using ghoneycutt/pam puppet module

      ~comp Ask (advice)
      Hi guys, I'm really stumped and looking for a nudge in the right direction for how to utilise the ghoneycutt/pam module in puppet. Relatively new to this but got what I'd like to think as most the...

      Hi guys,

      I'm really stumped and looking for a nudge in the right direction for how to utilise the ghoneycutt/pam module in puppet. Relatively new to this but got what I'd like to think as most the basics down.

      I've configured a few things using modules such as NTP, SSSD and NSSWITCH but I'm just stuck on how I can use this module and pull info from Hiera into it.

      So, lets start with

      .yaml file:

      
        ### nsswitch.conf authentication configuration

        nsswitch::passwd:     'files sss'

        nsswitch::shadow:     'files sss'

      And then looking at the nsswitch.pp file:

      
        ### nsswitch.config setup

        class profile::linux::base::nsswitch {

        # Get heira values

          class { 'nsswitch':

            passwd    => [lookup('nsswitch::passwd')],

            shadow    => [lookup('nsswitch::shadow')],

      Simple enough to call the values I want and works how I want, now I'm trying to do the same type of thing for PAM using the ghoneycutt/pam module and there doesn't seem to be much info on how to use it, or it's just not sinking in for me.

      Some of my PAM Heira values:

              pam::pam_auth_lines:
          - '# Managed by Hiera key pam::pam_auth_lines'
          - 'auth        required      pam_env.so'
          - 'auth        sufficient    pam_fprintd.so'
          - 'auth        sufficient    pam_unix.so nullok try_first_pass'
          - 'auth        requisite     pam_succeed_if.so uid >= 500 quiet'
          - 'auth        sufficient    pam_sss.so use_first_pass'
          - 'auth        required      pam_deny.so'
        pam::pam_account_lines:
          - '# Managed by Hiera key pam::pam_account_lines'
          - 'account     required      pam_unix.so'
          - 'account     sufficient    pam_localuser.so'
          - 'account     sufficient    pam_succeed_if.so uid < 500 quiet'
          - 'account     [default=bad success=ok user_unknown=ignore] pam_sss.so'
          - 'account     required      pam_permit.so'
        pam::pam_password_lines:
          - '# Managed by Hiera key pam::pam_password_lines'
          - 'password    requisite     pam_cracklib.so try_first_pass retry=3 type='
          - 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
          - 'password    sufficient    pam_sss.so use_authtok'
          - 'password    required      pam_deny.so'

      Some things I've tried:

      1:

              class profile::linux::base::pam {
          # resources
          class { 'pam':
            password-auth-ac  => [
              lookup('pam::pam_auth_lines')],
              lookup('pam::pam_account_lines')],
              lookup('pam::pam_password_lines')],
              lookup('pam::pam_session_lines')],
           }

      2:

      
	
	      passwd  => [
	
	      lookup('pam::pam_auth_lines'),
	
	      lookup('pam::pam_account_lines'),
	
	      lookup('pam::pam_password_lines'),
	
	      lookup('pam::pam_session_lines'),
	
	      ],
	
	  }


              include ::pam

      	class profile::linux::base::pam {
	
	  # resources
	
	    include ::pam

	         lookup('pam::pam_auth_lines')
	
	}

      I've tried a few other ways and can't get it to work as I want it to. Can anyone help?

      Thanks

      4 votes