Using ghoneycutt/pam puppet module
Hi guys,
I'm really stumped and looking for a nudge in the right direction for how to utilise the ghoneycutt/pam module in puppet. Relatively new to this but got what I'd like to think of as most of the basics down.
I've configured a few things using modules such as NTP, SSSD and NSSWITCH but I'm just stuck on how I can use this module and pull info from Hiera into it.
So, let's start with the .yaml file:
    ### nsswitch.conf authentication configuration
    nsswitch::passwd: 'files sss'
    nsswitch::shadow: 'files sss'
And then looking at the nsswitch.pp file:
    ### nsswitch.config setup
    class profile::linux::base::nsswitch {
      # Get hiera values
      class { 'nsswitch':
        passwd => [lookup('nsswitch::passwd')],
        shadow => [lookup('nsswitch::shadow')],
      }
    }
Simple enough to call the values I want, and it works how I want. Now I'm trying to do the same type of thing for PAM using the ghoneycutt/pam module and there doesn't seem to be much info on how to use it, or it's just not sinking in for me.
Some of my PAM Hiera values:
    pam::pam_auth_lines:
      - '# Managed by Hiera key pam::pam_auth_lines'
      - 'auth required pam_env.so'
      - 'auth sufficient pam_fprintd.so'
      - 'auth sufficient pam_unix.so nullok try_first_pass'
      - 'auth requisite pam_succeed_if.so uid >= 500 quiet'
      - 'auth sufficient pam_sss.so use_first_pass'
      - 'auth required pam_deny.so'
    pam::pam_account_lines:
      - '# Managed by Hiera key pam::pam_account_lines'
      - 'account required pam_unix.so'
      - 'account sufficient pam_localuser.so'
      - 'account sufficient pam_succeed_if.so uid < 500 quiet'
      - 'account [default=bad success=ok user_unknown=ignore] pam_sss.so'
      - 'account required pam_permit.so'
    pam::pam_password_lines:
      - '# Managed by Hiera key pam::pam_password_lines'
      - 'password requisite pam_cracklib.so try_first_pass retry=3 type='
      - 'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
      - 'password sufficient pam_sss.so use_authtok'
      - 'password required pam_deny.so'
Some things I've tried:
1:

    class profile::linux::base::pam {
      # resources
      class { 'pam':
        password-auth-ac => [
          lookup('pam::pam_auth_lines')],
          lookup('pam::pam_account_lines')],
          lookup('pam::pam_password_lines')],
          lookup('pam::pam_session_lines')],
    }

2:

        passwd => [
          lookup('pam::pam_auth_lines'),
          lookup('pam::pam_account_lines'),
          lookup('pam::pam_password_lines'),
          lookup('pam::pam_session_lines'),
        ],
    }
    include ::pam

    class profile::linux::base::pam {
      # resources
      include ::pam
      lookup('pam::pam_auth_lines')
    }
I've tried a few other ways and can't get it to work as I want it to. Can anyone help?
Thanks
Meta comment warning: Moved to ~comp due to the technical nature of the topic. ~tech is more for articles/discussions intended for a general audience.
Thanks, didn't realise ~comp was for computing (makes sense though).
No problem, and no worries. It's going to take new users a little time to get used to things here and that's totally understandable. It's why Deimos has granted some of us the ability to do things like edit tags and move topics to different groups, so that we can help fix any mistakes people make along the way. :)
I hate to say but I was making such a rookie mistake.
I wasn't including profile::linux::base::pam within my base.pp file:
As soon as I added this in I could see some of the manual changes I made to the files get updated with the default values, after uncommenting my hiera values everything fell into place. Can't believe I missed it, tried everything else I could think of before.
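To show the complete wiring the thread ends up with, here is an added example (not the poster's code and not part of the ghoneycutt/pam module itself). It assumes the module exposes class parameters named `pam_auth_lines`, `pam_account_lines`, `pam_password_lines` and `pam_session_lines` matching the Hiera keys above, and that profiles live in a `profile` module under `linux/base/`; file paths and the `profile::linux::base` wrapper class are assumptions.

```puppet
# manifests/site.pp
# Nothing in a profile is evaluated unless the profile is declared in the
# node's catalog; this is the link that was missing in the thread.
node default {
  include profile::linux::base
}

# site/profile/manifests/linux/base.pp (assumed wrapper class)
class profile::linux::base {
  include profile::linux::base::nsswitch
  include profile::linux::base::pam   # the line the poster had left out
}

# site/profile/manifests/linux/base/pam.pp
class profile::linux::base::pam {
  # A bare include is enough: Puppet's automatic parameter lookup binds the
  # Hiera keys pam::pam_auth_lines, pam::pam_account_lines,
  # pam::pam_password_lines and pam::pam_session_lines to the class
  # parameters of the same name, so no explicit lookup() call is needed.
  # The keys must be present (not commented out) in the Hiera data for the
  # node, otherwise the module's defaults are written instead.
  include pam
}

# Alternative, if you prefer to see the values flow through the manifest.
# Use EITHER this resource-like declaration OR the include above, never
# both: a class can only be declared once per catalog.
class profile::linux::base::pam_explicit {
  class { 'pam':
    pam_auth_lines     => lookup('pam::pam_auth_lines',     Array[String]),
    pam_account_lines  => lookup('pam::pam_account_lines',  Array[String]),
    pam_password_lines => lookup('pam::pam_password_lines', Array[String]),
    pam_session_lines  => lookup('pam::pam_session_lines',  Array[String]),
  }
}
```

Before running the agent, `puppet lookup pam::pam_auth_lines --node <fqdn>` on the master shows exactly which array the node would receive, which separates a Hiera data problem from a missing include.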