Using ghoneycutt/pam puppet module
Hi guys,
I'm really stumped and looking for a nudge in the right direction for how to utilise the ghoneycutt/pam module in Puppet. Relatively new to this, but I've got what I'd like to think are most of the basics down.
I've configured a few things using modules such as NTP, SSSD and NSSWITCH, but I'm just stuck on how I can use this module and pull info from Hiera into it.
So, let's start with the .yaml file:
### nsswitch.conf authentication configuration
nsswitch::passwd: 'files sss'
nsswitch::shadow: 'files sss'
And then looking at the nsswitch.pp file:
### nsswitch.config setup
class profile::linux::base::nsswitch {
  # Get Hiera values
  class { 'nsswitch':
    passwd => [lookup('nsswitch::passwd')],
    shadow => [lookup('nsswitch::shadow')],
  }
}
Simple enough to call the values I want, and it works how I want. Now I'm trying to do the same type of thing for PAM using the ghoneycutt/pam module, and there doesn't seem to be much info on how to use it, or it's just not sinking in for me.
Some of my PAM Hiera values:
pam::pam_auth_lines:
- '# Managed by Hiera key pam::pam_auth_lines'
- 'auth required pam_env.so'
- 'auth sufficient pam_fprintd.so'
- 'auth sufficient pam_unix.so nullok try_first_pass'
- 'auth requisite pam_succeed_if.so uid >= 500 quiet'
- 'auth sufficient pam_sss.so use_first_pass'
- 'auth required pam_deny.so'
pam::pam_account_lines:
- '# Managed by Hiera key pam::pam_account_lines'
- 'account required pam_unix.so'
- 'account sufficient pam_localuser.so'
- 'account sufficient pam_succeed_if.so uid < 500 quiet'
- 'account [default=bad success=ok user_unknown=ignore] pam_sss.so'
- 'account required pam_permit.so'
pam::pam_password_lines:
- '# Managed by Hiera key pam::pam_password_lines'
- 'password requisite pam_cracklib.so try_first_pass retry=3 type='
- 'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
- 'password sufficient pam_sss.so use_authtok'
- 'password required pam_deny.so'
Some things I've tried:
1:
class profile::linux::base::pam {
# resources
class { 'pam':
password-auth-ac => [
lookup('pam::pam_auth_lines')],
lookup('pam::pam_account_lines')],
lookup('pam::pam_password_lines')],
lookup('pam::pam_session_lines')],
}
2:
passwd => [
lookup('pam::pam_auth_lines'),
lookup('pam::pam_account_lines'),
lookup('pam::pam_password_lines'),
lookup('pam::pam_session_lines'),
],
}
include ::pam
class profile::linux::base::pam {
# resources
include ::pam
lookup('pam::pam_auth_lines')
}
I've tried a few other ways and can't get it to work as I want it to. Can anyone help?
Thanks
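As an added example, not part of the original post or of the ghoneycutt/pam module itself: a profile class that feeds the Hiera arrays above into the pam class the same way the nsswitch profile does. It assumes the module's class parameters are named after the Hiera keys in the post (pam_auth_lines, pam_account_lines, pam_password_lines, pam_session_lines) and that a pam::pam_session_lines key, which the post does not show, also exists in Hiera.

```puppet
# profile/manifests/linux/base/pam.pp
# Added example, not code from the post or from ghoneycutt/pam.
# Assumption: class pam takes parameters named after the Hiera keys
# pam::pam_auth_lines, pam::pam_account_lines, pam::pam_password_lines
# and pam::pam_session_lines.
class profile::linux::base::pam {

  # Option A: rely on automatic parameter lookup. The Hiera keys are already
  # named <class>::<parameter>, so a bare include binds them with no
  # lookup() calls at all in the profile.
  # include pam

  # Option B: explicit lookups, mirroring the nsswitch profile.
  # Differences from the attempts in the post:
  #  - the Hiera values are already arrays, so they are passed as-is;
  #    wrapping them in [ ] (as done for the nsswitch strings) nests them
  #    one level deeper than the module expects;
  #  - Puppet parameter names may not contain hyphens, so
  #    'password-auth-ac' is not a valid parameter;
  #  - a bare lookup('pam::pam_auth_lines') on its own line discards the
  #    value, it has to be assigned to a parameter;
  #  - the Array[String] type makes catalog compilation fail if a key is
  #    missing or mistyped, instead of quietly writing an empty PAM stack.
  class { 'pam':
    pam_auth_lines     => lookup('pam::pam_auth_lines',     Array[String]),
    pam_account_lines  => lookup('pam::pam_account_lines',  Array[String]),
    pam_password_lines => lookup('pam::pam_password_lines', Array[String]),
    pam_session_lines  => lookup('pam::pam_session_lines',  Array[String]),
  }
}
```

Run `puppet lookup pam::pam_auth_lines --node <host>` on the master to confirm each key resolves to the expected array before applying, since line order in these arrays is what decides whether pam_deny.so or pam_permit.so is reached.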