Configures Linux authentication modules (PAM).
↪ attributes/pam.rb
↪ recipes/pam.rb
↪ templates/*/etc_security_limits.conf.erb
↪ templates/*/etc_security_access.conf.erb
↪ templates/*/etc_pam.d_generic.erb
↪ tests/roles/sys_pam_test.rb
↪ files/*/etc_pam.d_sshd
↪ files/*/etc_pam.d_login
↪ libraries/pamupdate_*.rb
All attributes in node['sys']['pam']
:
limits
holds an array of ulimits written to/etc/security/limits.conf
.access
holds an array of rules written to/etc/security/access.conf
.group
holds an array of rules written to/etc/security/group.conf
.
It is possible to write any file in the /etc/pam.d/
directory using attributes
in node⌷'sys']['pamd']
. The key needs to be used as the file to be altered
(e.g. xscreensaver
or ssh
) and the value is a string containing the entire
configuration. However, to change the content of /etc/pam.d/common-*
files,
you are best adviced to use the attributes in node['sys']['pamupdate']
.
This is a minimal ruby rewrite of pam-auth-update.
The options are a little more complicated than just providing one giant string,
but it offers more flexibilty.
Pamupdate configuration is done with profiles.
Each profile configures at least one of the /etc/pam.d/common-_
-files,
and provides information on how to be merged with other profiles configuring
the same files.
The pam-configuration in the /etc/pam.d/common-_
-files is always divided
into two block, the primary and the additional block.
The Primary block contains information modules that either deny or permit access. If none of these modules succeeds, pam_deny is used as fallback which prevents login. The priority of the profile determines the position of the module in the pam-stack. E.g. libpam-heimdal ships a default configuration with priority 704. Since the default unix-profile has a priority of 256, authentication is first delegated to the heimdal-module, only afterwards the unix-module is asked. If two profiles have equal priorities the name of the profile is used for sorting.
In this block modules are configured, which often just modify the user's groups, limits, session or the like. Again, modules are inserted here by highest priority or by name if they have equal priorities.
If you specify configuration of a profile, you must at a minimum provide a number of fields, so that the configuartion can work at all:
Name : This makes the profiles unique, it can be anything you, just try to keep it different from the other modules.
Default
: Set this to "yes" to enable the profile. Anything else disables it.
It must be present, i.e. not nil
Priority
: Must be present to sort the profiles.
To define a profile use the PamUpdate
-library as in sys::pam
:
- Create Profiles with
PamUpdate::Profile.new(values)
. Values can either be a hash of hashes, or a filename. This way you can either configure it from scratch, or use configuration which ships with the packages, e.g./usr/share/pam-configs/krb5
. - Put all the profiles in an array which is used to initialize a writer object:
generate = PamUpdate::Writer.new(profile-array)
. then get the needed strings by runninggenerate.auth
. Supported methods areaccount
,auth
,password
,session
andsession-noninteractive
.
"sys" => {
"pam" => {
"access" => [
"+:devops:10.1.1.1 LOCAL",
"+:ALL:.devops.test LOCAL",
"+:ALL:LOCAL",
"-:ALL:ALL"
],
"group" => [
# minimal specification using defaults:
{ 'usr' => 'tschipfel', 'grp' => 'sudo' }
# complete example (allow dummbabbler to read syslog while
# logging in via console tty1 on workhours)
{
'usr' => 'dummbabbler',
'grp' => 'adm',
'srv' => 'login',
'tty' => 'tty1',
'time' => 'Wk0900-1800'
}
],
"limits" => [
"* hard memlock unlimited",
"* soft memlock unlimited"
]
},
"pamd" => {
"xscreensaver" => "
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
"
},
"pamupdate" => {
"group" => {
:Name => "PAM group"
:Default => "yes"
:Priority => "256"
:"Auth-Type" => "Additional"
:Auth => "optional pam_group.so"
}
}
}
If the attribute node['sys']['pam']['access']
is set:
-
files/*/etc_pam.d_login
is deployed at/etc/pam.d/login
. It contains the default config as shipped by thelogin
package with thepam_access
module enabled. -
files/*/etc_pam.d_sshd
is deployed to/etc/pam.d/sshd
if/etc/ssh/sshd_config
exists (ie. SSH server is installed). It contains the default config as shipped by theopenssh-server
package with thepam_access
module enabled. See alsosys::ssh