Add template for performing custom sshd pam config

Specific use case is to be able to supply options to pam_vas3 that are
specifically needed (and should only be configured) for sshd to resolv
intermittent ssh login failures with QAS.

README.md

@@ -188,8 +188,36 @@ pam_d_sshd_template
 -------------------
 Content template of $pam_d_sshd_path. If undef, parameter is set based on the OS version.
 
+For cases where a full customization of the sshd PAM configuration is required, set pam_d_sshd_template to use pam/sshd.custom.erb that is provided with this module.
+pam/sshd.custom.erb must be further configured with the parameters pam_sshd_auth_lines, pam_sshd_account_lines, pam_sshd_password_lines and pam_sshd_session_lines.
+Note that the pam_d_sshd_template parameter is a no-op on Solaris.
+
 - *Default*: undef, default is set based on OS version
 
+pam_sshd_auth_lines
+-------------------
+An ordered array of strings that define the content for PAM sshd auth. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.
+
+- *Default*: undef
+
+pam_sshd_account_lines
+----------------------
+An ordered array of strings that define the content for PAM sshd account. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.
+
+- *Default*: undef
+
+pam_sshd_password_lines
+-----------------------
+An ordered array of strings that define the content for PAM sshd password. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.
+
+- *Default*: undef
+
+pam_sshd_session_lines
+----------------------
+An ordered array of strings that define the content for PAM sshd session. This setting is required and only valid if pam_d_sshd_template is configured to use the pam/sshd.custom.erb template.
+
+- *Default*: undef
+
 pam_auth_lines
 --------------
 An ordered array of strings that define the content for PAM auth. If undef, parameter is set based on the OS version.

manifests/init.pp

@@ -23,6 +23,10 @@
  $pam_d_sshd_group = 'root',
  $pam_d_sshd_mode = '0644',
  $pam_d_sshd_template = undef,
+ $pam_sshd_auth_lines = undef,
+ $pam_sshd_account_lines = undef,
+ $pam_sshd_password_lines = undef,
+ $pam_sshd_session_lines = undef,
  $pam_auth_lines = undef,
  $pam_account_lines = undef,
  $pam_password_lines = undef,
@@ -1113,6 +1117,26 @@
  $my_pam_d_login_template = $pam_d_login_template
  }
 
+ if $pam_d_sshd_template == 'pam/sshd.custom.erb' {
+ if $pam_sshd_auth_lines == undef or
+ $pam_sshd_account_lines == undef or
+ $pam_sshd_password_lines == undef or
+ $pam_sshd_session_lines == undef {
+ fail('pam_sshd_[auth|account|password|session]_lines required when using the pam/sshd.custom.erb template')
+ }
+ validate_array($pam_sshd_auth_lines)
+ validate_array($pam_sshd_account_lines)
+ validate_array($pam_sshd_password_lines)
+ validate_array($pam_sshd_session_lines)
+ } else {
+ if $pam_sshd_auth_lines != undef or
+ $pam_sshd_account_lines != undef or
+ $pam_sshd_password_lines != undef or
+ $pam_sshd_session_lines != undef {
+ fail('pam_sshd_[auth|account|password|session]_lines are only valid when pam_d_sshd_template is configured with the pam/sshd.custom.erb template')
+ }
+ }
+
  if $pam_d_sshd_template == undef {
  $my_pam_d_sshd_template = $default_pam_d_sshd_template
  } else {

spec/classes/init_spec.rb

@@ -273,6 +273,44 @@
 
  describe 'config files' do
  platforms.sort.each do |k,v|
+ context "when configuring pam_d_sshd_template on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do
+ let :facts do
+ { :osfamily => v[:osfamily],
+ :"#{v[:releasetype]}" => v[:release],
+ :lsbdistid => v[:lsbdistid],
+ }
+ end
+
+ let (:params) do
+ { :pam_d_sshd_template => 'pam/sshd.custom.erb',
+ :pam_sshd_auth_lines => [ 'auth_line1', 'auth_line2' ],
+ :pam_sshd_account_lines => [ 'account_line1', 'account_line2' ],
+ :pam_sshd_session_lines => [ 'session_line1', 'session_line2' ],
+ :pam_sshd_password_lines => [ 'password_line1', 'password_line2' ],
+ }
+ end
+
+ sshd_custom_content = <<-END.gsub(/^\s+\|/, '')
+ |# This file is being maintained by Puppet.
+ |# DO NOT EDIT
+ |#
+ |auth_line1
+ |auth_line2
+ |account_line1
+ |account_line2
+ |password_line1
+ |password_line2
+ |session_line1
+ |session_line2
+ END
+
+ if v[:osfamily] == 'Solaris'
+ it { should_not contain_file('pam_d_sshd') }
+ else
+ it { should contain_file('pam_d_sshd').with('content' => sshd_custom_content) }
+ end
+ end
+
  context "with specifying services param on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do
  let :facts do
  { :osfamily => v[:osfamily],
@@ -794,6 +832,97 @@
  it { should contain_class('pam') }
  end
  end
+
+ [:pam_sshd_auth_lines, :pam_sshd_account_lines, :pam_sshd_password_lines, :pam_sshd_session_lines].each do |param|
+ context "with pam_d_sshd_template set to pam/sshd.custom.erb when only #{param} is missing" do
+ let :full_params do
+ {
+ :pam_sshd_auth_lines => %w(auth_line1 auth_line2),
+ :pam_sshd_account_lines => %w(account_line1 account_line2),
+ :pam_sshd_session_lines => %w(session_line1 session_line2),
+ :pam_sshd_password_lines => %w(password_line1 password_line2),
+ :pam_d_sshd_template => 'pam/sshd.custom.erb',
+ }
+ end
+ let :facts do
+ {
+ :osfamily => v[:osfamily],
+ :"#{v[:releasetype]}" => v[:release],
+ :lsbdistid => v[:lsbdistid],
+ }
+ end
+ let(:params) {
+ # remove param from full_params hash before applying
+ full_params.delete(param)
+ full_params
+ }
+
+ it 'should fail' do
+ expect { should contain_class(subject) }.to raise_error(Puppet::Error, %r{pam_sshd_\[auth\|account\|password\|session\]_lines required when using the pam/sshd.custom.erb template})
+ end
+ end
+ end
+
+ [ :pam_sshd_auth_lines, :pam_sshd_account_lines, :pam_sshd_password_lines, :pam_sshd_session_lines ].each do |param|
+ context "with #{param} specified and pam_d_sshd_template not specified on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do
+ let :facts do
+ { :osfamily => v[:osfamily],
+ :"#{v[:releasetype]}" => v[:release],
+ :lsbdistid => v[:lsbdistid],
+ }
+ end
+
+ let(:params) { { param => [ '#' ] } }
+
+ it "should fail" do
+ expect {
+ should contain_class('pam')
+ }.to raise_error(Puppet::Error, %r{pam_sshd_\[auth\|account\|password\|session\]_lines are only valid when pam_d_sshd_template is configured with the pam/sshd.custom.erb template})
+ end
+ end
+ end
  end
  end
+
+ describe 'variable type and content validations' do
+ # set needed custom facts and variables
+ let(:facts) do
+ {
+ :operatingsystemmajrelease => '7',
+ :osfamily => 'RedHat',
+ }
+ end
+ let(:mandatory_params) { {} }
+
+ validations = {
+ 'array for pam_sshd_(auth|account|password|session)_lines' => {
+ :name => %w(pam_sshd_auth_lines pam_sshd_account_lines pam_sshd_password_lines pam_sshd_session_lines),
+ :params => { :pam_d_sshd_template => 'pam/sshd.custom.erb', :pam_sshd_auth_lines => ['#'], :pam_sshd_account_lines => ['#'], :pam_sshd_password_lines => ['#'], :pam_sshd_session_lines => ['#']},
+ :valid => [%w(array)],
+ :invalid => ['string', { 'ha' => 'sh' }, 3, 2.42, true, false],
+ :message => 'is not an Array',
+ },
+ }
+
+ validations.sort.each do |type, var|
+ var[:name].each do |var_name|
+ var[:params] = {} if var[:params].nil?
+ var[:valid].each do |valid|
+ context "when #{var_name} (#{type}) is set to valid #{valid} (as #{valid.class})" do
+ let(:params) { [mandatory_params, var[:params], { :"#{var_name}" => valid, }].reduce(:merge) }
+ it { should compile }
+ end
+ end
+
+ var[:invalid].each do |invalid|
+ context "when #{var_name} (#{type}) is set to invalid #{invalid} (as #{invalid.class})" do
+ let(:params) { [mandatory_params, var[:params], { :"#{var_name}" => invalid, }].reduce(:merge) }
+ it 'should fail' do
+ expect { should contain_class(subject) }.to raise_error(Puppet::Error, /#{var[:message]}/)
+ end
+ end
+ end
+ end # var[:name].each
+ end # validations.sort.each
+ end # describe 'variable type and content validations'
 end

templates/sshd.custom.erb

@@ -0,0 +1,15 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+#
+<% @pam_sshd_auth_lines.each do |auth_line| -%>
+<%= auth_line %>
+<% end -%>
+<% @pam_sshd_account_lines.each do |account_line| -%>
+<%= account_line %>
+<% end -%>
+<% @pam_sshd_password_lines.each do |password_line| -%>
+<%= password_line %>
+<% end -%>
+<% @pam_sshd_session_lines.each do |session_line| -%>
+<%= session_line %>
+<% end -%>