Table of Contents

• Overview
• This is a SIMP module
• Module Description
• Setup
  • Setup Requirements
  • What pam Affects
• Usage
  • Basic Usage
  • Restricting System Logins (pam_access)
    • Managing System Access
  • Restricting Resource Usage (pam_limits)
  • Restricting su to the wheel Group
  • Managing /etc/security/faillock.conf
    • /etc/security/faillock.conf Example With All Parameters
  • Managing /etc/security/pwhistory.conf
    • /etc/security/pwhistory.conf Example With All Parameters
• Development
  • Acceptance tests

Overview

This module configures PAM in an authoritative, but flexible, manner.

See REFERENCE.md for API details.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

• When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
• If used independently, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp_options for details.

Module Description

This module provides a reasonably safe configuration of the main PAM stack focused on common security and compliance settings. Care has been taken to provide a significant set of switches and override mechanisms in order to provide for user flexibility.

Setup

Setup Requirements

No special dependencies are required for core functionality of this module.

You will need to download the simp/oath if you want to use the EXPERIMENTAL OATH (TOTP/HOTP) support.

What pam Affects

The pam module modifies various settings in the /etc/pam.d/ and /etc/security directories related to user logins via various authentication methods.

Usage

Basic Usage

To set up PAM using a sane set of defaults, you can simply include the class as follows:

include 'pam'

This will set up PAM with the following capabilities:

• pwquality settings
• faillock support with auto-unlocking
• Password hash algorithm strengthening
• Password history management
• Automatic home directory creation
• User TTY auditing (only root by default)
• Overall default deny

Restricting System Logins (pam_access)

To set up a 'default deny' policy for your system (local root logins are always allowed):

include 'pam::access'

Managing System Access

There are two methods for allowing users/groups into the system. The first is to use the pam::access::rule defined type.

The parameters are named after their counterparts as defined in access.conf(5).

pam::access::rule { 'Allow Security Group from Anywhere':
  users   => ['(security)'],
  origins => ['ALL']
}

pam::access::rule { 'Allow Alice from Home':
  users   => ['alice'],
  origins => ['alice.home.net']
}

pam::access::rule { 'Allow Bob from Local':
  users   => ['bob'],
  origins => ['LOCAL'],
  order   => 2000
}

pam::access::rule { 'Deny Bob from Remote':
  users      => ['bob'],
  origins    => ['ALL'],
  permission => '-',
  order      => 2001
}

The second method is to define the access list as a Hash directly in Hiera:

---
pam::access::users:
  defaults:
    origins:
      - ALL
    permission: "+"
    "(security)":
    alice:
      origins:
        - 'alice.home.net'
    # Note, the hiera method is not as flexible so we needed to use the 'bob'
    # group so that we could properly restrict the 'bob' user.
    "(bob)":
      origins:
        - 'LOCAL'
      order: 2000
    'bob':
      permission: "-"
      order: 2001

Restricting Resource Usage (pam_limits)

To activate management of various PAM resource limits via /etc/security/limits.conf:

include 'pam::limits'

You can then use the module to restrict resource limits for logged in accordance with the pam_limits(8) documentation.

pam::limits::rule { 'Limit Number of Processes for all Users':
  domains => ['*'],
  type    => 'soft',
  item    => 'nproc',
  value   => 50
}

The second method is to define the rule list as a Hash directly in Hiera:

---
pam::limits::rules:
  disable_core_for_all:
    domains:
      - '*'
    type: 'hard'
    item: 'core'
    value: 0
    order: 100

Restricting su to the wheel Group

To restrict the use of su to the wheel group:

include 'pam::wheel'

You can change the target group by updating the value of pam::wheel::wheel_group via Hiera.

Managing /etc/security/faillock.conf

To manage faillock with /etc/security/faillock.conf set the following in hieradata:

pam::manage_faillock_conf: true

A couple of things to note here are:

• This feature will only work on systems running EL 8 (or equivalent) and above.

• pam::faillock must still be true for faillock to work appropriately

• By default, /etc/security/faillock.conf will be empty except for a comment saying the file is managed by puppet. To set content in the file, the following parameters are available:

  • pam::faillock_log_dir
  • pam::faillock_audit
  • pam::display_account_lock
  • pam::faillock_no_log_info
  • pam::faillock_local_users_only
  • pam::faillock_nodelay
  • pam::deny
  • pam::fail_interval
  • pam::unlock_time
  • pam::even_deny_root
  • pam::root_unlock_time
  • pam::faillock_admin_group

/etc/security/faillock.conf Hieradata Example With All Parameters

pam::faillock: true
pam::manage_faillock_conf: true
pam::faillock_log_dir: '/var/log/faillock'
pam::faillock_audit: true
pam::display_account_lock: true
pam::faillock_no_log_info: false
pam::faillock_local_users_only: false
pam::faillock_nodelay: false
pam::deny: 5
pam::fail_interval: 900
pam::unlock_time: 900
pam::even_deny_root: true
pam::root_unlock_time: 60
pam::faillock_admin_group: 'wheel'

Managing /etc/security/pwhistory.conf

To manage pwhistory with /etc/security/pwhistory.conf set the following in hieradata:

pam::manage_pwhistory_conf: true

A couple of things to note here are:

• This feature will only work on systems running EL 8 (or equivalent) and above.
• This feature replaced management of /etc/security/opasswd in the SIMP Useradd module as of version 7.0.0 and will conflict with any version of useradd older than 1.0.0.
  • The parameter to control where password history is set is pam::remember_file

/etc/security/pwhistory.conf Hieradata Example With All Parameters

pam::manage_pwhistory_conf: true
pam::remember: 32
pam::remember_retry: 3
pam::remember_file: '/etc/security/opasswd'
pam::remember_debug: true
pam::remember_for_root: true

Development

Please read our Contribution Guide

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle exec rake beaker:suites

Some environment variables may be useful:

BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_fips=yes

• BEAKER_debug: show the commands being run on the STU and their output.
• BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
• BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
• BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.
• BEAKER_fips=yes: enable FIPS-mode on the virtual instances. This can take a very long time, because it must enable FIPS in the kernel command-line, rebuild the initramfs, then reboot.

Please refer to the SIMP Beaker Helpers documentation for more information.

Reference

Table of Contents

Classes

• pam: Ensure that reasonable PAM security options are applied.
• pam::access: Set up /etc/security/access.conf with a default to allow root to login locally.
• pam::access::default_deny: Add a "default deny" rule to pam_access
• pam::config: Configuration class called from pam.
• pam::install: Install the required PAM packages
• pam::limits: Set up /etc/security/limits.conf
• pam::wheel: Enable wheel restrictions for su access

Defined types

• pam::access::rule: Set up entries in /etc/security/access.conf
• pam::auth: Set up the various -auth files in /etc/pam.d.
• pam::limits::rule: domain type item value resource limiting sets as defined in limits.conf(5).

Data types

• Pam::AccountUnlockTime: Valid account unlock values
• Pam::AuthSections: Valid PAM auth sections
• Pam::HashAlgorithm: Valid PAM password hash algorithms
• Pam::Limits::Item: Valid PAM limits
• Pam::Limits::Value: Valid PAM limit values
• Pam::PasswordBackends: Valid PAM password validation backends

Classes

pam

It also takes into account the global SIMP settings for LDAP and SSSD.

Many options are exposed here that may affect a large number of lower-level PAM module settings. This is done to provide continuity across the PAM stack where possible.

Parameters

The following parameters are available in the pam class:

• password_check_backend
• locale_file
• cracklib_difok
• cracklib_maxrepeat
• cracklib_maxsequence
• cracklib_maxclassrepeat
• cracklib_gecoscheck
• cracklib_enforce_for_root
• cracklib_dcredit
• cracklib_ucredit
• cracklib_lcredit
• cracklib_ocredit
• cracklib_minclass
• cracklib_minlen
• cracklib_reject_username
• cracklib_retry
• cracklib_badwords
• cracklib_dictpath
• dictcheck
• rm_pwquality_conf_d
• deny
• faillock
• display_account_lock
• fail_interval
• homedir_umask
• manage_pwhistory_conf
• remember
• remember_retry
• remember_for_root
• remember_file
• remember_debug
• even_deny_root
• root_unlock_time
• hash_algorithm
• rounds
• uid
• unlock_time
• preserve_ac
• warn_if_unknown
• oath
• oath_window
• deny_if_unknown
• use_netgroups
• use_openshift
• sssd
• tty_audit_users
• su_content_extra
• su_content
• other_content
• auth_sections
• cert_auth
• inactive
• auth_content_pre
• fingerprint_auth_content
• system_auth_content
• password_auth_content
• smartcard_auth_content
• enable
• enable_warning
• enable_separator
• separator
• disable_authconfig
• use_authselect
• auth_basedir
• package_ensure
• manage_faillock_conf
• faillock_log_dir
• faillock_audit
• faillock_no_log_info
• faillock_local_users_only
• faillock_nodelay
• faillock_admin_group

password_check_backend

Data type: Pam::PasswordBackends

The password checking library to use

• The default is based on the OS being targeted and is pulled from module data

locale_file

Data type: Optional[Stdlib::Absolutepath]

The path to the locale configuration file on the system

• Explicitly set to undef to disable

Default value: undef

cracklib_difok

Data type: Integer[0]

The number of character changes between the old password and the new password that are enough to accept the new password

Default value: 4

cracklib_maxrepeat

Data type: Integer[0]

Reject passwords which contain more than this many of the same consecutive characters

Default value: 2

cracklib_maxsequence

Data type: Integer[0]

Reject passwords which contain monotonic character sequences longer than this

• The default is 0 which means that this check is disabled. Examples of such sequence are 12345 or fedcb

• Most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password

Default value: 4

cracklib_maxclassrepeat

Data type: Integer[0]

Reject passwords which contain more than this many consecutive characters of the same class

• Character classes include:
  • Upper Case
  • Lower Case
  • Digit
  • Special Character

Default value: 3

cracklib_gecoscheck

Data type: Boolean

Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password

Default value: true

cracklib_enforce_for_root

Data type: Boolean

Enforce all password check settings for the root user

Default value: true

cracklib_dcredit

Data type: Integer

The required credit for having digits in the new password

• For Positive Integers: If you have less than or N digits, each digit will count +1 towards meeting the current minlen value

• For Negative Integers: The minimum number of digits that must be met for a new password

Default value: -1

cracklib_ucredit

Data type: Integer

The required credit for having upper case letters in the new password

• For Positive Integers: If you have less than or N characters , each character will count +1 towards meeting the current minlen value

• For Negative Integers: The minimum number of characters that must be met for a new password

Default value: -1

cracklib_lcredit

Data type: Integer

The required credit for having lower case letters in the new password

• For Positive Integers: If you have less than or N characters , each character will count +1 towards meeting the current minlen value

• For Negative Integers: The minimum number of characters that must be met for a new password

Default value: -1

cracklib_ocredit

Data type: Integer

The required credit for having special characters in the new password

• For Positive Integers: If you have less than or N characters , each character will count +1 towards meeting the current minlen value

• For Negative Integers: The minimum number of characters that must be met for a new password

Default value: -1

cracklib_minclass

Data type: Integer[0]

The minimum number of required classes for the new password

• The four classes are digits, upper and lower letters and other characters

• The difference to the credit check is that a specific class if of characters is not required. Instead N out of four of the classes are required.

Default value: 3

cracklib_minlen

Data type: Integer[0]

The minimum acceptable size for the new password (plus one if credits are not disabled)

Default value: 15

cracklib_reject_username

Data type: Boolean

Don't let the username be used in password

Default value: true

cracklib_retry

Data type: Integer[0]

Prompt user at most N times before returning with error

Default value: 3

cracklib_badwords

Data type: Optional[Array[String[1],1]]

Array of words that must not be contained in the password. These are additional words to the cracklib dictionary check.

Default value: undef

cracklib_dictpath

Data type: Optional[StdLib::Absolutepath]

Path to the cracklib dictionaries. Default is to use the cracklib default.

Default value: undef

dictcheck

Data type: Integer[0]

If nonzero, check whether the password (with possible modifications) matches a word in a dictionary. Currently the dictionary check is performed using the cracklib library. This option will be ignored unless the OS major version is higher than 7.

Default value: 1

rm_pwquality_conf_d

Data type: Boolean

Remove the /etc/security/pwquality.conf.d directory and all contents.

• This ensures authoritative management of pwquality without the ability of users to override our settings directly on the system.

Default value: true

deny

Data type: Integer[0]

The number of failed attempts before PAM denies a user from logging in.

Default value: 5

faillock

Data type: Boolean

Enable or disable the use of faillock

Default value: true

display_account_lock

Data type: Boolean

Display to the remote user that their account has been locked.

Default value: false

fail_interval

Data type: Integer[0]

Sets the time until the check fails.

Default value: 900

homedir_umask

Data type: Simplib::Umask

Sets the file mode creation mask of the user home directories

Default value: '0077'

manage_pwhistory_conf

Data type: Boolean

If true, password history settings will be managed inside of /etc/security/pwhistory.conf instead of inline in the pam auth files. This parameter will be ignored if the host is EL 7.

Default value: false

remember

Data type: Integer[0]

The last N passwords for each user are saved in $remember_file in order to force password change history and keep the user from alternating between the same password too frequently

Default value: 24

remember_retry

Data type: Integer[0]

Allow this many retries

Default value: 1

remember_for_root

Data type: Boolean

Remember the last $remember passwords for the root user.

Default value: true

remember_file

Data type: StdLib::Absolutepath

The location for user's remembered passwords to be saved.

Default value: '/etc/security/opasswd'

remember_debug

Data type: Boolean

If true, turn on debugging for pwhistory to syslog.

Default value: false

even_deny_root

Data type: Boolean

Enforce an account lockout for the root account.

Default value: true

root_unlock_time

Data type: Integer[0]

Allow access after N seconds to root account after failed attempt.

• Has no effect if even_deny_root is not set

Default value: 60

hash_algorithm

Data type: Pam::HashAlgorithm

The password hashing algorithm to use

Default value: 'sha512'

rounds

Data type: Integer[0]

Set the optional number of rounds of the SHA256, SHA512 and Blowfish password hashing algorithms to N

Default value: 10000

uid

Data type: Integer[0]

Allow user logins for users with UID higher than N

Default value: simplib::lookup('simp_options::uid::min', { 'default_value' => pick(fact('login_defs.uid_min'), 1000) })

unlock_time

Data type: Pam::AccountUnlockTime

Allow acesss after N seconds to user account after failed attempt.

Default value: 900

preserve_ac

Data type: Boolean

Keep the original -ac files around for reference

Default value: false

warn_if_unknown

Data type: Boolean

If you make it to the other PAM configuration file, then provide a warning that the login method was uncaught by other PAM stacks

Default value: true

oath

Data type: Boolean

Configures to use pam_oath TOTP in the system-auth pam stack. EXPERIMENTAL: Inherits from simp_options::oath, defaults to false if not found.

• WARNING: pupmod-simp-oath is a dependency of this option. If this is set to true without the oath module, you will be unable to log in locally!

Default value: simplib::lookup('simp_options::oath', { 'default_value' => false })

oath_window

Data type: Integer[0]

Sets the TOTP window (Defined in RFC 6238 section 5.2)

Default value: 1

deny_if_unknown

Data type: Boolean

If true, deny any access to an application that falls all the way through the PAM stack to other

Default value: true

use_netgroups

Data type: Boolean

Default: false Set PAM up to use NIS netgroups.

Default value: false

use_openshift

Data type: Boolean

Set PAM to work with OpenShift

Default value: false

sssd

Data type: Boolean

Set PAM to work with SSSD

Default value: simplib::lookup('simp_options::sssd', { 'default_value' => false })

tty_audit_users

Data type: Array[String[0]]

The users for which TTY auditing is enabled

• Set to an empty Array to not audit TTY actions for any user

Default value: ['root']

su_content_extra

Data type: Optional[Array[String]]

User-specified content to be added to /etc/pam.d/su in addition to the rest of the templated content

Default value: undef

su_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/su instead of the templated content

Default value: undef

other_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/other instead of the templated content

Default value: undef

auth_sections

Data type: Pam::AuthSections

The PAM *-auth files to manage

• Set to an empty Array to not manage any sections

Default value: ['fingerprint', 'system', 'password', 'smartcard']

cert_auth

Data type: Optional[Enum['try','require']]

If set, should choose either 'require' or 'try' to set 'require_cert_auth' or 'try_cert_auth' in the auth files

Default value: undef

inactive

Data type: Optional[Integer]

If set, the number of days before a user can be inactive on a system before their account becomes locked

Default value: undef

auth_content_pre

Data type: Optional[Array[String]]

Content to prepend to the auth configs in addition to templated content

• Set to an empty Array to not prepend any default content

Default value: undef

fingerprint_auth_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/fingerprint_auth instead of the templated content

Default value: undef

system_auth_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/system_auth instead of the templated content

Default value: undef

password_auth_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/password_auth instead of the templated content

Default value: undef

smartcard_auth_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/smartcard_auth instead of the templated content

Default value: undef

enable

Data type: Boolean

If you have included this module but want it to stop managing your configuration files set this to false

Default value: true

enable_warning

Data type: Boolean

Will issue a warning if this module is included but global catalyst simp_options::pam is set to false

Default value: true

enable_separator

Data type: Boolean

Enable a custom list separator. WARNING this setting may break pam_access on some platforms. Use with caution

Default value: true

separator

Data type: String[0]

Separator to use for user and origin lists

Default value: ','

disable_authconfig

Data type: Boolean

Disable authconfig from being used, as it breaks this module's reconfiguration of PAM.

Default value: true

use_authselect

Data type: Boolean

If true, the files created in this module will be created in a simp directory and authselect will simply include the files created under that new directory. In short, if this value is true, the files will be created the same way, they will just live under a different directory and be included by the original files

Default value: simplib::lookup('simp_options::authselect', { 'default_value' => false })

auth_basedir

Data type: Optional[StdLib::Absolutepath]

The directory in which the auth files will be created

Default value: undef

package_ensure

Data type: Simplib::PackageEnsure

Ensure setting for all packages installed by this module

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' })

manage_faillock_conf

Data type: Boolean

If true, the faillock parameters will be managed within /etc/security/faillock.conf instead of inline in the auth files. This parameter will be ignored on el7 and earlier systems.

Default value: false

faillock_log_dir

Data type: Optional[Stdlib::Absolutepath]

The directory where the user files with the failure records are kept.

Default value: undef

faillock_audit

Data type: Boolean

If true, log the user name into the system log if the user is not found.

Default value: true

faillock_no_log_info

Data type: Boolean

If true, don't log informative messages via syslog.

Default value: false

faillock_local_users_only

Data type: Boolean

If true, only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.

Default value: false

faillock_nodelay

Data type: Boolean

If true, don't enforce a delay after authentication failures.

Default value: false

faillock_admin_group

Data type: Optional[String]

If a group name is specified with this option, members of the group will be handled by this module the same as the root account.

Default value: undef

pam::access

Use pam::access::rule to manage access.conf entries and remember that order matters (first match wins)!

• See also
  • access.conf(5)

Parameters

The following parameters are available in the pam::access class:

• default_deny
• users
• access_file_mode

default_deny

Data type: Boolean

Add a "default deny" rule as the last match of the rule set

Default value: true

users

Data type: Optional[Hash]

A hash that can be used to create several pam::access::rule resources set in Hiera. Each member of the hash will be a resource (this example is from hiera):

pam::access::users: defaults: origins:

    - ALL
  permission: '+'
vagrant:
'(simp)':
test:
  origins:
    - 192.168.0.1/24
baddude:
  permission: '-'

Default value: undef

access_file_mode

Data type: Stdlib::Filemode

File mode for /etc/security/access.conf

Default value: '0644'

pam::access::default_deny

Always allow root locally for safety

pam::config

Configuration class called from pam.

pam::install

Install the required PAM packages

pam::limits

Add entries with pam::limits::rule

• See also
  • limits.conf(5)

Parameters

The following parameters are available in the pam::limits class:

• rules

rules

Data type: Optional[Hash]

A Hash that can be used to create pam::limits::rule resources via Hiera.

• The Hash must be formatted suitably for passing directly into create_resource()
• Remember that order matters:

@example Hiera formatted rules

pam::limits::rules: disable_core_for_user1: domains:

    - 'user1'
  type: 'hard'
  item: 'core'
  value: 0
  order: 50
disable_core_for_all:
  domains:
    - '*'
  type: 'hard'
  item: 'core'
  value: 0
  order: 100

Default value: undef

pam::wheel

Enable wheel restrictions for su access

• See also
  • pam_wheel(8)

Parameters

The following parameters are available in the pam::wheel class:

• wheel_group
• root_only
• use_openshift
• su_content_extra
• content

wheel_group

Data type: String[1]

What group should be the wheel equivalent

Default value: 'wheel'

root_only

Data type: Boolean

Only enforce wheel restrictions when changing to the root user

Default value: false

use_openshift

Data type: Boolean

Whether or not to configure things in such a way that the openshift puppet code is compatible

Default value: $pam::use_openshift

su_content_extra

Data type: Optional[Array[String]]

User-specified content added after rootok but before further templated content

Default value: $pam::su_content_extra

content

Data type: Optional[String[1]]

Optional custom content for file

Default value: $pam::su_content

Defined types

pam::access::rule

These entries are the permission:users:origins sets as defined in access.conf(5).

• See also
  • access.conf(5)

Examples

Add administrator group access

pam::access::rule { 'administrators':
  permission => '+',
  users      => ['(administrators)'],
  origins    => ['ALL'],
  order      => 1000
}

Add everyone except group bad_guys

pam::access::rule { 'bad_guys':
  permission => '+',
  users      => ['ALL EXCEPT (bad_guys)'],
  origins    => ['ALL'],
  order      => 1000
}

Add everyone except the hippopotamus

pam::access::rule { 'but_not_the_hippopotamus':
  permission => '+',
  users      => ['ALL EXCEPT hippopotamus'],
  origins    => ['ALL'],
  order      => 1000
}

Allow group auditors from two specific hosts

pam::access::rule { 'auditors_from_trusted_nodes':
  permission => '+',
  users      => ['(auditors)'],
  origins    => ['1.2.3.4','5.6.7.8'],
  order      => 1000
}

Parameters

The following parameters are available in the pam::access::rule defined type:

• name
• comment
• permission
• users
• origins
• order

name

Data type: String

A unique name for the resource

comment

Data type: Optional[String]

A comment to include with this entry

Default value: undef

permission

Data type: Enum['+','-']

If +, grant access. If -, revoke access

Default value: '+'

users

Data type: Array[String]

The users, groups, or netgroups to allow access to the system.

Syntax:

```
user     => username
group    => (groupname)
netgroup => @netgroup
```

• Entries are not validated so complex expressions are allowed such as ALL EXCEPT (bad_guys)

origins

Data type: Array[String]

The locations from which users are allowed to login to the system

• See access.conf(5) for the full list

order

Data type: Integer[1,9999999999]

The order in which you want this rule to appear

• If you do not specify a order, the rules will be listed in alphanumeric order by name

Default value: 1000

pam::auth

This is only meant to be called via the main pam class. Documentation is identical to that in the pam class.

If you want to change the umask on dynamically created home directories, you'll need to set oddjob::mkhomedir::umask.

Parameters

The following parameters are available in the pam::auth defined type:

• password_check_backend
• locale_file
• auth_content_pre
• manage_faillock_conf
• faillock_audit
• faillock_no_log_info
• faillock_local_users_only
• faillock_nodelay
• faillock_admin_group
• cracklib_enforce_for_root
• cracklib_reject_username
• cracklib_difok
• cracklib_maxrepeat
• cracklib_maxsequence
• cracklib_maxclassrepeat
• cracklib_gecoscheck
• cracklib_dcredit
• cracklib_ucredit
• cracklib_lcredit
• cracklib_ocredit
• cracklib_minclass
• cracklib_minlen
• cracklib_retry
• oath
• oath_window
• deny
• faillock
• faillock_log_dir
• display_account_lock
• fail_interval
• manage_pwhistory_conf
• remember_debug
• remember
• remember_retry
• remember_for_root
• remember_file
• even_deny_root
• root_unlock_time
• hash_algorithm
• rounds
• uid
• unlock_time
• preserve_ac
• use_netgroups
• use_openshift
• sssd
• tty_audit_users
• separator
• enable_separator
• inactive
• cert_auth
• content

password_check_backend

Data type: Pam::PasswordBackends

Default value: $pam::password_check_backend

locale_file

Data type: Optional[Stdlib::Absolutepath]

Default value: $pam::locale_file

auth_content_pre

Data type: Optional[Array[String]]

Default value: $pam::auth_content_pre

manage_faillock_conf

Data type: Boolean

Default value: $pam::manage_faillock_conf

faillock_audit

Data type: Boolean

Default value: $pam::faillock_audit

faillock_no_log_info

Data type: Boolean

Default value: $pam::faillock_no_log_info

faillock_local_users_only

Data type: Boolean

Default value: $pam::faillock_local_users_only

faillock_nodelay

Data type: Boolean

Default value: $pam::faillock_nodelay

faillock_admin_group

Data type: Optional[String]

Default value: $pam::faillock_admin_group

cracklib_enforce_for_root

Data type: Boolean

Default value: $pam::cracklib_enforce_for_root

cracklib_reject_username

Data type: Boolean

Default value: $pam::cracklib_reject_username

cracklib_difok

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_difok

cracklib_maxrepeat

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_maxrepeat

cracklib_maxsequence

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_maxsequence

cracklib_maxclassrepeat

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_maxclassrepeat

cracklib_gecoscheck

Data type: Optional[Boolean]

Default value: $pam::cracklib_gecoscheck

cracklib_dcredit

Data type: Optional[Integer]

Default value: $pam::cracklib_dcredit

cracklib_ucredit

Data type: Optional[Integer]

Default value: $pam::cracklib_ucredit

cracklib_lcredit

Data type: Optional[Integer]

Default value: $pam::cracklib_lcredit

cracklib_ocredit

Data type: Optional[Integer]

Default value: $pam::cracklib_ocredit

cracklib_minclass

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_minclass

cracklib_minlen

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_minlen

cracklib_retry

Data type: Integer[0]

Default value: $pam::cracklib_retry

oath

Data type: Boolean

Default value: $pam::oath

oath_window

Data type: Integer[0]

Default value: $pam::oath_window

deny

Data type: Integer[0]

Default value: $pam::deny

faillock

Data type: Boolean

Default value: $pam::faillock

faillock_log_dir

Data type: Optional[Stdlib::Absolutepath]

Default value: $pam::faillock_log_dir

display_account_lock

Data type: Boolean

Default value: $pam::display_account_lock

fail_interval

Data type: Integer[0]

Default value: $pam::fail_interval

manage_pwhistory_conf

Data type: Boolean

Default value: $pam::manage_pwhistory_conf

remember_debug

Data type: Boolean

Default value: $pam::remember_debug

remember

Data type: Integer[0]

Default value: $pam::remember

remember_retry

Data type: Integer[0]

Default value: $pam::remember_retry

remember_for_root

Data type: Boolean

Default value: $pam::remember_for_root

remember_file

Data type: Stdlib::Absolutepath

Default value: $pam::remember_file

even_deny_root

Data type: Boolean

Default value: $pam::even_deny_root

root_unlock_time

Data type: Integer[0]

Default value: $pam::root_unlock_time

hash_algorithm

Data type: Pam::HashAlgorithm

Default value: $pam::hash_algorithm

rounds

Data type: Integer[0]

Default value: $pam::rounds

uid

Data type: Integer[0]

Default value: $pam::uid

unlock_time

Data type: Pam::AccountUnlockTime

Default value: $pam::unlock_time

preserve_ac

Data type: Boolean

Default value: $pam::preserve_ac

use_netgroups

Data type: Boolean

Default value: $pam::use_netgroups

use_openshift

Data type: Boolean

Default value: $pam::use_openshift

sssd

Data type: Boolean

Default value: $pam::sssd

tty_audit_users

Data type: Array[String[0]]

Default value: $pam::tty_audit_users

separator

Data type: String[0]

Default value: $pam::separator

enable_separator

Data type: Boolean

Default value: $pam::enable_separator

inactive

Data type: Optional[Integer]

Default value: $pam::inactive

cert_auth

Data type: Optional[Enum['try','require']]

Default value: $pam::cert_auth

content

Data type: Optional[String]

Default value: undef

pam::limits::rule

Be aware that order matters and the LAST item that matches in the limits.conf file will take effect.

• See also
  • limits.conf(5)

Examples

Enforce hard and soft disable on core dumps

pam::limits::rule { 'limit_core':
  domains => ['*'],
  type    => '-',
  item    => 'core',
  value   => 0,
  order   => 1
}

Only allow 2 administrators to login at once

pam::limits::rule { 'limit_admins':
  domains => ['%administrators', '%wheel'],
  type    => 'hard',
  item    => 'maxlogins',
  value   => 2,
  order   => 1
}

Parameters

The following parameters are available in the pam::limits::rule defined type:

• name
• domains
• item
• value
• type
• order

name

Data type: String

A descriptive name for your resource

domains

Data type: Array[String]

The domains to which these limits should apply

• One entry will be created per domain, in listed order
• See the <domain> section of limits.conf(5) for details

item

Data type: Pam::Limits::Item

The item to which these limits should apply

• See the <item> section of limits.conf(5) for details

value

Data type: Pam::Limits::Value

The value to apply to the item and domains

• See the <item> section of limits.conf(5) for details

type

Data type: Enum['hard','soft','-']

The type to apply to the item and domains

• See the <type> section of limits.conf(5) for details

Default value: '-'

order

Data type: Integer[0]

The order in which this rule should appear

• If you don't specify a order, the rules will be listed in alphanumeric order by name

Default value: 1000

Data types

Pam::AccountUnlockTime

Valid account unlock values

Alias of Variant[Integer[0], Enum['never']]

Pam::AuthSections

Valid PAM auth sections

Alias of

Array[Enum[
  'fingerprint',
  'system',
  'password',
  'smartcard'
]]

Pam::HashAlgorithm

Valid PAM password hash algorithms

Alias of Enum['md5', 'bigcrypt', 'sha256', 'sha512', 'blowfish']

Pam::Limits::Item

Valid PAM limits

Alias of Enum['core', 'data', 'fsize', 'memlock', 'nofile', 'rss', 'stack', 'cpu', 'nproc', 'as', 'maxlogins', 'maxsyslogins', 'priority', 'locks', 'sigpending', 'msgqueue', 'nice', 'rtprio']

Pam::Limits::Value

Valid PAM limit values

Alias of Variant[Enum['unlimited','infinity'], Integer]

Pam::PasswordBackends

Valid PAM password validation backends

Alias of Enum['cracklib', 'pwquality']

• Mon Nov 04 2024 Mike Riddle mike@sicura.us - 7.3.0

• "root_unlock_time" will no longer be included in faillock.conf if "even_deny_root" is set to false
• Added nullok back as a parameter for completeness, however, users are warned not to use it unless they fully understand the implication of having users without passwords

• Tue Oct 29 2024 Mike Riddle mike@sicura.us - 7.2.2

• Fixed pam auth files getting mangled when using cracklib as the pwbackend

• Tue Oct 22 2024 Steven Pritchard steve@sicura.us - 7.2.1

• Fix trailing whitespace in filenames and content

• Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 7.2.0

• [puppetsync] Update module dependencies to support simp-iptables 7.x

• Tue Apr 09 2024 Mike Riddle mike@sicura.us - 7.1.0

• Added the cert_auth parameter
• Added the inactive parameter

• Wed Jan 31 2024 Mike Riddle mike@sicura.us - 7.0.0

• Added functionality to control /etc/security/pwhistory.conf
• Fixed logic that would cause certain functionality to break on Amazon Linux 2022 and above

• Mon Jan 29 2024 Mike Riddle mike@sicura.us - 6.16.0

• Added functionality to control /etc/security/faillock.conf

• Wed Jan 17 2024 Richard Gardner rick@sicura.us - 6.15.1

• Updated hiera.yaml facts to support puppet 8

• Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 6.15.0

• [puppetsync] Add EL9 support

• Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 6.14.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Wed Aug 23 2023 Steven Pritchard steve@sicura.us - 6.13.0

• Add AlmaLinux 8 support

• Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 6.12.0

• Add RockyLinux 8 support

• Tue May 30 2023 Mike Riddle mike@sicura.us - 6.11.3

• Added support for use of this module with authselect enabled

• Thu Dec 15 2022 Chris Tessmer chris.tessmer@onyxpoint.com - 6.11.2

• Accomodate 'retry =' patch with EL versions earlier than 8.4

• Tue Dec 06 2022 Kevin Harrington 3482852+ke5C2Fin@users.noreply.github.com - 6.11.2

• Add 'retry =' to /etc/security/pwquality.conf per STIG RHEL-08-020104

• Wed Apr 13 2022 Mike Riddle mike@sicura.us - 6.11.1

• Fix bug that failed when setting faillock_log_dir parameter

• Mon Mar 28 2022 Mike Riddle mike@sicura.us - 6.11.0

• Add dictcheck parameter to pwquality
• Add faillock_log_file parameter

• Sun Mar 20 2022 Trevor Vaughan trevor@sicura.us - 6.10.1

• Support Amazon Linux 2

• Thu Aug 26 2021 Kendall Moore kendall.moore@onyxpoint.com - 6.10.0

• Add pre section content for auth files
• Add extra content for su

• Wed Aug 04 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.9.1

• Silence unnecessary TTY messages

• Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.9.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Tue Jun 08 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.9.0

• Fixed
  • Added default Hiera deep merges for pam::access::users and pam::limits::rules based on user feedback

• Wed Dec 23 2020 Jeanne Greulich jeannegreulich@onyxpoint.com - 6.8.3-0

• Fixed a bug in the system-auth configuration file in which it did not skip pam_tty_audit if the login did not have a tty. This caused service logins to fail, specifically the gdm service.
• Removed support for EL6.
• Set the quiet parameter when doing pam_listfile lookups in auth.pp so that users don't end up with warnings in the logs that look like authentication failures

• Tue Aug 25 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.8.2-0

• Use the fixed simplib__auditd fact for toggling pam_tty_audit

• Wed Aug 05 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.8.1-0

• Ensure that pam_tty_audit is optional if auditing is not enabled on the system

• Wed May 27 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.8.0-0

• Add the ability to specify pam::limits::rules via Hiera

• Wed Mar 25 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.7.1-0

• Moved the pam_unix.so check before the pam_sss.so check in the password section of the auth files otherwise it returns an "authentication token manipulation" error and local passwords can not be changed.

• Fri Feb 28 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.7.0-0

• Ignore authconfig disable on EL8. Authconfig was replaced with authselect and authselect does not overwrite settings unless you select --force option.

• Tue Dec 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.7.0-0

• Add EL8 support
• Remove installation of pam_pkcs11 and fprintd-pam by default since they not actually required for basic functionality
• Update documentation for 'puppet strings'

• Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.7.0-0

• Support puppetlabs/concat 6.x.

• Thu Jun 06 2019 Steven Pritchard steven.pritchard@onypoint.com - 6.6.0-0

• Add v2 compliance_markup data

• Mon Apr 29 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.0-0

• Fix bug where the ending faillock items were not being called due to the 'sufficient' lines on pam_unix and pam_sssd.
• Add option to allow users to disable faillock if desired
• Fix bug where 'authsucc' was not set at the end of the 'auth' section for faillock (SIMP-6306)
• Update all comments for puppet strings
• Converted all templates to EPP for performance
• Fully updated the README

• Tue Apr 16 2019 Zach turtles.be.the.best@gmail.com - 6.5.0-0

• Add totp support through pam_oath

• Fri Mar 15 2019 Nicholas Markowski nicholas.markowski@onyxpoint.com - 6.4.0-0

• Added pam::access::access_file_mode parameter to allow users to manage access.conf file permissions
• Updated lower bound on stdlib to 4.22.0 to add Filemode strong type support

• Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.1-0

• Expanded the upper limit of the concat and stdlib Puppet module versions
• Updated a URL in the README.md

• Thu Oct 04 2018 Zach turtles.be.the.best@gmail.com - 6.3.0-0

• Fix 'faillock' bug in system-auth
• Update badges and contribution guide URL in README.md

• Tue Sep 11 2018 Steven Pritchard steven.pritchard@onyxpoint.com - 6.3.0-0

• Fix *_auth_content pam class parameters

• Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.3.0-0

• Update Hiera 4 to Hiera 5

• Fri Jul 20 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.0-0

• Added the reading of the system locale settings during the session activation of users.

• Thu Jul 12 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.0-0

• Add support for OEL and Puppet 5

• Mon Apr 30 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.1-0

• Allow users to change the password hash algorithm
• Allow users to enable/disable enforcing password policies for root
• Update compliance tests to work with inspec profiles and compliance engine enforcement.

• Mon Apr 16 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0

• Set the default cracklib_maxclassrepeat to 3.

• Mon Feb 12 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0

• Update upperbound on puppetlabs/concat version to < 5.0.0

• Fri Feb 09 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.2.0-0

• Update the pam::unlock_time parameter to accept 'never' as a value per the man page and in accordance with the DISA STIG

• Wed Jan 24 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0

• Replace authconfig and authconfig-tui links to a no-op script, instead of removing them. This does not break tools that use authconfig.
• Use simp_options::package_ensure, when available

• Wed Dec 13 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0

• Set the minimum UID allowed onto the system to the default defined in /etc/login.defs or 1000 if not otherwise defined

• Fri Sep 22 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.1.0-0

• Changed password checking from pam_cracklib.so to pam_pwquality.so for EL7

• Fri Sep 22 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 6.1.0-0

• Enable pam_tty_audit for sudo

• Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.4-0

• Add concat dependency to metadata.json
• Update concat dependency in build/rpm_metadata/requires

• Tue May 23 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.3-0

• Fixed docs in pam::limits::rule
• Update puppet requirement in metadata.json

• Wed Apr 05 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.2-0

• fixed puppet strings documentation in access.pp

• Mon Mar 15 2017 Nicholas Hughes nicholasmhughes@gmail.com - 6.0.1-0

  • corrected location of authconfig binaries

• Mon Feb 13 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.0-0

• When using list separator you can't have spaces between identifiers in access.conf if your separator is not a space. It then includes spaces as part of the name so we are removing spaces from the access file. Dylan also added changes that wrap the use of separator in boolean.

• Tue Jan 17 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0

• Added feature to add pam::access::manage resources from hiera

• Thu Jan 12 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0

• Changed the following for the SSG:
  • minimum length now set to 15

• Wed Dec 21 2016 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.0-0

• corrected error for lookup
• Fixed comments and aligned variables to make it look pretty.
• update simplib version to include new types.
• renamed pam::access::manage to pam::access::rule
• renamed pam::limits::add to pam::limits::rule
• Added strong types and updated Global catalists.
• Removed NSCD logic.

• Wed Nov 30 2016 Nick Miller nick.miller@onyxpoint.com - 5.0.1-0

• Added a generic content option to replace all templated PAM configurations
  • Setting use_templates to false will enable them

• Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.0-0

• update requirement versions

• Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0

• Updated to compliance_markup version 2

• Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0

• Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.

• Thu Aug 25 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.5-0

• Update to pam_pwhistory.so to fix local user login failures due to SELinux policy updates affecting /etc/security/opasswd in EL7.

• Mon Aug 15 2016 Nick Miller nick.miller@onyxpoint.com - 4.2.4-0

• Reverted STIG password policy compliance changes

• Fri Aug 05 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.3-0

• Updated system-auth values to be STIG compliant.

• Thu Jul 07 2016 Liz Nemsick elizabeth.nemsick@uscontracting.us - 4.2.2-0

• Added use of pam_tty_audit in system-auth, password-auth, and fingerprint-auth.
• Updated module to use new rake helper to auto-generate RPM .spec file.
• Fixed bug related to pam::display_account_lock.

• Wed Mar 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.1-0

• Move pam_oddjob_mkhomedir below pam_sssd in the stack due to a odd SELinux-related bug which prevented users from logging into systems via SSH.

• Mon Mar 14 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.0-0

• Ensure that EL6.7+ uses SSSD over NSCD

• Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-14

• Added compliance function support

• Wed Nov 18 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13

• Updated to enable SSSD properly now that most of the major items have been resolved upstream.

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-13

• Migration to simplib and simpcat (lib/ only)

• Tue Oct 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12

• Removed all calls to the lsb facts and replaced them with 'operatingsystem' facts

• Fri Sep 18 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11

• Moved pam_mkhomedir to before pam_systemd to fix issues with systemd subsystem failures occuring due to a lack of a home directory.

• Sat May 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10

• Slight update to more closely align with the STIG.

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

• Changed puppet-server requirement to puppet

• Thu Oct 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

• Updated the mode on limits.conf and access.conf to be non-executable.
• Changed the mode on access.conf to be world readable so that the RHEL7 screensaver can unlock properly.

• Wed Oct 01 2014 Trevor Vaughan tvaughan@onxypoint.com - 4.1.0-7

• Added options to the auth configs in PAM to ensure that GDM works properly in RHEL7.

• Thu Sep 04 2014 Adam Yohrling adam.yohrling@onyxpoint.com - 4.1.0-6

• Added optional pam_systemd module to access template. This will only work if present on the system and is required for CentOS/RHEL 7

• Fri Jul 25 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5

• Added oddjob support for creating home directories for setting correct SELinux contexts on created home directories. See: https://bugzilla.redhat.com/show_bug.cgi?id=447096#c3

• Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4

• Removed MD5 file checksums for FIPS compliance.

• Thu Apr 10 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

• Added full support for access.conf and removed groupaccess.conf since it is no longer required. pam::access::manage should now be used instead of pam::groupaccess::modify.
• Renamed pam::access_conf and pam::limits_conf to pam::access and pam::limits respectively.
• Moved pam::limits::add_limit to pam::limits::add

• Mon Feb 10 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2

• Updates to fully support OpenShift.
• Added OpenSCAP support.

• Tue Jan 28 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1

• Added proper support to the wheel class for OpenShift support so that it does not conflict with the base classes from openshift_origin.

• Tue Oct 22 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0

• Converted groupaccess over to using simp_file_line instead of concat.
• Cleaned up the PAM settings quite a bit and now using a single template for all -auth files in /etc/pam.d.
• pam_faillock no longer causes spurious failed logins with sudo.

• Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-7

• Updated all erb templates to properly scope variables.
• Added variables to init.pp to make templates more configurable.

• Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-6

• Use 'versioncmp' for all version comparisons.

• Mon Feb 25 2013 Maintenance - 4.0-5

• Added a call to $::rsync_timeout to the rsync call since it is now required.

• Tue Jul 24 2012 Maintenance - 4.0.0-4

• Added maxclassrepeat=3 and gecoscheck to the cracklib line.
• Removed the *credit items from the cracklib line. We have minclass=3 which is good enough and having the rest in there was confusing.

• Wed Jun 13 2012 Maintenance - 4.0.0-3

• Fixed a bug where the other *-auth files in pam.d were not updated to handle faillock properly.

• Wed May 16 2012 Maintenance - 4.0.0-2

• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance - 4.0.0-1

• Improved test stubs.

• Fri Feb 10 2012 Maintenance - 4.0.0-0

• Updated the PAM template to handle faillog as the new default in RHEL6.
• Added tests for verifying that a user account lockout happens after 5 tries, can be unlocked, and functions properly after that.

• Tue Dec 20 2011 Maintenance - 2.0.0-5

• Updated the spec file to not require a separate file list.
• Added a line to allow the local 'wheel' group to get to su and bypass checking the alternately set group. This allows the alternate group to be in LDAP and the local group to be able to su when LDAP is down or an emergency user is local.

• Thu Oct 27 2011 Maintenance - 2.0.0-4

• Added the new 'auth' portions of pam.d and removed everything except for 'other' from the rsync segment of pam.d.

• Mon Oct 10 2011 Maintenance - 2.0.0-3

• Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
• Updated to work around the issue where SSSD can't update shadow fields in LDAP.

• Tue Jun 07 2011 Maintenance - 2.0.0-2

• Rearranged items in system-auth so that fewer erroneous errors would be thrown on login. You'll still get them if logging in as a local user. Red Hat is aware of the issue.
• Fixed this module for the case where $use_sssd does not exist.
• Default password length is now 14
• Removed nullok to prevent all blank password usage
• Added support for wheel in 'su' via pam::wheel
• Set pam_lastlog

• Tue Apr 05 2011 Maintenance - 2.0.0-1

• Added support to system-auth for SSSD.
• Updated to use rsync native type
• Updated system-auth to enforce a stronger default password set.
• This needs to be templated but not for 2.0.0-Beta.
• Updated to use concat_build and concat_fragment types

• Tue Jan 11 2011 Maintenance - 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Mon Jan 10 2011 Maintenance - 1.0-4

• Updated the PAM configuration to fix an issue where pam_unix.so was set to default=ignore. This is definitely not what you want.

• Thu Nov 04 2010 Maintenance - 1.0-3

• pam_tally2 still wasn't properly taking effect. Should be corrected.
• This update adds the ability to modify the delay after a failed login via PAM. FAIL_DELAY by itself doesn't do anything without the addition of pam_faildelay.so this item was added to the default PAM config.

• Tue Oct 26 2010 Maintenance - 1.0-2

• Converting all spec files to check for directories prior to copy.

• Tue Aug 10 2010 Maintenance - 1.0-1

• Rearranged the pam_tally2 items in system-auth.erb to ensure that account lockouts are taking effect properly.

• Fri Jun 04 2010 Maintenance - 1.0-0

• Modified the system-auth.erb file to:
  • Get rid of session messages in /var/log/secure when cron runs.
  • Ensure that cron can run without having a user in the groupaccess.conf file.
  • Skip pam_ldap if pam_unix succeeds.
• Code refactor and update
• Added 'Tidy' statements to match the rest of the multi-build patterns.
• Fixed a problem with pam_succeed_if.so uid=0 causing auid to be set to -1. Changed to user = root.
• Changed the pam_mkhomedir call to be 'optional' instead of 'required'. This allows users to login even if their home directory can't be created.

• Fri Feb 05 2010 Maintenance - 0.1-10

• Fixed some incorrect settings with pam_cracklib.so and added in some new checking functionality for repeated characters and username matching.
• Removed the necessity of the rootaccess file. This does mean that root can su to any user but completely prevents root lockouts.