ghoneycutt / puppet-module-pam

Puppet module to manage PAM

[Feature] - Ability to add options for pam_access lines added #156

Closed benkevan closed 7 years ago

benkevan commented 7 years ago

Allow the ability to add specific options to the added pam_access.so lines.

Specifically for me listsep= (since I utilize AD and need to assign to groups with spaces).

ghoneycutt commented 7 years ago

Hi @benkevan

I'm happy to work with you on a pull request to add that functionality.

benkevan commented 7 years ago

@ghoneycutt this would be quite the undertaking.

For example, if someone wanted to use listsep=, (to allow spaces in /etc/security/access.conf) one would have to then remove all spaces within the default/template access.conf file (which is default).

I'll try to work on this as I have time, however, for now, I just updated the template downstream on my deployment to not have any spaces, and the pam_access lines to include pam_access.so

ghoneycutt commented 7 years ago

You can specify your own array of lines for each of the configs. Check out the options in the README around https://github.com/ghoneycutt/puppet-module-pam#pam_sshd_auth_lines

Will that work for you?

benkevan commented 7 years ago

@ghoneycutt I'm applying my own lines via an array within my hiera data. This functions fine.

The issue revolves around the default spacing within access.conf [1]. As you can see, there are spaces before and after the : (colon). When using some options (i.e., listsep=,) the spaces would have to be removed and the line would have to be "+:<%= key %>:ALL" without the spaces. I think the efforts to get this done may have very little benefit and would cause some overcomplication of the spec fixture testing to ensure pam isn't crippled system wide.

[1] https://github.com/ghoneycutt/puppet-module-pam/blob/master/templates/access.conf.erb#L16

benkevan commented 7 years ago

@ghoneycutt

To answer your question, yes that would work for allowing the custom lines within the sshd pam file, the issue I guess really resides within the outcome of the access.conf which is dependent on the input into sshd pam file.

I think this can be closed since the original request was really to utilize options within pam_access which, as you state, is supported through the use of the sshd.custom.erb template.

ghoneycutt commented 7 years ago

Glad you were able to find a simple solution.
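
The whitespace problem discussed in this thread, as an added example (not code from this module or from Linux-PAM): a simplified Ruby model of how pam_access splits an access.conf entry, plus a check that flags tokens left with stray spaces once `listsep=,` is in use. The function names and the sample entries are constructed for illustration, and the default separator set (comma, space, tab) is taken from the pam_access documentation.

```ruby
# Simplified model of pam_access parsing: "permission:users:origins",
# with users/origins split on the list separator characters.
DEFAULT_LISTSEP = ", \t" # documented pam_access default
FIELDSEP = ":"

# Split one field into list elements, strtok-style (runs of separators, no empties).
def split_list(field, listsep)
  field.split(/[#{Regexp.escape(listsep)}]+/).reject(&:empty?)
end

# Parse a single entry; returns nil when fewer than three fields are present.
def parse_entry(line, listsep)
  perm, users, origins = line.rstrip.split(FIELDSEP, 3)
  return nil if origins.nil?

  { perm: perm,
    users: split_list(users, listsep),
    origins: split_list(origins, listsep) }
end

# Report [line_number, token] for every list element that still carries
# leading or trailing whitespace. Such a token will not equal the real
# user, group or origin name, so the rule silently stops matching.
def padded_tokens(text, listsep)
  findings = []
  text.each_line.with_index(1) do |line, n|
    next if line.strip.empty? || line.lstrip.start_with?("#")

    entry = parse_entry(line, listsep)
    next if entry.nil?

    (entry[:users] + entry[:origins]).each do |tok|
      findings << [n, tok] if tok != tok.strip
    end
  end
  findings
end

# Constructed sample entries: spaced layout vs. compact layout.
SPACED  = "+ : Domain Admins : ALL\n- : ALL : ALL\n"
COMPACT = "+:Domain Admins:ALL\n-:ALL:ALL\n"

if __FILE__ == $PROGRAM_NAME
  p parse_entry(SPACED.lines[0], DEFAULT_LISTSEP)[:users] # group name split in two
  p padded_tokens(SPACED, ",")                            # spaced layout breaks with listsep=,
  p padded_tokens(COMPACT, ",")                           # compact layout is clean
end
```

Running a check like this against the rendered access.conf in a spec test catches the mismatch before a `- : ALL : ALL` style deny rule stops matching, or an allow rule locks everyone out.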