ghoneycutt / puppet-module-pam

Puppet module to manage PAM

By default users are not restricted per ssh. #157

Closed fbarbeira closed 7 years ago

fbarbeira commented 7 years ago

If I specify data in hiera like this:

pam::allowed_users:
  'root':
    - 'crond'
    - 'tty1'
    - 'tty2'
    - 'tty3'
    - 'tty4'
    - 'tty5'
    - 'tty6'
    - '127.0.0.1'
    - '192.168.0.'

In debian8 and ubuntu16 this policy is not applied, because the module "pam_access.so" is not loaded in the sshd template. It is only applied in: el5, el6, el7 and suse11. If I do a recursive grep through the templates, it is only applied in a few operating systems. Why not in debian or ubuntu?

fbarbeira@:~modules/pam/templates(master)$ rgrep pam_access.so *
login.el5.erb:account    <%= @login_pam_access %>     pam_access.so
login.el6.erb:account    <%= @login_pam_access %>     pam_access.so
login.el7.erb:account    <%= @login_pam_access %>     pam_access.so
login.suse11.erb:account   <%= @login_pam_access %>       pam_access.so
sshd.el5.erb:account    <%= @sshd_pam_access %>     pam_access.so
sshd.el6.erb:account    <%= @sshd_pam_access %>     pam_access.so
sshd.el7.erb:account    <%= @sshd_pam_access %>     pam_access.so
sshd.suse11.erb:account   <%= @sshd_pam_access %>       pam_access.so
fbarbeira@:~modules/pam/templates(master)$

I think that the snippet to add is the following to the sshd templates:

<% if @sshd_pam_access != 'absent' -%>
account    <%= @sshd_pam_access %>     pam_access.so
<% end -%>

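
The failure mode described in this issue is silent: the hiera data renders an access.conf, but if the service's PAM stack never calls pam_access.so, nothing enforces it. The following Python script is an added example (not part of the issue or of the puppet-module-pam code) that audits which services actually load pam_access.so in their account stack, following include/@include/substack directives, and then simulates the access.conf decision for a user and origin. The /etc/pam.d contents are constructed samples, not copied from real hosts; the assumed access.conf shape (one "+" line per user followed by "- : ALL : ALL") and the simplified origin matching (exact match, ALL, and trailing-dot network prefix) are assumptions and cover only a subset of what pam_access supports.

```python
"""Audit whether pam_access.so is loaded for a PAM service and simulate
the access.conf decision, to show how an unloaded module makes the
allowed_users policy a no-op. Added example; inputs are constructed."""

# Constructed /etc/pam.d contents resembling an EL7 host.
PAM_D_EL7 = {
    "sshd": """#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
account    required     pam_access.so
account    include      password-auth
""",
    "password-auth": "account    required     pam_unix.so\n",
}

# Constructed /etc/pam.d contents resembling a Debian 8 host: no pam_access.
PAM_D_DEBIAN8 = {
    "sshd": """# PAM configuration for the Secure Shell service
auth       required     pam_env.so
@include common-auth
account    required     pam_nologin.so
@include common-account
""",
    "common-account": "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\n",
}

# The hiera data from the issue, as a plain dict.
ALLOWED_USERS = {
    "root": ["crond", "tty1", "tty2", "tty3", "tty4", "tty5", "tty6",
             "127.0.0.1", "192.168.0."],
}


def account_modules(pam_d, service, seen=None):
    """Return module names in the 'account' stack of `service`, following
    '@include', 'include' and 'substack' into other files of pam_d."""
    seen = set() if seen is None else seen
    if service in seen or service not in pam_d:
        return []
    seen.add(service)
    mods = []
    for raw in pam_d[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "@include" and len(parts) > 1:
            mods += account_modules(pam_d, parts[1], seen)
            continue
        if len(parts) < 3 or parts[0] != "account":
            continue
        # Bracketed control values ([success=1 ...]) contain spaces, so the
        # module is the first token after the closing bracket.
        if parts[1].startswith("["):
            idx = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, module = "bracketed", parts[idx + 1]
        else:
            control, module = parts[1], parts[2]
        if control in ("include", "substack"):
            mods += account_modules(pam_d, module, seen)
        else:
            mods.append(module)
    return mods


def loads_pam_access(pam_d, service):
    """True if pam_access.so appears in the service's account stack."""
    return "pam_access.so" in account_modules(pam_d, service)


def render_access_conf(allowed_users):
    """Render access.conf lines. Assumption: one '+' line per user, then a
    deny-all line; verify against the module's own template."""
    lines = [f"+ : {user} : {' '.join(origins)}"
             for user, origins in allowed_users.items()]
    lines.append("- : ALL : ALL")
    return "\n".join(lines)


def origin_matches(pattern, origin):
    """Simplified pam_access origin match: ALL, exact, or network prefix
    written with a trailing dot (e.g. '192.168.0.')."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return origin.startswith(pattern)
    return pattern == origin


def access_decision(access_conf, user, origin):
    """First matching access.conf rule wins; no match means permit."""
    for raw in access_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if users != "ALL" and user not in users.split():
            continue
        if any(origin_matches(p, origin) for p in origins.split()):
            return perm == "+"
    return True


def effective_decision(pam_d, service, access_conf, user, origin):
    """What the host actually enforces: the access.conf policy only
    matters when the service's account stack loads pam_access.so."""
    if not loads_pam_access(pam_d, service):
        return True  # policy present on disk but never consulted
    return access_decision(access_conf, user, origin)


if __name__ == "__main__":
    conf = render_access_conf(ALLOWED_USERS)
    for name, pam_d in (("el7", PAM_D_EL7), ("debian8", PAM_D_DEBIAN8)):
        print(name, "sshd loads pam_access:", loads_pam_access(pam_d, "sshd"),
              "root from 10.0.0.1 permitted:",
              effective_decision(pam_d, "sshd", conf, "root", "10.0.0.1"))
```

Running it shows the EL7 stack denying root from 10.0.0.1 while the Debian 8 stack permits it with the identical access.conf on disk, which is exactly why the template needs the extra account line. The `loads_pam_access` check is the one worth running after a Puppet run on a new platform: if it returns False for sshd, the allowed_users data is decorative.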
ghoneycutt commented 7 years ago

Effort was taken to ensure that the default values for the pam module reflect that of a very basic, vanilla install of each platform. Guessing that the Debian and Ubuntu platforms did not have that by default.

I think it would be a good idea to add these though would want confirmation from someone using these platforms as I do not actually use them. Could you please send pull requests for platforms that you use?

fbarbeira commented 7 years ago

PR #158

fbarbeira commented 7 years ago

Released in v2.33.0