ghoneycutt / puppet-module-ssh

Puppet module to manage SSH

UsePAM value always yes #401

Closed TheP3di closed 1 year ago

TheP3di commented 1 year ago

Hello, I'm new to Puppet and have the following problem: UsePAM is always "yes"; it doesn't matter what I give. Any idea why, or how I can find out? Thank you :-)

OS: Debian 11 64-bit Puppet-Version: 7.23.0 OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022

server.pp:

```puppet
[...]
Optional[Ssh::Yes_no] $use_dns = undef,
Optional[Ssh::Yes_no] $use_pam = no,
Optional[String[1]] $version_addendum = undef,
[...]
```

sshd_config.erb:

```erb
[...]
<% if @use_dns != nil -%>
UseDNS <%= @use_dns %>
<% end -%>
<% if @use_pam != nil -%>
UsePAM <%= @use_pam %>
<% end -%>
<% if @version_addendum != nil -%>
VersionAddendum <%= @version_addendum %>
<% end -%>
[...]
```

sshd_config:

```
# This file is being maintained by Puppet.
# DO NOT EDIT
#
# See https://man.openbsd.org/sshd_config for more info

AcceptEnv LANG
AcceptEnv LC_*
AllowGroups logingroupmain
ChallengeResponseAuthentication no
Include /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication no
LoginGraceTime 60
MaxAuthTries 5
MaxSessions 10
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
Port 101
PrintMotd no
PubkeyAuthentication yes
StrictModes yes
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
X11Forwarding yes
```

site.pp:

```puppet
node 'puppet-learning' {
  include ssh
  include apache
}
```

Puppetfile:

```ruby
forge 'https://forge.puppet.com'
mod 'puppetlabs-stdlib', '8.5.0'
mod 'puppetlabs-concat', '7.3.3'
mod 'ghoneycutt-ssh', '4.0.0'
mod 'puppetlabs-sshkeys_core', '2.4.0'
```

Phil-Friderici commented 1 year ago

Hi @TheP3di,

the default values for different OS families are set in the files in ./data/os/, for Debian 11 in ./data/os/Debian/11.yaml. Here you will find that the default for UsePAM is configured to be yes.

You need to override this default value in your node classification or the like.

ghoneycutt commented 1 year ago

As @Phil-Friderici mentioned, you need to specify the data in Hiera or in how you call the ssh class if you want to specify different data.
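
The Hiera override both replies describe, written out as an added example (not part of the thread and not the module's own data). The data file path is an assumption about the environment's hierarchy; the key name follows from `$use_pam` being a parameter in `server.pp`, and the node name is the one from the `site.pp` above.

```yaml
# data/nodes/puppet-learning.yaml  (assumed path; use whichever level of your
# hiera.yaml hierarchy applies to this node)
---
# Automatic parameter lookup binds <class>::<parameter>. $use_pam is declared
# in server.pp, i.e. class ssh::server, so this key overrides the 'yes' that
# the module ships in data/os/Debian/11.yaml.
#
# Keep the quotes: the YAML loader reads a bare `no` as boolean false, which
# is not a yes/no string and does not satisfy the Ssh::Yes_no data type.
ssh::server::use_pam: 'no'

# Check what Puppet resolves for the node and which data file supplied it:
#   puppet lookup ssh::server::use_pam --node puppet-learning --explain
#
# After the next agent run, check (as root) the value sshd itself ends up
# with. The managed file has an Include of /etc/ssh/sshd_config.d/*.conf
# ahead of the UsePAM line, and sshd keeps the first value it reads for a
# keyword, so a drop-in there would take precedence over the template:
#   sshd -T | grep -i '^usepam'
#
# With UsePAM no, sshd skips PAM account and session processing as well, so
# anything enforced through the PAM stack for SSH logins stops applying.
```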