Closed GerbenWelter closed 7 years ago
I'm kind of torn on this. pam_access seems to have nothing to do with sssd, so I kind of think it should be in a separate module. See this module, which does exactly this: https://forge.puppet.com/MiamiOH/pam_access
I figured authconfig could do everything in one go, but I see your point. The pam_access module you mentioned doesn't quite fit our needs, so I have added the pam_access stuff to our custom access module.
Can you help me understand how the pam_access module doesn't fit your needs? The init class only runs the authconfig exec, I believe. We can make a PR to turn off anything you don't need...
The module has no option for specifying the order of the entries. We use a template that sorts the rules based on a priority.
The documentation and examples are not clear about the order. I will file an issue to get the doc updated.
You can specify the order. The entries are inserted, with augeas, in the order that puppet runs them. You can choose if they are inserted above or below the previous entry with the position: https://github.com/MiamiOH/puppet-pam_access/blob/master/manifests/entry.pp#L53
So it is as simple as using Puppet ordering with require/before etc. In the example below you are guaranteed to get them in order: user1, user2, root.

```puppet
# Each entry is inserted into access.conf in the order Puppet applies it;
# the require chain below fixes that order to user1, user2, root.
pam_access::entry { 'user1':
  permission => '+',
  user       => 'user1',
  origin     => 'ALL',
  position   => 'after',   # insert below the previous entry
}

pam_access::entry { 'user2':
  permission => '+',
  user       => 'user2',
  origin     => 'ALL',
  position   => 'after',
  require    => Pam_access::Entry['user1'],
}

pam_access::entry { 'root':
  permission => '-',
  user       => 'root',
  origin     => 'ALL',
  position   => 'after',
  require    => Pam_access::Entry['user2'],
}
```
The default for position is before if the permission is + and after if the permission is -. Since the deny is usually - and last, it typically works out even if you do not specify any requires or position: it will insert every - last and every + on top. However, you can be as specific as you like about the ordering.
You can also use the Puppet Approved PAM module - https://forge.puppet.com/ghoneycutt/pam
You can configure the access.conf using a simple array, or a hash if you want to specify the location instead of the default ALL.
https://forge.puppet.com/ghoneycutt/pam#hiera-example-for-allowed_users
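The reason the ordering discussed above matters is that pam_access evaluates access.conf top to bottom and stops at the first entry whose user and origin fields both match; if nothing matches, access is granted. The following added example (not code from this PR, the MiamiOH/pam_access module, or ghoneycutt/pam) models that first-match evaluation in Python over two constructed access.conf texts: the order the Puppet example above produces, and the same entries with the catch-all deny moved to the top. It is a deliberate simplification of the real module: it handles user names, ALL and EXCEPT, but does no group, netgroup, hostname or netmask lookups, so a "(group)" token is only ever matched literally.

```python
"""Model of pam_access rule evaluation: first matching entry wins.

Simplified on purpose: no group/netgroup lookups, no LOCAL keyword,
no hostname or CIDR matching. Enough to show why entry order matters.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    permission: str      # '+' (permit) or '-' (deny)
    users: List[str]     # tokens from the users field, e.g. ['ALL', 'EXCEPT', 'root']
    origins: List[str]   # tokens from the origins field, e.g. ['ALL'] or ['cron', 'tty1']


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'permission : users : origins' lines, skipping blanks and # comments."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed access.conf entry {raw!r}")
        rules.append(Rule(parts[0], parts[1].split(), parts[2].split()))
    return rules


def _field_matches(value: str, tokens: List[str]) -> bool:
    """Match one field: a name list, ALL, or '<list> EXCEPT <list>'."""
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        return _field_matches(value, tokens[:idx]) and not _field_matches(value, tokens[idx + 1:])
    return "ALL" in tokens or value in tokens


def evaluate(rules: List[Rule], user: str, origin: str) -> Tuple[bool, Optional[int]]:
    """Return (permitted, index of the entry that decided it).

    The first entry matching both user and origin decides; with no match,
    pam_access grants access, which is why a trailing '- : ALL : ALL' is usual.
    """
    for index, rule in enumerate(rules):
        if _field_matches(user, rule.users) and _field_matches(origin, rule.origins):
            return rule.permission == "+", index
    return True, None


def decide(conf_text: str, user: str, origin: str) -> bool:
    """Convenience wrapper: parse and evaluate in one call."""
    permitted, _ = evaluate(parse_access_conf(conf_text), user, origin)
    return permitted


# Constructed sample: the order the require chain in the Puppet example yields,
# plus the usual catch-all deny at the bottom.
ORDERED = """
+ : user1 : ALL
+ : user2 : ALL
- : root  : ALL
- : ALL   : ALL   # deny everyone not explicitly permitted above
"""

# Constructed sample: same entries, but the catch-all deny inserted first,
# which is what an unordered insert could produce. Nothing below it is reachable.
MISORDERED = """
- : ALL   : ALL
+ : user1 : ALL
+ : user2 : ALL
- : root  : ALL
"""

# Constructed sample showing EXCEPT: everyone but root is denied from cron.
EXCEPT_RULE = """
- : ALL EXCEPT root : cron
"""

if __name__ == "__main__":
    for user in ("user1", "root", "nobody"):
        print(f"ordered    {user:7} -> {decide(ORDERED, user, '10.0.0.5')}")
        print(f"misordered {user:7} -> {decide(MISORDERED, user, '10.0.0.5')}")
```

Run it as a script to see that the only difference between the two configs is the position of the deny-all line, and that it flips the result for user1 and user2.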
This is a rebase of #34 which also fixes the travis builds