Closed btoohey closed 8 years ago
Is the line created in /etc/pam.conf
or in a /etc/pam.d/*
file?
Line created in /etc/pam.d/password-auth-ac (RHEL 6)
Since you want to manage two resources with the same service
, module
and control
values, control
needs to be considered as a parameter (not a property). Try with:
pam { 'faillock_1' :
ensure => present,
service => 'password-auth',
type => 'auth',
control => 'required',
control_is_param => true,
module => 'pam_faillock.so',
arguments => ['preauth', 'audit', 'silent', 'deny=5', 'unlock_time=900'],
position => 'before *[type="auth" and module="pam_deny.so"]',
} ->
pam { 'faillock_2' :
ensure => present,
service => 'password-auth',
type => 'auth',
control => 'sufficient',
control_is_param => true,
module => 'pam_faillock.so',
arguments => ['authfail', 'audit', 'deny=5', 'unlock_time=900'],
position => 'before *[type="auth" and module="pam_deny.so"]',
}
As a note, the resource ordering (using ->
) will ensure the right positioning of the entries if they don't exist, but if faillock_2
already exists, faillock_1
will be added after it.
Thank you. That corrected the overwriting issue. I am a bit stumped though on how to accomplish the ordering. As you mention, faillock_1 gets added after faillock_2.
What I want to do is add these four lines:
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
in this order just above the following line:
auth required pam_deny.so
You can order them relatively to one another.
Thank you. I was able to find a relative ordering scheme using position that works. I didn't think I was going to be able use position in relation to a entry that is created in the same module.
Can we close that issue then?
This can be closed. Thank you.
Using the following code
Produces the following puppet notices:
And the faillock_2 resource overwrites the faillock_1 resource when they really should create two lines in password-auth:
What I would expect to see is: