pam.pp 1.12 KB
Newer Older
Adam Lewenberg's avatar
Adam Lewenberg committed
1
2
3
4
5
6
# Install /etc/pam.d/sshd.

# If $pam_duo is set to true, use a pam stack that requires Duo for
# regular logins.
#
# Currently, only Debian is supported when $pam_duo is true.
7
8
9
#
# If you are using the SLURM job scheduler, setting $pam_slurm to true will
# cause user logins to be rejected unless they have a valid job allocation.
10
11
12
# In that case, you can set $pam_slurm_bypass to an absolute path, where all
# users listed in the file (one username per line) will not be checked.  This
# is good so that admin users can continue to log in.
Adam Lewenberg's avatar
Adam Lewenberg committed
13
14

class ssh::pam (
15
16
17
18
  $pam_afs          = true,
  $pam_duo          = false,
  $pam_slurm        = false,
  $pam_slurm_bypass = 'NONE',
Adam Lewenberg's avatar
Adam Lewenberg committed
19
20
21
22
23
24
25
26
27
28
29
30
){

  # Configure PAM for sshd on RHEL 6.
  if ($::lsbdistcodename == 'santiago') {
    file { '/etc/pam.d/sshd':
      ensure => link,
      target => '/etc/pam.d/system-auth',
    }
  } elsif ($pam_duo) {
    if ($::osfamily =~ /Debian/) {
      file {'/etc/pam.d/sshd':
        ensure => present,
31
        content => template('base/ssh/etc/pam.d/sshd.erb'),
Adam Lewenberg's avatar
Adam Lewenberg committed
32
33
34
35
36
37
      }
    } else {
      fail("cannot call ssh::pam with pam_duo true under OS '$::osfamily'")
    }
  }
}