Merge pull request #2 from mrichar1/pam-config

pam-config file creation.

pam/files/pam-config.jinja

@@ -0,0 +1,54 @@
+Name: {{ config.get('name', file_name) }}
+Default: {{ config.get('default', 'no') }}
+Priority: {{ config.get('priority', '256') }}
+{%- if 'conflicts' in config %}
+Conflicts: {{ config.conflicts }}
+{%- endif %}
+
+{%- if 'auth_type' in config %}
+Auth-Type: {{ config.auth_type }}
+{%- endif %}
+{%- if 'auth' in config %}
+Auth:
+        {{ config.auth }}
+{%- endif %}
+{%- if 'auth_initial' in config %}
+Auth-Initial:
+        {{ config.auth_initial }}
+{%- endif %}
+
+{%- if 'account_type' in config %}
+Account-Type: {{ config.account_type }}
+{%- endif %}
+{%- if 'account' in config %}
+Account:
+        {{ config.account }}
+{%- endif %}
+{%- if 'account_initial' in config %}
+Account-Initial:
+        {{ config.account_initial }}
+{%- endif %}
+
+{%- if 'session_type' in config %}
+Session-Type: {{ config.session_type }}
+{%- endif %}
+{%- if 'session' in config %}
+Session:
+        {{ config.session }}
+{%- endif %}
+{%- if 'session_initial' in config %}
+Session-Initial:
+        {{ config.session_initial }}
+{%- endif %}
+
+{%- if 'password_type' in config %}
+Password-Type: {{ config.password_type }}
+{%- endif %}
+{%- if 'password' in config %}
+Password:
+        {{ config.password }}
+{%- endif %}
+{%- if 'password_initial' in config %}
+Password-Initial:
+        {{ config.password_initial }}
+{%- endif %}

pam/map.jinja

@@ -6,12 +6,14 @@
         'mkhomedir_pkg': 'libpam-mkhomedir',
         'mkhomedir_config': '/usr/share/pam-configs/mkhomedir',
         'ccreds_pkg': 'libpam-ccreds',
+        'pam_config': {},
     },
     'Debian': {
         'ldap_pkg': 'libpam-ldapd',
         'ldap_config': '/etc/ldap.conf',
         'mkhomedir_pkg': 'libpam-ccreds',
         'mkhomedir_config': '/usr/share/pam-configs/mkhomedir',
         'ccreds_pkg': 'libpam-ccreds',
+        'pam_config': {},
     },
-}, merge=salt['pillar.get']('pam:lookup')) %}
+}, merge=salt['pillar.get']('pam:lookup')) %}

pam/update.sls

@@ -6,5 +6,16 @@ pam-auth-update:
     - name: DEBIAN_FRONTEND=noninteractive pam-auth-update --force
 {% endif %}
 
-#TODO: pam-config
-#TODO: authconfig
+{% for file_name, config in pam['pam_config'].items() %}
+/usr/share/pam-configs/{{ file_name }}:
+  file.managed:
+    - source: salt://pam/files/pam-config.jinja
+    - template: jinja
+    - watch_in:
+      - cmd: pam-auth-update
+    - defaults:
+      config: {{ config }}
+      file_name: {{ file_name }}
+{% endfor %}
+
+#TODO: authconfig

pillar.example

@@ -16,3 +16,16 @@ pam:
     tls_checkpeer: 'yes'
     tls_cacertfile: /etc/ssl/ca.cert
     tls_cacertdir: /etc/ssl/certs
+
+  pam_config:
+    access:
+      # defaults to above key if unset
+      name: PAM Access Module
+      # defaults to "no" if unset
+      default: "yes"
+      conflicts: cracklib
+      # Defaults to 256 if unset
+      priority: 0
+      # x, x_type and x_initial. x can be: auth, account, session, password
+      account_type: Additional
+      account: "required pam_access.so"