community.general.pamd module – Manage PAM Modules

Note

This module is part of the community.general collection (version 10.7.5).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.pamd.

Synopsis

  • Edit PAM service’s type, control, module path and module arguments.

  • In order for a PAM rule to be modified, the type, control and module_path must match an existing rule. See man(5) pam.d for details.

Parameters

Parameter

Comments

backup

boolean

Create a backup file including the timestamp information so you can get the original file back if you somehow clobbered it incorrectly.

Choices:

  • false ← (default)

  • true

control

string / required

The control of the PAM rule being modified.

This may be a complicated control with brackets. If this is the case, be sure to put “[bracketed controls]” in quotes.

The type, control, and module_path options all must match a rule to be modified.

module_arguments

list / elements=string

When state=updated, the module_arguments replace existing module_arguments.

When state=args_absent args matching those listed in module_arguments are removed.

When state=args_present any args listed in module_arguments are added if missing from the existing rule.

Furthermore, if the module argument takes a value denoted by =, the value changes to that specified in module_arguments.

module_path

string / required

The module path of the PAM rule being modified.

The type, control, and module_path options all must match a rule to be modified.

name

string / required

The name generally refers to the PAM service file to change, for example system-auth.

new_control

string

The new control to assign to the new rule.

new_module_path

string

The new module path to be assigned to the new rule.

new_type

string

The new type to assign to the new rule.

Choices:

  • "account"

  • "-account"

  • "auth"

  • "-auth"

  • "password"

  • "-password"

  • "session"

  • "-session"

path

path

This is the path to the PAM service files.

Default: "/etc/pam.d"

state

string

The default of updated modifies an existing rule if type, control and module_path all match an existing rule.

With before, the new rule is inserted before a rule matching type, control and module_path.

Similarly, with after, the new rule is inserted after an existing rulematching type, control and module_path.

With either before or after new_type, new_control, and new_module_path must all be specified.

If state is args_absent or args_present, new_type, new_control, and new_module_path are ignored.

State absent removes the rule.

Choices:

  • "absent"

  • "before"

  • "after"

  • "args_absent"

  • "args_present"

  • "updated" ← (default)

type

string / required

The type of the PAM rule being modified.

The type, control, and module_path options all must match a rule to be modified.

Choices:

  • "account"

  • "-account"

  • "auth"

  • "-auth"

  • "password"

  • "-password"

  • "session"

  • "-session"

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Notes

Note

  • This module does not handle authselect profiles.

Examples

- name: Update pamd rule's control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_control: sufficient

- name: Update pamd rule's complex control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    new_control: '[success=2 default=ignore]'

- name: Insert a new rule before an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before

- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an existing rule pam_rootok.so
  community.general.pamd:
    name: su
    type: auth
    control: sufficient
    module_path: pam_rootok.so
    new_type: auth
    new_control: required
    new_module_path: pam_wheel.so
    module_arguments: 'use_uid'
    state: after

- name: Remove module arguments from an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: ''
    state: updated

- name: Replace all module arguments in an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth silent deny=3 unlock_time=604800 fail_interval=900'
    state: updated

- name: Remove specific arguments from a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_absent

- name: Ensure specific arguments are present in a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_present

- name: Ensure specific arguments are present in a rule (alternative)
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments:
      - crond
      - quiet
    state: args_present

- name: Module arguments requiring commas must be listed as a Yaml list
  community.general.pamd:
    name: special-module
    type: account
    control: required
    module_path: pam_access.so
    module_arguments:
      - listsep=,
    state: args_present

- name: Update specific argument value in a rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'fail_interval=300'
    state: args_present

- name: Add pam common-auth rule for duo
  community.general.pamd:
    name: common-auth
    new_type: auth
    new_control: '[success=1 default=ignore]'
    new_module_path: '/lib64/security/pam_duo.so'
    state: after
    type: auth
    module_path: pam_sss.so
    control: 'requisite'

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

backupdest

string

The file name of the backup file, if created.

Returned: success

change_count

integer

How many rules were changed.

Returned: success

Sample: 1

Authors

  • Kenneth D. Evensen (@kevensen)