community.general.pamd – Manage PAM Modules
Note
This plugin is part of the community.general collection (version 3.8.3). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.pamd.
Synopsis
Edit a PAM service's type, control, module path and module arguments.
For a PAM rule to be modified, the type, control and module_path must all match an existing rule. See pam.d(5) for details.
Parameters
Parameter | Comments
---|---
backup | Create a backup file including the timestamp information so you can get the original file back if you somehow clobbered it incorrectly. Choices:
control | The control of the PAM rule being modified. This may be a complicated control with brackets. If this is the case, be sure to put "[bracketed controls]" in quotes. The
module_arguments | When state is When state is When state is Furthermore, if the module argument takes a value denoted by
module_path | The module path of the PAM rule being modified. The
name | The name generally refers to the PAM service file to change, for example system-auth.
new_control | The new control to assign to the new rule.
new_module_path | The new module path to be assigned to the new rule.
new_type | The new type to assign to the new rule. Choices:
path | This is the path to the PAM service files. Default: "/etc/pam.d"
state | The default of With Similarly, with With either If state is State Choices:
type | The type of the PAM rule being modified. The Choices:
Examples
```yaml
- name: Update pamd rule's control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_control: sufficient

- name: Update pamd rule's complex control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    new_control: '[success=2 default=ignore]'

- name: Insert a new rule before an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before

- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an existing rule pam_rootok.so
  community.general.pamd:
    name: su
    type: auth
    control: sufficient
    module_path: pam_rootok.so
    new_type: auth
    new_control: required
    new_module_path: pam_wheel.so
    module_arguments: 'use_uid'
    state: after

- name: Remove module arguments from an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: ''
    state: updated

- name: Replace all module arguments in an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth
        silent
        deny=3
        unlock_time=604800
        fail_interval=900'
    state: updated

- name: Remove specific arguments from a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_absent

- name: Ensure specific arguments are present in a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_present

- name: Ensure specific arguments are present in a rule (alternative)
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments:
      - crond
      - quiet
    state: args_present

- name: Module arguments requiring commas must be listed as a YAML list
  community.general.pamd:
    name: special-module
    type: account
    control: required
    module_path: pam_access.so
    module_arguments:
      - listsep=,
    state: args_present

- name: Update specific argument value in a rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'fail_interval=300'
    state: args_present

- name: Add pam common-auth rule for duo
  community.general.pamd:
    name: common-auth
    new_type: auth
    new_control: '[success=1 default=ignore]'
    new_module_path: '/lib64/security/pam_duo.so'
    state: after
    type: auth
    module_path: pam_sss.so
    control: 'requisite'
```
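The matching rule from the synopsis (a rule is only touched when type, control and module_path all match) and the argument-level states used in the examples above (args_present, args_absent, and state=updated with module_arguments) are easier to reason about with a small model of a pam.d file. The following is an added example written for this page; it is not code from the community.general.pamd module. The file content is a constructed sample, and the treatment of key=value arguments (match on the key, replace the value in place) is this example's own assumption about the behaviour the docs describe.

```python
"""Added example (not the community.general.pamd module's code): parse pam.d
rules, match them the way the pamd docs describe, and apply the
args_present / args_absent / updated semantics.  Sample content is constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample of an /etc/pam.d/system-auth file, not taken from a real host.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5
auth        sufficient    pam_unix.so nullok try_first_pass
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
account     required      pam_unix.so
"""

# type, then a bracketed control or a single keyword, then the module path, then args.
RULE_RE = re.compile(
    r"^(?P<type>-?[a-z]+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<path>\S+)(?P<args>.*)$"
)


@dataclass
class Rule:
    type: str
    control: str  # "required" or a bracketed control such as "[success=1 default=ignore]"
    module_path: str
    args: list = field(default_factory=list)

    def matches(self, type_, control, module_path):
        # pamd only edits a rule when all three identifying fields match.
        return (self.type, self.control, self.module_path) == (type_, control, module_path)

    def render(self):
        return " ".join([self.type, self.control, self.module_path] + self.args)


def parse_pamd(text):
    """Return [(raw_line, Rule or None)]; comments and blank lines are kept as None."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            entries.append((line, None))
            continue
        m = RULE_RE.match(stripped)
        if not m:
            raise ValueError(f"unparseable pam.d line: {line!r}")
        entries.append((line, Rule(m["type"], m["control"], m["path"], m["args"].split())))
    return entries


def render_pamd(entries):
    """Write entries back out; untouched lines stay verbatim, edited rules are re-rendered."""
    return "\n".join(raw if rule is None else rule.render() for raw, rule in entries) + "\n"


def _key(arg):
    return arg.split("=", 1)[0]  # "deny=3" -> "deny", "silent" -> "silent"


def _matching(entries, type_, control, module_path):
    return [r for _, r in entries if r is not None and r.matches(type_, control, module_path)]


def args_present(entries, type_, control, module_path, wanted):
    """Like state=args_present. Returns the number of rules changed (cf. change_count)."""
    changed = 0
    for rule in _matching(entries, type_, control, module_path):
        before = list(rule.args)
        for arg in wanted:
            hits = [i for i, a in enumerate(rule.args) if _key(a) == _key(arg)]
            if hits:
                rule.args[hits[0]] = arg  # assumption: same key present, value replaced
            else:
                rule.args.append(arg)
        if rule.args != before:
            changed += 1
    return changed


def args_absent(entries, type_, control, module_path, unwanted):
    """Like state=args_absent: drop the listed args (matched by key) from matching rules."""
    drop = {_key(a) for a in unwanted}
    changed = 0
    for rule in _matching(entries, type_, control, module_path):
        kept = [a for a in rule.args if _key(a) not in drop]
        if kept != rule.args:
            rule.args = kept
            changed += 1
    return changed


def update_args(entries, type_, control, module_path, new_args):
    """Like state=updated with module_arguments: replace the whole list ('' clears it)."""
    new_args = new_args.split() if isinstance(new_args, str) else list(new_args)
    changed = 0
    for rule in _matching(entries, type_, control, module_path):
        if rule.args != new_args:
            rule.args = list(new_args)
            changed += 1
    return changed
```

A typical use is to parse the sample, call `args_present(entries, "auth", "required", "pam_faillock.so", ["deny=3", "unlock_time=604800"])`, and print `render_pamd(entries)`: the existing `deny=5` is replaced rather than duplicated, `unlock_time` is appended, and calling the same function again reports zero changed rules, which is the idempotence a playbook run relies on. A lockout module such as pam_faillock is exactly where a duplicated or mistyped argument has security consequences, so checking the rendered result against expectations before writing it back (or using the module's backup parameter) is worth the extra step.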
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Description
---|---
action | The action that was taken and is one of: update_rule, insert_before_rule, insert_after_rule, args_present, args_absent, absent. This was available in Ansible 2.4 and removed in Ansible 2.8. Returned: always. Sample: "update_rule"
backupdest | The file name of the backup file, if created. Returned: success
change_count | How many rules were changed. Returned: success. Sample: 1
dest | Path to the pam.d service that was changed. This is only available in Ansible 2.3 and was removed in Ansible 2.4. Returned: success. Sample: "/etc/pam.d/system-auth"
new_rule | The changes to the rule. This was available in Ansible 2.4 and Ansible 2.5. It was removed in Ansible 2.6. Returned: success. Sample: "None None None sha512 shadow try_first_pass use_authtok"
updated_rule | The rule(s) that was/were changed. This is only available in Ansible 2.4 and was removed in Ansible 2.5. Returned: success. Sample: ["password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok"]
Authors
Kenneth D. Evensen (@kevensen)