author | Michael Scherer <misc@mageia.org> | 2010-11-24 02:50:45 +0000 |
committer | Michael Scherer <misc@mageia.org> | 2010-11-24 02:50:45 +0000 |
commit | ae6ba130344466d36dac9988bb9bcbbd0256fb80 (patch) | |
tree | 155aae58ebce91964f9a02c6a2f8841b049289ec | |
parent | ec4823b29d7792c9ca96d6e1a76bb43a111dfaac (diff) | |
restrict login to people of the group mga-committers (previous try was
not working with ssh key)
-rw-r--r-- | modules/pam/manifests/init.pp | 10 | ||||
-rw-r--r-- | modules/pam/templates/system-auth | 12 |
2 files changed, 13 insertions, 9 deletions
diff --git a/modules/pam/manifests/init.pp b/modules/pam/manifests/init.pp
index 63e8b12f..e6e37bb8 100644
--- a/modules/pam/manifests/init.pp
+++ b/modules/pam/manifests/init.pp
@@ -43,14 +43,17 @@ class pam {
 content => template("pam/ldap.conf")
 }
 }
-
+
+ # beware , this two classes are exclusive
+
 # for server where only admins can connect
- class admin_access inherits base {
+ class admin_access {
 $access_class = "admin"
+ include base
 }
 # for server where people can connect with ssh ( git, svn )
- class committers_access inherits base {
+ class committers_access {
 # this is required, as we force the shell to be the restricted one
 # openssh will detect if the file do not exist and while refuse to log the
 # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
@@ -58,5 +61,6 @@ class pam {
 # permission to use svn, git, etc must be added separatly
 include restrictshell::shell
 $access_class = "committers"
+ include base
 }
 }
diff --git a/modules/pam/templates/system-auth b/modules/pam/templates/system-auth
index 7dc3a47f..79c95264 100644
--- a/modules/pam/templates/system-auth
+++ b/modules/pam/templates/system-auth
@@ -1,10 +1,4 @@
 auth required pam_env.so
-<%- if access_class = 'admin' -%>
-auth required pam_succeed_if.so quiet user ingroup mga-sysadmin
-<%- end -%>
-<%- if access_class = 'committers' -%>
-auth required pam_succeed_if.so quiet user ingroup mga-committers
-<%- end -%>
 # this part is here if the module don't exist
 # basically, the idea is to copy the exact detail of sufficient,
 # and add abort=ignore
@@ -15,6 +9,12 @@ auth required pam_deny.so
 account sufficient pam_localuser.so
+<%- if access_class == 'admin' -%>
+account required pam_succeed_if.so quiet user ingroup mga-sysadmin
+<%- end -%>
+<%- if access_class == 'committers' -%>
+account required pam_succeed_if.so quiet user ingroup mga-committers
+<%- end -%>
 account sufficient pam_ldap.so
 account required pam_deny.so |
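Review bot: Replacing `inherits base` with an `include base` placed after the `$access_class` assignment makes the group restriction depend on `base` not already being in the catalog: `include` is a no-op when `base` was evaluated earlier (a node that includes it directly, or that includes both access classes), and in that case `$access_class` is presumably not in scope when the system-auth template renders, so the `pam_succeed_if` group check is silently omitted rather than failing. The added `# beware , this two classes are exclusive` comment hints at this but does not state the consequence; I would extend it to `# beware: these two classes are exclusive, and base must not be included before $access_class is set, otherwise the PAM group restriction is silently dropped`. The enclosing `class pam {` starts and ends outside the hunk, so I cannot tell from here whether anything else in it includes `base`.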
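Review bot: The new `account required pam_succeed_if.so ... ingroup` lines sit below `account sufficient pam_localuser.so`, so any account present in the local passwd file passes the account stage before the group check is reached; if that is meant only for root and system accounts, a comment above the block saying so would make the ordering look deliberate rather than accidental. When `access_class` is unset or holds any other value, neither branch renders and every LDAP user reaches `account sufficient pam_ldap.so` unrestricted, which is only acceptable if generic hosts are meant to stay open; an explicit comment, or a trailing `<%- else -%>` branch documenting the fallback, would record that decision. The `quiet` option also keeps denials of non-members out of syslog; `quiet_success` would suppress only the successful checks and leave refused logins visible for auditing.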