Revision
451
Author
misc
Date
2010-11-24 03:50:45 +0100 (Wed, 24 Nov 2010)

Log Message

restrict login to members of the group mga-committers (the previous attempt
was not working with ssh keys)

Modified Paths

Modified: puppet/modules/pam/manifests/init.pp
===================================================================
--- puppet/modules/pam/manifests/init.pp	2010-11-24 02:08:32 UTC (rev 450)
+++ puppet/modules/pam/manifests/init.pp	2010-11-24 02:50:45 UTC (rev 451)
@@ -43,14 +43,17 @@
          content => template("pam/ldap.conf")
       }
   } 
-  
+ 
+  # beware , this two classes are exclusive
+ 
   # for server where only admins can connect
-  class admin_access inherits base {
+  class admin_access {
     $access_class = "admin"
+    include base
   }
 
   # for server where people can connect with ssh ( git, svn )
-  class committers_access inherits base {
+  class committers_access {
     # this is required, as we force the shell to be the restricted one
     # openssh will detect if the file do not exist and while refuse to log the
     # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
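Review bot: The `# beware , this two classes are exclusive` comment added in this hunk states the constraint but not its consequence, which matters for access control: both admin_access and committers_access now set $access_class and then `include base`, and since a class is evaluated only once, a node that declares both presumably gets base's templates rendered with whichever value was in scope at the first include, so the second group restriction is silently dropped rather than rejected. I would reword it to `# beware: these two classes are mutually exclusive - base is evaluated once, with the $access_class of whichever class includes it first, so the other class's group restriction is silently ignored`. The same pattern applies to committers_access in the next hunk, where `include base` is likewise placed after the assignment; that order should be kept, since the switch from `inherits base` to `include base` appears to rely on the template finding $access_class through the including class's scope (dynamic lookup), which is worth recording in the comment as well. The committers_access body continues past the end of this hunk.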
@@ -58,5 +61,6 @@
     # permission to use svn, git, etc must be added separatly
     include restrictshell::shell
     $access_class = "committers"
+    include base
   }
 }

Modified: puppet/modules/pam/templates/system-auth
===================================================================
--- puppet/modules/pam/templates/system-auth	2010-11-24 02:08:32 UTC (rev 450)
+++ puppet/modules/pam/templates/system-auth	2010-11-24 02:50:45 UTC (rev 451)
@@ -1,10 +1,4 @@
 auth    required     pam_env.so
-<%- if access_class = 'admin' -%>
-auth    required     pam_succeed_if.so quiet user ingroup mga-sysadmin
-<%- end -%>
-<%- if access_class = 'committers' -%>
-auth    required     pam_succeed_if.so quiet user ingroup mga-committers
-<%- end -%>
 # this part is here if the module don't exist
 # basically, the idea is to copy the exact detail of sufficient,
 # and add abort=ignore
@@ -15,6 +9,12 @@
 
 
 account sufficient  pam_localuser.so
+<%- if access_class == 'admin' -%>
+account required    pam_succeed_if.so quiet user ingroup mga-sysadmin
+<%- end -%>
+<%- if access_class == 'committers' -%>
+account required    pam_succeed_if.so quiet user ingroup mga-committers
+<%- end -%>
 account sufficient  pam_ldap.so
 account required    pam_deny.so