I'm trying to change the password complexity requirements in pam.d/system-auth using augeas. I can append the values (lcredit=-1, ucredit=-1, etc) onto the correct place, but if another value is already present (i.e. lcredit=-2), the onlyif match statement doesn't seem to support checking regular expressions inside of strings. How do I check that any numeric value exists in the argument??

define passwordcomplexity($lowercase = "1", $uppercase = "1", $numeric = "1", $special = "1") {
  augeas { "add_lowercase_reqs" :
    context => "/files/etc/pam.d",
    changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] lcredit=-$lowercase",
    onlyif  => "match system-auth/*[argument='lcredit=*'] size == 0",
  }
  augeas { "add_uppercase_reqs" :
    context => "/files/etc/pam.d",
    changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ucredit=-$uppercase",
    onlyif  => "match system-auth/*[argument='ucredit=*'] size == 0",
  }
  augeas { "add_numeric_reqs" :
    context => "/files/etc/pam.d",
    changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] dcredit=-$numeric",
    onlyif  => "match system-auth/*[argument='dcredit=*'] size == 0",
  }
  augeas { "add_special_reqs" :
    context => "/files/etc/pam.d",
    changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ocredit=-$special",
    onlyif  => "match system-auth/*[argument='ocredit=*'] size == 0",
  }
}

This will continuously append lcredit=-2, etc onto the end of the line, without checking the values that currently exist:

----------------------------------------------------
password requisite pam_cracklib.so try_first_pass retry=3 maxrepeat=3 lcredit=-2 ocredit=-2 dcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 lcredit=-2 ucredit=-2
-----------------------------------------------------

~Ed

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
So based on a posting from last year, I changed the definition to just remove and rebuild the line in pam.d/system-auth based on the variables passed in. Although this isn't the elegant solution that I was searching for (breaking it up to different functions and using "onlyif"), it does get the job done. Here is what I've got:

define passwordcomplexity($retry = "3", $lowercase = "1", $uppercase = "1", $numeric = "1", $special = "1", $maxrepeats = "3") {
  augeas { "rebuild_passwordcomplex_reqs" :
    context => "/files/etc/pam.d",
    changes => ["rm system-auth/*[module='pam_cracklib.so'][type='password']/argument",
                "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] try_first_pass",
                "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] retry=$retry",
                "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] maxrepeat=$maxrepeats",
                "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] lcredit=-$lowercase",
                "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ucredit=-$uppercase",
                "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] dcredit=-$numeric",
                "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ocredit=-$special"],
  }
}

If anyone knows how to use onlyif and match/get to get an augeas argument based on a regular expression, I'd be happy to hear about it.

~Ed

On Feb 18, 8:40 am, Ed <ed.seal...@gmail.com> wrote:
> I'm trying to change the password complexity requirements in
> pam.d/system-auth using augeas. I can append the values (lcredit=-1,
> ucredit=-1, etc) onto the correct place, but if another value is
> already present (i.e. lcredit=-2), the onlyif match statement doesn't
> seem to support checking regular expressions inside of strings. How do
> I check that any numeric value exists in the argument??
>
> define passwordcomplexity($lowercase = "1", $uppercase = "1",
> $numeric = "1", $special = "1") {
>   augeas { "add_lowercase_reqs" :
>     context => "/files/etc/pam.d",
>     changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] lcredit=-$lowercase",
>     onlyif  => "match system-auth/*[argument='lcredit=*'] size == 0",
>   }
>   augeas { "add_uppercase_reqs" :
>     context => "/files/etc/pam.d",
>     changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ucredit=-$uppercase",
>     onlyif  => "match system-auth/*[argument='ucredit=*'] size == 0",
>   }
>   augeas { "add_numeric_reqs" :
>     context => "/files/etc/pam.d",
>     changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] dcredit=-$numeric",
>     onlyif  => "match system-auth/*[argument='dcredit=*'] size == 0",
>   }
>   augeas { "add_special_reqs" :
>     context => "/files/etc/pam.d",
>     changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ocredit=-$special",
>     onlyif  => "match system-auth/*[argument='ocredit=*'] size == 0",
>   }
> }
>
> This will continuously append lcredit=-2, etc onto the end of the
> line, without checking the values that currently exist:
>
> ----------------------------------------------------
> password requisite pam_cracklib.so try_first_pass retry=3
> maxrepeat=3 lcredit=-2 ocredit=-2 dcredit=-2
> ucredit=-2 dcredit=-2 ocredit=-2 lcredit=-2
> ucredit=-2
> -----------------------------------------------------
>
> ~Ed
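One way to get the idempotent onlyif that the question asks for, added here as an example and not code from the thread or the Puppet project: Augeas path expressions accept a `=~ regexp(...)` predicate, so a match can find any existing `lcredit=<number>` argument whatever its value. The define name `pam_cracklib_arg` is my own, and the example assumes an Augeas release whose path expressions support `regexp()` and a pam_cracklib line in the password stack of /etc/pam.d/system-auth.

```puppet
# Added example (not from the thread): one idempotent Augeas resource per
# pam_cracklib option. $name is the option (e.g. 'lcredit'), $value the
# wanted setting (e.g. '-1'). Assumes Augeas supports `=~ regexp()`.
define pam_cracklib_arg($value) {
  $line = "system-auth/*[type='password'][module='pam_cracklib.so']"

  augeas { "pam_cracklib_${name}":
    context => "/files/etc/pam.d",
    # Remove every existing <name>=<anything> argument, whatever its number,
    # then append the wanted one. rm on a predicate that matches nothing is
    # a no-op, so a line that never had the option is handled too.
    changes => [
      "rm ${line}/argument[. =~ regexp('${name}=.*')]",
      "set ${line}/argument[last()+1] ${name}=${value}",
    ],
    # Do nothing when the exact argument is already present, so repeated
    # runs no longer keep appending lcredit=-2 ... to the end of the line.
    onlyif  => "match ${line}/argument[. = '${name}=${value}'] size == 0",
  }
}

# Require at least one lowercase, uppercase, digit and other character.
pam_cracklib_arg { 'lcredit': value => '-1' }
pam_cracklib_arg { 'ucredit': value => '-1' }
pam_cracklib_arg { 'dcredit': value => '-1' }
pam_cracklib_arg { 'ocredit': value => '-1' }
```

Because the onlyif only passes when the wanted argument is absent, the rm/set pair runs at most once per change of policy; a later run with a different value replaces the old argument instead of adding a second copy.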
Ed wrote:
> I'm trying to change the password complexity requirements in
> pam.d/system-auth using augeas. I can append the values (lcredit=-1,
> ucredit=-1, etc) onto the correct place, but if another value is
> already present (i.e. lcredit=-2), the onlyif match statement doesn't
> seem to support checking regular expressions inside of strings. How do
> I check that any numeric value exists in the argument??
>
> define passwordcomplexity($lowercase = "1", $uppercase = "1",
> $numeric = "1", $special = "1") {
>   augeas { "add_lowercase_reqs" :
>     context => "/files/etc/pam.d",
>     changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] lcredit=-$lowercase",
>     onlyif  => "match system-auth/*[argument='lcredit=*'] size == 0",
>   }
>   augeas { "add_uppercase_reqs" :
>     context => "/files/etc/pam.d",
>     changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ucredit=-$uppercase",
>     onlyif  => "match system-auth/*[argument='ucredit=*'] size == 0",
>   }
>   augeas { "add_numeric_reqs" :
>     context => "/files/etc/pam.d",
>     changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] dcredit=-$numeric",
>     onlyif  => "match system-auth/*[argument='dcredit=*'] size == 0",
>   }
>   augeas { "add_special_reqs" :
>     context => "/files/etc/pam.d",
>     changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ocredit=-$special",
>     onlyif  => "match system-auth/*[argument='ocredit=*'] size == 0",
>   }
> }
>
> This will continuously append lcredit=-2, etc onto the end of the
> line, without checking the values that currently exist:
>
> ----------------------------------------------------
> password requisite pam_cracklib.so try_first_pass retry=3
> maxrepeat=3 lcredit=-2 ocredit=-2 dcredit=-2
> ucredit=-2 dcredit=-2 ocredit=-2 lcredit=-2
> ucredit=-2
> -----------------------------------------------------
>
> ~Ed

I created a ticket about a pam type nearly a year ago and hopefully I can have a working type with the parsedfile provider sometime within the next week (I should have a real-live day off Friday). I did do some planning for type features while on a plane ride but ended up falling asleep... so that's as far as I am right now. I'll post to the list once I have something that resembles a working pam type.

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
Boredom is counter-revolutionary
On Thu, 2010-02-18 at 18:33 -0500, Joe McDonagh wrote:
> I created a ticket about a pam type nearly a year ago and hopefully I
> can have a working type with the parsedfile provider sometime within the
> next week (I should have a real-live day off Friday). I did do some
> planning for type features while on a plane ride but ended up falling
> asleep... so that's as far as I am right now. I'll post to the list once
> I have something that resembles a working pam type.

Have you thought about doing this based on Augeas rather than ParsedFile? Depending on what exactly you want your type to do, you might even be able to write it as a 'define' in puppet, rather than having to drop to Ruby. If the logic in your type is complex enough, though, and you have to write it in Ruby, you can still use Augeas to access, query and modify the pam entries.

David
Joe McDonagh <joseph.e.mcdonagh@gmail.com> writes:
> I have not thought about using augeas because last time I tried to
> build it for our standard OS (Ubuntu 8.04) IIRC it needed a newer
> version of glibc.

I didn't have any trouble building the current ubuntu augeas packages for 8.04. I followed the pretty normal dpkg build process for it. (apt-get source; apt-get build-dep; debuild) No glibc weirdness.

seph
seph wrote:
> Joe McDonagh <joseph.e.mcdonagh@gmail.com> writes:
>
>> I have not thought about using augeas because last time I tried to
>> build it for our standard OS (Ubuntu 8.04) IIRC it needed a newer
>> version of glibc.
>
> I didn't have any trouble building the current ubuntu augeas packages
> for 8.04. I followed the pretty normal dpkg build process for
> it. (apt-get source; apt-get build-dep; debuild) No glibc weirdness.
>
> seph

That's weird, maybe I ran into something else or just flat out got distracted/pulled in another direction.

I was thinking it might be useful for this type to have both a parsedfile and augeas provider. What do you guys think?

And yes I do usually use definitions for stuff like this, but I just feel like puppet should have some security types, and IIRC the solaris ones don't differ much from the linux ones so it's partly a unix-agnostic type.

Anybody else have more input on that last statement?

--
Joe McDonagh
On Sun, Feb 21, 2010 at 6:43 PM, Joe McDonagh <joseph.e.mcdonagh@gmail.com> wrote:
> seph wrote:
>>
>> Joe McDonagh <joseph.e.mcdonagh@gmail.com> writes:
>>
>>> I have not thought about using augeas because last time I tried to
>>> build it for our standard OS (Ubuntu 8.04) IIRC it needed a newer
>>> version of glibc.
>>
>> I didn't have any trouble building the current ubuntu augeas packages
>> for 8.04. I followed the pretty normal dpkg build process for
>> it. (apt-get source; apt-get build-dep; debuild) No glibc weirdness.
>>
>> seph
>>
> That's weird, maybe I ran into something else or just flat out got
> distracted/pulled in another direction.
>
> I was thinking it might be useful for this type to have both a parsedfile
> and augeas provider. What do you guys think?
>
> And yes I do usually use definitions for stuff like this, but I just feel
> like puppet should have some security types, and IIRC the solaris ones don't
> differ much from the linux ones so it's partly a unix-agnostic type.
>
> Anybody else have more input on that last statement?

add OS X to the Solaris/Linux PAM mix too? :)

OS X 10.6 in particular makes PAM a lot more useful and authoritative.

--
nigel
Nigel Kersten wrote:
> On Sun, Feb 21, 2010 at 6:43 PM, Joe McDonagh
> <joseph.e.mcdonagh@gmail.com> wrote:
>> seph wrote:
>>> Joe McDonagh <joseph.e.mcdonagh@gmail.com> writes:
>>>
>>>> I have not thought about using augeas because last time I tried to
>>>> build it for our standard OS (Ubuntu 8.04) IIRC it needed a newer
>>>> version of glibc.
>>> I didn't have any trouble building the current ubuntu augeas packages
>>> for 8.04. I followed the pretty normal dpkg build process for
>>> it. (apt-get source; apt-get build-dep; debuild) No glibc weirdness.
>>>
>>> seph
>>>
>> That's weird, maybe I ran into something else or just flat out got
>> distracted/pulled in another direction.
>>
>> I was thinking it might be useful for this type to have both a parsedfile
>> and augeas provider. What do you guys think?
>>
>> And yes I do usually use definitions for stuff like this, but I just feel
>> like puppet should have some security types, and IIRC the solaris ones don't
>> differ much from the linux ones so it's partly a unix-agnostic type.
>>
>> Anybody else have more input on that last statement?
>
> add OS X to the Solaris/Linux PAM mix too? :)
>
> OS X 10.6 in particular makes PAM a lot more useful and authoritative.

It's good to hear that from you - I wasn't completely sure they had a PAM implementation, cause for instance OpenBSD doesn't (which is the BSD I currently use the most these days).

--
Joe McDonagh