Re: [Puppet Users] Augeas pam.d argument checking
David Lutterkort wrote:
> On Sun, 2010-02-21 at 15:06 -0500, Joe McDonagh wrote:
> > I have not thought about using augeas because last time I tried to build
> > it for our standard OS (Ubuntu 8.04) IIRC it needed a newer version of
> > glibc.
>
> I haven't seen that problem - but if you run into it again, I'd very much
> appreciate any build logs you have (compiler output etc.) I try very hard
> to make Augeas only rely on a very minimalistic C library (it builds on
> AIX ;)
>
> David

Since someone else said they built it on 8.04 I might have just gotten distracted by something else. And I didn't even get the day off I was counting on to get something done...

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
L'ennui est contre-révolutionnaire

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Augeas pam.d argument checking
On Sun, 2010-02-21 at 15:06 -0500, Joe McDonagh wrote:
> I have not thought about using augeas because last time I tried to build
> it for our standard OS (Ubuntu 8.04) IIRC it needed a newer version of
> glibc.

I haven't seen that problem - but if you run into it again, I'd very much appreciate any build logs you have (compiler output etc.) I try very hard to make Augeas only rely on a very minimalistic C library (it builds on AIX ;)

David
Re: [Puppet Users] Augeas pam.d argument checking
David Lutterkort wrote:
> On Thu, 2010-02-18 at 18:33 -0500, Joe McDonagh wrote:
> > I created a ticket about a pam type nearly a year ago and hopefully I
> > can have a working type with the parsedfile provider sometime within the
> > next week (I should have a real-live day off Friday). I did do some
> > planning for type features while on a plane ride but ended up falling
> > asleep... so that's as far as I am right now. I'll post to the list once
> > I have something that resembles a working pam type.
>
> Have you thought about doing this based on Augeas rather than
> ParsedFile ? Depending on what exactly you want your type to do, you
> might even be able to write it as a 'define' in puppet, rather than
> having to drop to Ruby.
>
> If the logic in your type is complex enough, though, and you have to
> write it in Ruby, you can still use Augeas to access, query and modify
> the pam entries.
>
> David

I have not thought about using augeas because last time I tried to build it for our standard OS (Ubuntu 8.04) IIRC it needed a newer version of glibc.

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
L'ennui est contre-révolutionnaire
Re: [Puppet Users] Augeas pam.d argument checking
On Thu, 2010-02-18 at 18:33 -0500, Joe McDonagh wrote:
> I created a ticket about a pam type nearly a year ago and hopefully I
> can have a working type with the parsedfile provider sometime within the
> next week (I should have a real-live day off Friday). I did do some
> planning for type features while on a plane ride but ended up falling
> asleep... so that's as far as I am right now. I'll post to the list once
> I have something that resembles a working pam type.

Have you thought about doing this based on Augeas rather than ParsedFile ? Depending on what exactly you want your type to do, you might even be able to write it as a 'define' in puppet, rather than having to drop to Ruby.

If the logic in your type is complex enough, though, and you have to write it in Ruby, you can still use Augeas to access, query and modify the pam entries.

David
Re: [Puppet Users] Augeas pam.d argument checking
Ed wrote:
> I'm trying to change the password complexity requirements in
> pam.d/system-auth using augeas. I can append the values (lcredit=-1,
> ucredit=-1, etc) onto the correct place, but if another value is already
> present (i.e. lcredit=-2), the onlyif match statement doesn't seem to
> support checking regular expressions inside of strings. How do I check
> that any numeric value exists in the argument??
>
> define passwordcomplexity($lowercase = "1", $uppercase = "1", $numeric = "1", $special = "1") {
>     augeas { "add_lowercase_reqs" :
>         context => "/files/etc/pam.d",
>         changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] lcredit=-$lowercase",
>         onlyif => "match system-auth/*[argument='lcredit=*'] size == 0",
>     }
>     augeas { "add_uppercase_reqs" :
>         context => "/files/etc/pam.d",
>         changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ucredit=-$uppercase",
>         onlyif => "match system-auth/*[argument='ucredit=*'] size == 0",
>     }
>     augeas { "add_numeric_reqs" :
>         context => "/files/etc/pam.d",
>         changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] dcredit=-$numeric",
>         onlyif => "match system-auth/*[argument='dcredit=*'] size == 0",
>     }
>     augeas { "add_special_reqs" :
>         context => "/files/etc/pam.d",
>         changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ocredit=-$special",
>         onlyif => "match system-auth/*[argument='ocredit=*'] size == 0",
>     }
> }
>
> This will continuously append lcredit=-2, etc onto the end of the line,
> without checking the values that currently exist:
>
> passwordrequisite pam_cracklib.so try_first_pass retry=3 maxrepeat=3lcredit=-2 ocredit=-2 dcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 lcredit=-2 ucredit=-2
>
> - ~Ed

I created a ticket about a pam type nearly a year ago and hopefully I can have a working type with the parsedfile provider sometime within the next week (I should have a real-live day off Friday). I did do some planning for type features while on a plane ride but ended up falling asleep... so that's as far as I am right now. I'll post to the list once I have something that resembles a working pam type.

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
L'ennui est contre-révolutionnaire
[Puppet Users] Augeas pam.d argument checking
I'm trying to change the password complexity requirements in pam.d/system-auth using augeas. I can append the values (lcredit=-1, ucredit=-1, etc) onto the correct place, but if another value is already present (i.e. lcredit=-2), the onlyif match statement doesn't seem to support checking regular expressions inside of strings. How do I check that any numeric value exists in the argument??

    define passwordcomplexity($lowercase = "1", $uppercase = "1", $numeric = "1", $special = "1") {
        augeas { "add_lowercase_reqs" :
            context => "/files/etc/pam.d",
            changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] lcredit=-$lowercase",
            onlyif => "match system-auth/*[argument='lcredit=*'] size == 0",
        }
        augeas { "add_uppercase_reqs" :
            context => "/files/etc/pam.d",
            changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ucredit=-$uppercase",
            onlyif => "match system-auth/*[argument='ucredit=*'] size == 0",
        }
        augeas { "add_numeric_reqs" :
            context => "/files/etc/pam.d",
            changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] dcredit=-$numeric",
            onlyif => "match system-auth/*[argument='dcredit=*'] size == 0",
        }
        augeas { "add_special_reqs" :
            context => "/files/etc/pam.d",
            changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ocredit=-$special",
            onlyif => "match system-auth/*[argument='ocredit=*'] size == 0",
        }
    }

This will continuously append lcredit=-2, etc onto the end of the line, without checking the values that currently exist:

    passwordrequisite pam_cracklib.so try_first_pass retry=3 maxrepeat=3lcredit=-2 ocredit=-2 dcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 lcredit=-2 ucredit=-2

- ~Ed
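
Added example, not part of the original thread: in an Augeas path expression `=` is an exact string comparison, so `[argument='lcredit=*']` only matches an argument that is literally `lcredit=*`, the guard never becomes false, and every run appends again. The sketch below matches on the option name with a regular expression and either appends once or rewrites in place. The define name and resource titles are hypothetical, and it assumes an Augeas whose path expressions support `=~ regexp()` and a Puppet augeas type that supports `setm`.

```puppet
# Added example, not code from the thread. Names are hypothetical.
# Assumes Augeas path expressions with "=~ regexp()" and Puppet "setm".
define pam_cracklib_credit($value = '1') {
  # $name is the option to manage: lcredit, ucredit, dcredit or ocredit.
  $entry = "system-auth/*[module='pam_cracklib.so']"
  # Every argument node carrying this option, whatever its current value.
  $args  = "${entry}/argument[. =~ regexp('${name}=.*')]"
  $want  = "${name}=-${value}"

  # Case 1: the option is not on the line at all, so append it exactly once.
  augeas { "pam_cracklib_${name}_add":
    context => '/files/etc/pam.d',
    changes => "set ${entry}/argument[last()+1] ${want}",
    onlyif  => "match ${args} size == 0",
  }

  # Case 2: the option is present with some other value (including the
  # duplicates left by earlier appends). Rewrite every occurrence in place
  # instead of adding another one; duplicates end up identical, not removed.
  augeas { "pam_cracklib_${name}_set":
    context => '/files/etc/pam.d',
    changes => "setm ${entry} argument[. =~ regexp('${name}=.*')] ${want}",
    onlyif  => "match ${args}[. != '${want}'] size > 0",
  }
}

# One declaration per credit class, mirroring the defaults of the
# passwordcomplexity define in the post.
pam_cracklib_credit {
  'lcredit': value => '1';
  'ucredit': value => '1';
  'dcredit': value => '1';
  'ocredit': value => '1';
}
```

After the first run both guards evaluate to false for an unchanged file, so later runs leave pam.d/system-auth alone.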