diff options
-rw-r--r-- | files/etc/pam.d/gdm | 12 | ||||
-rw-r--r-- | files/etc/pam.d/login | 84 | ||||
-rw-r--r-- | manifests/init.pp | 24 | ||||
-rw-r--r-- | manifests/utils.pp | 3 |
4 files changed, 121 insertions, 2 deletions
diff --git a/files/etc/pam.d/gdm b/files/etc/pam.d/gdm new file mode 100644 index 0000000..c8c9888 --- /dev/null +++ b/files/etc/pam.d/gdm @@ -0,0 +1,12 @@ +#%PAM-1.0 +auth requisite pam_nologin.so +auth required pam_env.so readenv=1 +auth required pam_env.so readenv=1 envfile=/etc/default/locale +@include common-auth +auth optional pam_gnome_keyring.so +@include common-account +session required pam_limits.so +@include common-session +session optional pam_gnome_keyring.so auto_start +@include common-password +@include common-pammount diff --git a/files/etc/pam.d/login b/files/etc/pam.d/login new file mode 100644 index 0000000..fd498c4 --- /dev/null +++ b/files/etc/pam.d/login @@ -0,0 +1,84 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. +# Uncomment the following line to enable SELinux +# session required pam_selinux.so select_context + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password +@include common-pammount diff --git a/manifests/init.pp b/manifests/init.pp index 152fcd1..f66edb1 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -190,6 +190,30 @@ class nodo::desktop inherits nodo::physical { mode => 0644, ensure => present, } + + # data + file { "/var/data": + ensure => directory, + mode => 0755, + } + + # pam - login + file { "/etc/pam.d/login": + source => "puppet://$desktop/modules/nodo/etc/pam.d/login", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + } + + # pam - gdm + file { "/etc/pam.d/gdm": + source => "puppet://$desktop/modules/nodo/etc/pam.d/gdm", + owner => "root", + group => "root", + mode => 0644, + ensure => present, + } } class nodo::vserver inherits nodo { diff --git a/manifests/utils.pp b/manifests/utils.pp index b30bb4d..b38c585 100644 --- a/manifests/utils.pp +++ b/manifests/utils.pp @@ -26,7 +26,7 @@ class utils::web { } } -# Common utilities for desktops +# Common utilities for desktop class utils::desktop { package { [ 'awesome', 'alsa-tools-gui', 'mutt', 'irssi', 'offlineimap', 'wyrd', @@ -36,4 +36,3 @@ class utils::desktop { ensure => installed, } } - |