So based on a posting from last year, I changed the definition to just
remove and rebuild the line in pam.d/system-auth based on the
variables passed in. Although this isn't the elegant solution that I
was searching for (breaking it up to different functions and using
"onlyif"), it does get the job done. Here is what I've got:
define passwordcomplexity($retry = "3", $lowercase = "1",
$uppercase = "1", $numeric = "1", $special = "1", $maxrepeats = "3") {
augeas { "rebuild_passwordcomplex_reqs" :
context => "/files/etc/pam.d",
changes => ["rm system-auth/
*[module='pam_cracklib.so'][type='password']/argument",
"set system-auth/
*[module='pam_cracklib.so']/argument[last()+1] try_first_pass",
"set system-auth/
*[module='pam_cracklib.so']/argument[last()+1] retry=$retry",
"set system-auth/
*[module='pam_cracklib.so']/argument[last()+1] maxrepeats=
$maxrepeats",
"set system-auth/
*[module='pam_cracklib.so']/argument[last()+1] lcredit=-$lowercase",
"set system-auth/
*[module='pam_cracklib.so']/argument[last()+1] ucredit=-$uppercase",
"set system-auth/
*[module='pam_cracklib.so']/argument[last()+1] dcredit=-$numeric",
"set system-auth/
*[module='pam_cracklib.so']/argument[last()+1] ocredit=-$special"],
}
If anyone knows how to use onlyif and match/get to get an augeas
argument based on a regular expression, I'd be happy hear about it.
~Ed
On Feb 18, 8:40 am, Ed <[email protected]> wrote:
> I'm trying to change the password complexity requirements in
> pam.d/system-auth using augeas. I can append the values (lcredit=-1,
> ucredit=-1, etc) onto the correct place, but if another value is
> already present (i.e. lcredit=-2), the onlyif match statement doesn't
> seem to support checking regular expressions inside of strings. How do
> I check that any numeric value exists in the argument??
>
> define passwordcomplexity($lowercase = "1", $uppercase = "1",
> $numeric = "1", $special = "1") {
> augeas { "add_lowercase_reqs" :
> context => "/files/etc/pam.d",
> changes => "set
> system-auth/*[module='pam_cracklib.so']/argument[last()+1]
> lcredit=-$lowercase",
> onlyif => "match
> system-auth/*[argument='lcredit=*'] size == 0",
> }
> augeas { "add_uppercase_reqs" :
> context => "/files/etc/pam.d",
> changes => "set
> system-auth/*[module='pam_cracklib.so']/argument[last()+1]
> ucredit=-$uppercase",
> onlyif => "match
> system-auth/*[argument='ucredit=*'] size == 0",
> }
> augeas { "add_numeric_reqs" :
> context => "/files/etc/pam.d",
> changes => "set
> system-auth/*[module='pam_cracklib.so']/argument[last()+1]
> dcredit=-$numeric",
> onlyif => "match
> system-auth/*[argument='dcredit=*'] size == 0",
> }
> augeas { "add_special_reqs" :
> context => "/files/etc/pam.d",
> changes => "set
> system-auth/*[module='pam_cracklib.so']/argument[last()+1]
> ocredit=-$special",
> onlyif => "match
> system-auth/*[argument='ocredit=*'] size == 0",
> }
> }
>
> This will continuously append lcredit=-2, etc onto the end of the
> line, without checking the values that currently exist:
>
> ----------------------------------------------------
> password requisite pam_cracklib.so try_first_pass retry=3
> maxrepeat=3 lcredit=-2 ocredit=-2 dcredit=-2
> ucredit=-2 dcredit=-2 ocredit=-2 lcredit=-2
> ucredit=-2
> -----------------------------------------------------
>
> ~Ed
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
