added templates for debian 12

kamunas · kamunas · commit 03ec64793b36 · 2024-07-30T12:37:28.000+02:00
restored pam data and templates for debian 10 support
diff --git a/README.md b/README.md
@@ -277,6 +277,7 @@ module aims to support the current and previous major Puppet versions.
  * Amazon Linux 2
  * Debian 10
  * Debian 11
+ * Debian 12
  * Ubuntu 20.04 LTS
  * Ubuntu 22.04 LTS
 
diff --git a/data/os/Debian/10.yaml b/data/os/Debian/10.yaml
@@ -0,0 +1,31 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+  - common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.debian10.erb
+pam::pam_d_sshd_template: pam/sshd.debian10.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+  - 'auth  [success=1 default=ignore]  pam_unix.so nullok_secure'
+  - 'auth  requisite   pam_deny.so'
+  - 'auth  required    pam_permit.so'
+pam::pam_account_lines:
+  - 'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so'
+  - 'account requisite     pam_deny.so'
+  - 'account required      pam_permit.so'
+pam::pam_password_lines:
+  - 'password  [success=1 default=ignore]  pam_unix.so obscure sha512'
+  - 'password  requisite     pam_deny.so'
+  - 'password  required      pam_permit.so'
+pam::pam_session_lines:
+  - 'session [default=1]   pam_permit.so'
+  - 'session requisite     pam_deny.so'
+  - 'session required      pam_permit.so'
+  - 'session required      pam_unix.so'
+  - 'session optional      pam_systemd.so'
diff --git a/data/os/Debian/12.yaml b/data/os/Debian/12.yaml
@@ -0,0 +1,31 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+  - common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.debian12.erb
+pam::pam_d_sshd_template: pam/sshd.debian12.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+  - 'auth  [success=1 default=ignore]  pam_unix.so nullok'
+  - 'auth  requisite   pam_deny.so'
+  - 'auth  required    pam_permit.so'
+pam::pam_account_lines:
+  - 'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so'
+  - 'account requisite     pam_deny.so'
+  - 'account required      pam_permit.so'
+pam::pam_password_lines:
+  - 'password  [success=1 default=ignore]  pam_unix.so obscure yescrypt'
+  - 'password  requisite     pam_deny.so'
+  - 'password  required      pam_permit.so'
+pam::pam_session_lines:
+  - 'session [default=1]   pam_permit.so'
+  - 'session requisite     pam_deny.so'
+  - 'session required      pam_permit.so'
+  - 'session required      pam_unix.so'
+  - 'session optional      pam_systemd.so'
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -266,8 +266,8 @@
     fail("osfamily Suse's os.release.major is <${::facts['os']['release']['major']}> and must be 9, 10, 11, 12, 13 or 15")
   }
 
-  if $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10', '11']) {
-    fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10 or 11")
+  if $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10','11','12']) {
+    fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10, 11 or 12")
   }
 
   if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04']) {
diff --git a/metadata.json b/metadata.json
@@ -27,7 +27,8 @@
     {
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
-        "11"
+        "11",
+        "12"
       ]
     },
     {
diff --git a/spec/acceptance/nodesets/debian-12.yml b/spec/acceptance/nodesets/debian-12.yml
@@ -0,0 +1,27 @@
+HOSTS:
+  debian11:
+    roles:
+      - agent
+    platform: debian-12-amd64
+    hypervisor: docker
+    image: debian:12
+    docker_preserve_image: true
+    docker_cmd:
+      - '/sbin/init'
+    docker_image_commands:
+      - 'apt-get install -y wget net-tools systemd-sysv locales apt-transport-https ca-certificates'
+      - 'echo "LC_ALL=en_US.UTF-8" >> /etc/environment'
+      - 'echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen'
+      - 'echo "LANG=en_US.UTF-8" > /etc/locale.conf'
+      - 'locale-gen en_US.UTF-8'
+    docker_env:
+      - LANG=en_US.UTF-8
+      - LANGUAGE=en_US.UTF-8
+      - LC_ALL=en_US.UTF-8
+    docker_container_name: 'pam-debian12'
+CONFIG:
+  log_level: debug
+  type: foss
+ssh:
+  password: root
+  auth_methods: ["password"]
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_account b/spec/fixtures/debian-12-x86_64-pam_common_account
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
+account requisite     pam_deny.so
+account required      pam_permit.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_auth b/spec/fixtures/debian-12-x86_64-pam_common_auth
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth  [success=1 default=ignore]  pam_unix.so nullok
+auth  requisite   pam_deny.so
+auth  required    pam_permit.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_password b/spec/fixtures/debian-12-x86_64-pam_common_password
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password  [success=1 default=ignore]  pam_unix.so obscure yescrypt
+password  requisite     pam_deny.so
+password  required      pam_permit.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_session b/spec/fixtures/debian-12-x86_64-pam_common_session
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session required      pam_unix.so
+session optional      pam_systemd.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_common_session_noninteractive b/spec/fixtures/debian-12-x86_64-pam_common_session_noninteractive
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session required      pam_unix.so
+session optional      pam_systemd.so
diff --git a/spec/fixtures/debian-12-x86_64-pam_d_login b/spec/fixtures/debian-12-x86_64-pam_d_login
@@ -0,0 +1,18 @@
+auth       optional   pam_faildelay.so  delay=3000000
+auth       requisite  pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session       required   pam_env.so readenv=1
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth       optional   pam_group.so
+session    required   pam_limits.so
+session    optional   pam_lastlog.so
+session    optional   pam_mail.so standard
+session    optional   pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/spec/fixtures/debian-12-x86_64-pam_d_sshd b/spec/fixtures/debian-12-x86_64-pam_d_sshd
@@ -0,0 +1,16 @@
+@include common-auth
+account    required     pam_nologin.so
+account  required     pam_access.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional     pam_keyinit.so force revoke
+@include common-session
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+session    required     pam_env.so # [1]
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password
diff --git a/templates/login.debian10.erb b/templates/login.debian10.erb
@@ -0,0 +1,19 @@
+auth       optional   pam_faildelay.so  delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth       requisite  pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session    required     pam_loginuid.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session       required   pam_env.so readenv=1
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth       optional   pam_group.so
+session    required   pam_limits.so
+session    optional   pam_lastlog.so
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+session    optional   pam_mail.so standard
+session    optional   pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/templates/login.debian12.erb b/templates/login.debian12.erb
@@ -0,0 +1,18 @@
+auth       optional   pam_faildelay.so  delay=3000000
+auth       requisite  pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session       required   pam_env.so readenv=1
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth       optional   pam_group.so
+session    required   pam_limits.so
+session    optional   pam_lastlog.so
+session    optional   pam_mail.so standard
+session    optional   pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/templates/sshd.debian10.erb b/templates/sshd.debian10.erb
@@ -0,0 +1,18 @@
+@include common-auth
+account    required     pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account  <%= @sshd_pam_access %>     pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional     pam_keyinit.so force revoke
+@include common-session
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+session    required     pam_env.so # [1]
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password
diff --git a/templates/sshd.debian12.erb b/templates/sshd.debian12.erb
@@ -0,0 +1,18 @@
+@include common-auth
+account    required     pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account  <%= @sshd_pam_access %>     pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional     pam_keyinit.so force revoke
+@include common-session
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+session    required     pam_env.so # [1]
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password

Original file line number	Diff line number	Diff line change
`@@ -266,8 +266,8 @@`
`266`	`266`	`fail("osfamily Suse's os.release.major is <${::facts['os']['release']['major']}> and must be 9, 10, 11, 12, 13 or 15")`
`267`	`267`	`}`
`268`	`268`
`269`		`- if $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10', '11']) {`
`270`		`- fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10 or 11")`
	`269`	`+ if $facts['os']['name'] == 'Debian' and !($facts['os']['release']['major'] in ['7','8','9','10','11','12']) {`
	`270`	`+ fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10, 11 or 12")`
`271`	`271`	`}`
`272`	`272`
`273`	`273`	`if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04']) {`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,8 @@`
`27`	`27`	`{`
`28`	`28`	`"operatingsystem": "Debian",`
`29`	`29`	`"operatingsystemrelease": [`
`30`		`- "11"`
	`30`	`+ "11",`
	`31`	`+ "12"`
`31`	`32`	`]`
`32`	`33`	`},`
`33`	`34`	`{`