community.general.pamd module – Manage PAM Modules

Note

This module is part of the community.general collection (version 6.6.9).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.pamd.

Synopsis

  • Edit PAM service’s type, control, module path and module arguments.

  • In order for a PAM rule to be modified, the type, control and module_path must match an existing rule. See man(5) pam.d for details.

Parameters

Parameter

Comments

backup

boolean

Create a backup file including the timestamp information so you can get the original file back if you somehow clobbered it incorrectly.

Choices:

  • false ← (default)

  • true

control

string / required

The control of the PAM rule being modified.

This may be a complicated control with brackets. If this is the case, be sure to put “[bracketed controls]” in quotes.

The type, control, and module_path options all must match a rule to be modified.

module_arguments

list / elements=string

When state=updated, the module_arguments will replace existing module_arguments.

When state=args_absent args matching those listed in module_arguments will be removed.

When state=args_present any args listed in module_arguments are added if missing from the existing rule.

Furthermore, if the module argument takes a value denoted by =, the value will be changed to that specified in module_arguments.

module_path

string / required

The module path of the PAM rule being modified.

The type, control, and module_path options all must match a rule to be modified.

name

string / required

The name generally refers to the PAM service file to change, for example system-auth.

new_control

string

The new control to assign to the new rule.

new_module_path

string

The new module path to be assigned to the new rule.

new_type

string

The new type to assign to the new rule.

Choices:

  • "account"

  • "-account"

  • "auth"

  • "-auth"

  • "password"

  • "-password"

  • "session"

  • "-session"

path

path

This is the path to the PAM service files.

Default: "/etc/pam.d"

state

string

The default of updated will modify an existing rule if type, control and module_path all match an existing rule.

With before, the new rule will be inserted before a rule matching type, control and module_path.

Similarly, with after, the new rule will be inserted after an existing rulematching type, control and module_path.

With either before or after new_type, new_control, and new_module_path must all be specified.

If state is args_absent or args_present, new_type, new_control, and new_module_path will be ignored.

State absent will remove the rule.

Choices:

  • "absent"

  • "before"

  • "after"

  • "args_absent"

  • "args_present"

  • "updated" ← (default)

type

string / required

The type of the PAM rule being modified.

The type, control, and module_path options all must match a rule to be modified.

Choices:

  • "account"

  • "-account"

  • "auth"

  • "-auth"

  • "password"

  • "-password"

  • "session"

  • "-session"

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Notes

Note

  • This module does not handle authselect profiles.

Examples

- name: Update pamd rule's control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_control: sufficient

- name: Update pamd rule's complex control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    new_control: '[success=2 default=ignore]'

- name: Insert a new rule before an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before

- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an \
        existing rule pam_rootok.so
  community.general.pamd:
    name: su
    type: auth
    control: sufficient
    module_path: pam_rootok.so
    new_type: auth
    new_control: required
    new_module_path: pam_wheel.so
    module_arguments: 'use_uid'
    state: after

- name: Remove module arguments from an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: ''
    state: updated

- name: Replace all module arguments in an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth
        silent
        deny=3
        unlock_time=604800
        fail_interval=900'
    state: updated

- name: Remove specific arguments from a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_absent

- name: Ensure specific arguments are present in a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_present

- name: Ensure specific arguments are present in a rule (alternative)
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments:
    - crond
    - quiet
    state: args_present

- name: Module arguments requiring commas must be listed as a Yaml list
  community.general.pamd:
    name: special-module
    type: account
    control: required
    module_path: pam_access.so
    module_arguments:
    - listsep=,
    state: args_present

- name: Update specific argument value in a rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'fail_interval=300'
    state: args_present

- name: Add pam common-auth rule for duo
  community.general.pamd:
    name: common-auth
    new_type: auth
    new_control: '[success=1 default=ignore]'
    new_module_path: '/lib64/security/pam_duo.so'
    state: after
    type: auth
    module_path: pam_sss.so
    control: 'requisite'

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

backupdest

string

The file name of the backup file, if created.

Returned: success

change_count

integer

How many rules were changed.

Returned: success

Sample: 1

Authors

  • Kenneth D. Evensen (@kevensen)