ansible.builtin.pamd (v2.9.21) — module
Manage PAM Modules
Added in version 2.3 of ansible.builtin
Authors: Kenneth D. Evensen (@kevensen)
preview | supported by community
Install with pip install ansible==2.9.21
Edit PAM service's type, control, module path and module arguments.
In order for a PAM rule to be modified, the type, control and module_path must match an existing rule. See man(5) pam.d for details.
- name: Update pamd rule's control in /etc/pam.d/system-auth
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_control: sufficient

- name: Update pamd rule's complex control in /etc/pam.d/system-auth
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    new_control: '[success=2 default=ignore]'

- name: Insert a new rule before an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before

- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an existing rule pam_rootok.so
  pamd:
    name: su
    type: auth
    control: sufficient
    module_path: pam_rootok.so
    new_type: auth
    new_control: required
    new_module_path: pam_wheel.so
    module_arguments: 'use_uid'
    state: after

- name: Remove module arguments from an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: ''
    state: updated

- name: Replace all module arguments in an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth silent deny=3 unlock_time=604800 fail_interval=900'
    state: updated

- name: Remove specific arguments from a rule
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_absent

- name: Ensure specific arguments are present in a rule
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_present

- name: Ensure specific arguments are present in a rule (alternative)
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments:
      - crond
      - quiet
    state: args_present

- name: Module arguments requiring commas must be listed as a YAML list
  pamd:
    name: special-module
    type: account
    control: required
    module_path: pam_access.so
    module_arguments:
      - listsep=,
    state: args_present

- name: Update specific argument value in a rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'fail_interval=300'
    state: args_present

- name: Add pam common-auth rule for duo
  pamd:
    name: common-auth
    new_type: auth
    new_control: '[success=1 default=ignore]'
    new_module_path: '/lib64/security/pam_duo.so'
    state: after
    type: auth
    module_path: pam_sss.so
    control: 'requisite'
name:
  description:
    - The name generally refers to the PAM service file to change, for example system-auth.
  required: true
  type: str
path:
  default: /etc/pam.d
  description:
    - This is the path to the PAM service files.
  type: path
type:
  choices:
    - account
    - -account
    - auth
    - -auth
    - password
    - -password
    - session
    - -session
  description:
    - The type of the PAM rule being modified.
    - The C(type), C(control) and C(module_path) all must match a rule to be modified.
  required: true
  type: str
state:
  choices:
    - absent
    - before
    - after
    - args_absent
    - args_present
    - updated
  default: updated
  description:
    - The default of C(updated) will modify an existing rule if type, control and module_path all match an existing rule.
    - With C(before), the new rule will be inserted before a rule matching type, control and module_path.
    - Similarly, with C(after), the new rule will be inserted after an existing rule matching type, control and module_path.
    - With either C(before) or C(after) new_type, new_control, and new_module_path must all be specified.
    - If state is C(args_absent) or C(args_present), new_type, new_control, and new_module_path will be ignored.
    - State C(absent) will remove the rule. The 'absent' state was added in Ansible 2.4.
  type: str
backup:
  default: false
  description:
    - Create a backup file including the timestamp information so you can get the original file back if you somehow clobbered it incorrectly.
  type: bool
  version_added: '2.6'
  version_added_collection: ansible.builtin
control:
  description:
    - The control of the PAM rule being modified.
    - This may be a complicated control with brackets. If this is the case, be sure to put "[bracketed controls]" in quotes.
    - The C(type), C(control) and C(module_path) all must match a rule to be modified.
  required: true
  type: str
new_type:
  choices:
    - account
    - -account
    - auth
    - -auth
    - password
    - -password
    - session
    - -session
  description:
    - The new type to assign to the new rule.
  type: str
module_path:
  description:
    - The module path of the PAM rule being modified.
    - The C(type), C(control) and C(module_path) all must match a rule to be modified.
  required: true
  type: str
new_control:
  description:
    - The new control to assign to the new rule.
  type: str
new_module_path:
  description:
    - The new module path to be assigned to the new rule.
  type: str
module_arguments:
  description:
    - When state is C(updated), the module_arguments will replace existing module_arguments.
    - When state is C(args_absent) args matching those listed in module_arguments will be removed.
    - When state is C(args_present) any args listed in module_arguments are added if missing from the existing rule.
    - Furthermore, if the module argument takes a value denoted by C(=), the value will be changed to that specified in module_arguments.
  type: list
action:
  description:
    - 'The action that was taken and is one of: update_rule, insert_before_rule, insert_after_rule, args_present, args_absent, absent. This was available in Ansible 2.4 and removed in Ansible 2.8'
  returned: always
  sample: update_rule
  type: str
  version_added: 2.4
  version_added_collection: ansible.builtin
backupdest:
  description:
    - The file name of the backup file, if created.
  returned: success
  type: str
  version_added: 2.6
  version_added_collection: ansible.builtin
change_count:
  description: How many rules were changed.
  returned: success
  sample: 1
  type: int
  version_added: 2.4
  version_added_collection: ansible.builtin
dest:
  description:
    - Path to pam.d service that was changed. This is only available in Ansible 2.3 and was removed in Ansible 2.4.
  returned: success
  sample: /etc/pam.d/system-auth
  type: str
new_rule:
  description: The changes to the rule. This was available in Ansible 2.4 and Ansible 2.5. It was removed in Ansible 2.6.
  returned: success
  sample: None None None sha512 shadow try_first_pass use_authtok
  type: str
  version_added: 2.4
  version_added_collection: ansible.builtin
updated_rule_(n):
  description: The rule(s) that was/were changed. This is only available in Ansible 2.4 and was removed in Ansible 2.5.
  returned: success
  sample:
    - password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
  type: str
  version_added: 2.4
  version_added_collection: ansible.builtin
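The matching and argument rules described above (type, control and module_path must all match; updated replaces the arguments, args_present adds or re-values them, args_absent removes them) can be modelled in Python to preview what a task would do to a PAM stack before it runs. This is an added illustration, not the module's own code: parse_rule, apply_state and SAMPLE are hypothetical names, the sample lines are constructed, and exact-string matching for args_absent is an assumption.

```python
# Added illustration: a small model of pamd rule matching, not Ansible's source.
def parse_rule(line):
    """Return (type, control, module_path, args) or None for non-rule lines."""
    parts = line.strip().split(None, 1)
    if len(parts) < 2 or parts[0].startswith("#"):
        return None
    rtype, rest = parts
    if rest.startswith("["):                 # bracketed control may contain spaces
        end = rest.find("]")
        if end < 0:
            return None
        control, rest = rest[:end + 1], rest[end + 1:]
    else:
        bits = rest.split(None, 1)
        control, rest = bits[0], bits[1] if len(bits) > 1 else ""
    fields = rest.split()                    # simplification: args split on whitespace
    return (rtype, control, fields[0], fields[1:]) if fields else None

def apply_state(lines, rtype, control, module_path, state, module_arguments):
    """Return (new_lines, change_count) for updated / args_present / args_absent."""
    out, changed = [], 0
    for line in lines:
        rule = parse_rule(line)
        if rule is None or rule[:3] != (rtype, control, module_path):
            out.append(line)                 # all three fields must match
            continue
        args = rule[3]
        if state == "updated":
            new_args = list(module_arguments)
        elif state == "args_absent":         # assumption: exact-string match
            new_args = [a for a in args if a not in module_arguments]
        elif state == "args_present":
            new_args = list(args)
            for want in module_arguments:
                key = want.split("=", 1)[0]
                hits = [i for i, a in enumerate(new_args) if a.split("=", 1)[0] == key]
                if not hits:
                    new_args.append(want)    # missing argument is added
                elif "=" in want:
                    new_args[hits[0]] = want # key=value argument gets the new value
        else:
            raise ValueError("state not modelled: " + state)
        if new_args != args:
            changed += 1
            line = " ".join([rtype, control, module_path] + new_args)
        out.append(line)
    return out, changed

SAMPLE = [  # constructed sample lines, not a real system-auth
    "# constructed sample",
    "auth        required      pam_faillock.so preauth silent deny=5 fail_interval=900",
    "auth        sufficient    pam_unix.so try_first_pass",
    "session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid",
]
```

In this model a change count of 0 means either the rule already had the requested arguments or no line matched all three of type, control and module_path.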