New in version 2.3.
Parameter | Choices/Defaults | Comments |
---|---|---|
backup bool (added in 2.6) | | Create a backup file including the timestamp information so you can get the original file back if you somehow clobbered it incorrectly. |
control required | | The control of the PAM rule being modified. This may be a complicated control with brackets. If this is the case, be sure to put "[bracketed controls]" in quotes. The type, control and module_path all must match a rule to be modified. |
module_arguments | | When state is 'updated', the module_arguments will replace existing module_arguments. When state is 'args_absent' args matching those listed in module_arguments will be removed. When state is 'args_present' any args listed in module_arguments are added if missing from the existing rule. Furthermore, if the module argument takes a value denoted by '=', the value will be changed to that specified in module_arguments. Note that module_arguments is a list. Please see the examples for usage. |
module_path required | | The module path of the PAM rule being modified. The type, control and module_path all must match a rule to be modified. |
name required | | The name generally refers to the PAM service file to change, for example system-auth. |
new_control | | The new control to assign to the new rule. |
new_module_path | | The new module path to be assigned to the new rule. |
new_type | | The new type to assign to the new rule. |
path | Default: /etc/pam.d/ | This is the path to the PAM service files |
state | | The default of 'updated' will modify an existing rule if type, control and module_path all match an existing rule. With 'before', the new rule will be inserted before a rule matching type, control and module_path. Similarly, with 'after', the new rule will be inserted after an existing rule matching type, control and module_path. With either 'before' or 'after' new_type, new_control, and new_module_path must all be specified. If state is 'args_absent' or 'args_present', new_type, new_control, and new_module_path will be ignored. State 'absent' will remove the rule. The 'absent' state was added in version 2.4 and is only available in Ansible versions >= 2.4. |
type required | | The type of the PAM rule being modified. The type, control and module_path all must match a rule to be modified. |
```yaml
- name: Update pamd rule's control in /etc/pam.d/system-auth
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_control: sufficient

- name: Update pamd rule's complex control in /etc/pam.d/system-auth
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    new_control: '[success=2 default=ignore]'

- name: Insert a new rule before an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before

- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an existing rule pam_rootok.so
  pamd:
    name: su
    type: auth
    control: sufficient
    module_path: pam_rootok.so
    new_type: auth
    new_control: required
    new_module_path: pam_wheel.so
    module_arguments: 'use_uid'
    state: after

- name: Remove module arguments from an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: ''
    state: updated

- name: Replace all module arguments in an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth silent deny=3 unlock_time=604800 fail_interval=900'
    state: updated

- name: Remove specific arguments from a rule
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_absent

- name: Ensure specific arguments are present in a rule
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_present

- name: Ensure specific arguments are present in a rule (alternative)
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments:
      - crond
      - quiet
    state: args_present

- name: Module arguments requiring commas must be listed as a Yaml list
  pamd:
    name: special-module
    type: account
    control: required
    module_path: pam_access.so
    module_arguments:
      - listsep=,
    state: args_present

- name: Update specific argument value in a rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'fail_interval=300'
    state: args_present

- name: Add pam common-auth rule for duo
  pamd:
    name: common-auth
    new_type: auth
    new_control: '[success=1 default=ignore]'
    new_module_path: '/lib64/security/pam_duo.so'
    state: after
    type: auth
    module_path: pam_sss.so
    control: 'requisite'
```
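The rule matching and the 'updated', 'args_absent' and 'args_present' semantics described in the parameter table, modelled in Python as an added example (not the pamd module's own code). `parse_rule`, `apply_state` and the `SAMPLE` lines are hypothetical and constructed for illustration; bracketed module arguments that contain spaces are not handled.

```python
import re

# Added illustration: parse_rule/apply_state are hypothetical helpers, not the
# pamd module's implementation. SAMPLE lines are constructed.
# Fields: type, control (single word or [bracketed]), module path, arguments.
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

SAMPLE = [
    "auth required pam_env.so",
    "auth required pam_faillock.so preauth silent deny=3 fail_interval=900",
    "session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid",
]

def parse_rule(line):
    """Return (type, control, module_path, [args]) or None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if m is None:  # blank lines, comments, @include directives
        return None
    rtype, control, path, rest = m.groups()
    return rtype, control, path, rest.split()

def apply_state(line, rtype, control, path, state, module_arguments):
    """Apply one of the argument-editing states to a single rule line."""
    rule = parse_rule(line)
    # type, control and module_path must all match, otherwise leave the line alone
    if rule is None or rule[:3] != (rtype, control, path):
        return line
    args = rule[3]
    if state == "updated":            # replace the whole argument list
        args = list(module_arguments)
    elif state == "args_absent":      # drop only the listed arguments
        args = [a for a in args if a not in module_arguments]
    elif state == "args_present":     # add missing ones, update key=value
        for wanted in module_arguments:
            if wanted in args:
                continue
            key, eq, _ = wanted.partition("=")
            hits = [i for i, a in enumerate(args) if eq and a.startswith(key + "=")]
            if hits:
                args[hits[0]] = wanted
            else:
                args.append(wanted)
    else:
        raise ValueError("state not modelled in this sketch: " + state)
    return " ".join([rtype, control, path] + args)
```

Running the intended parameters through a model like this against a copy of the service file shows which line the type/control/module_path triple selects before the authentication stack on a live host is changed.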
Common return values are documented here; the following fields are unique to this module:
Key | Returned | Description |
---|---|---|
action string (added in 2.4) | always | The action that was taken, one of: update_rule, insert_before_rule, insert_after_rule, args_present, args_absent, absent. Sample: update_rule |
backupdest string (added in 2.6) | success | The file name of the backup file, if created. |
change_count int (added in 2.4) | success | How many rules were changed Sample: 1 |
dest string | success | Path to pam.d service that was changed. This is only available in Ansible version 2.3 and was removed in 2.4. Sample: /etc/pam.d/system-auth |
new_rule string (added in 2.4) | success | The changes to the rule. This was available in Ansible version 2.4 and 2.5. It was removed in 2.6. Sample: None None None sha512 shadow try_first_pass use_authtok |
updated_rule_(n) string (added in 2.4) | success | The rule(s) that was/were changed. This is only available in Ansible version 2.4 and was removed in 2.5. Sample: ['password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok'] |
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.
For a list of other modules that are also maintained by the Ansible Community, see here.
© 2012–2018 Michael DeHaan
© 2018 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.7/modules/pamd_module.html