manage non-interactive pam-session as well

Signed-off-by: Stephen Gran <steve@lobefin.net>

diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp
index da54711..bdb6df5 100644 (file)
--- a/modules/debian-org/manifests/init.pp
+++ b/modules/debian-org/manifests/init.pp
@@ -137,6 +137,10 @@ class debian-org {
                require => Package['debian.org'],
                content => template('debian-org/pam.common-session.erb'),
        }
+       file { '/etc/pam.d/common-session-noninteractive':
+               require => Package['debian.org'],
+               content => template('debian-org/pam.common-session-noninteractive.erb'),
+       }
        file { '/etc/rc.local':
                mode   => '0755',
                source => 'puppet:///modules/debian-org/rc.local',

diff --git a/modules/debian-org/templates/pam.common-session-noninteractive.erb b/modules/debian-org/templates/pam.common-session-noninteractive.erb
new file mode 100644 (file)
index 0000000..e13f989
--- /dev/null
+++ b/modules/debian-org/templates/pam.common-session-noninteractive.erb
@@ -0,0 +1,42 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<% unless lsbdistcodename == 'lenny' %>
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required        pam_unix.so     
+# end of pam-auth-update config
+<% else %>
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).  The default is pam_unix.
+#
+session        required        pam_unix.so
+<% end %>