New in version 2.3.
parameter | required | default | choices | comments |
---|---|---|---|---|
control |
yes | The control of the PAM rule being modified. This may be a complicated control with brackets. If this is the case, be sure to put "[bracketed controls]" in quotes. The type, control and module_path all must match a rule to be modified. | ||
module_arguments |
no | When state is 'updated', the module_arguments will replace existing module_arguments. When state is 'args_absent' args matching those listed in module_arguments will be removed. When state is 'args_present' any args listed in module_arguments are added if missing from the existing rule. Furthermore, if the module argument takes a value denoted by '=', the value will be changed to that specified in module_arguments. | ||
module_path |
yes | The module path of the PAM rule being modified. The type, control and module_path all must match a rule to be modified. | ||
name |
yes | The name generally refers to the PAM service file to change, for example system-auth. | ||
new_control |
no | The control to assign to the new rule. | ||
new_module_path |
no | The control to assign to the new rule. | ||
new_type |
no | The type to assign to the new rule. | ||
path |
no | /etc/pam.d/ | This is the path to the PAM service files | |
state |
no | updated |
|
The default of 'updated' will modify an existing rule if type, control and module_path all match an existing rule. With 'before', the new rule will be inserted before a rule matching type, control and module_path. Similarly, with 'after', the new rule will be inserted after an existing rule matching type, control and module_path. With either 'before' or 'after' new_type, new_control, and new_module_path must all be specified. If state is 'args_absent' or 'args_present', new_type, new_control, and new_module_path will be ignored. |
type |
yes | The type of the PAM rule being modified. The type, control and module_path all must match a rule to be modified. |
- name: Update pamd rule's control in /etc/pam.d/system-auth pamd: name: system-auth type: auth control: required module_path: pam_faillock.so new_control: sufficient - name: Update pamd rule's complex control in /etc/pam.d/system-auth pamd: name: system-auth type: session control: '[success=1 default=ignore]' module_path: pam_succeed_if.so new_control: '[success=2 default=ignore]' - name: Insert a new rule before an existing rule pamd: name: system-auth type: auth control: required module_path: pam_faillock.so new_type: auth new_control: sufficient new_module_path: pam_faillock.so state: before - name: Insert a new rule after an existing rule pamd: name: system-auth type: auth control: required module_path: pam_faillock.so new_type: auth new_control: sufficient new_module_path: pam_faillock.so state: after - name: Remove module arguments from an existing rule pamd: name: system-auth type: auth control: required module_path: pam_faillock.so module_arguments: '' state: updated - name: Replace all module arguments in an existing rule pamd: name: system-auth type: auth control: required module_path: pam_faillock.so module_arguments: 'preauth silent deny=3 unlock_time=604800 fail_interval=900' state: updated - name: Remove specific arguments from a rule pamd: name: system-auth type: session control='[success=1 default=ignore]' module_path: pam_succeed_if.so module_arguments: 'crond quiet' state: args_absent - name: Ensure specific arguments are present in a rule pamd: name: system-auth type: session control: '[success=1 default=ignore]' module_path: pam_succeed_if.so module_arguments: 'crond quiet' state: args_present - name: Update specific argument value in a rule pamd: name: system-auth type: auth control: required module_path: pam_faillock.so module_arguments: 'fail_interval=300' state: args_present
Common return values are documented here Return Values, the following are the fields unique to this module:
name | description | returned | type | sample |
---|---|---|---|---|
dest | path to pam.d service that was changed | success | string | /etc/pam.d/system-auth |
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
This module is community maintained without core committer oversight.
For more information on what this means please read Module Support
For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Helping Testing PRs and Developing Modules.