ghoneycutt · ghoneycutt · Dec 30, 2024 · Jul 15, 2024 · Dec 30, 2024 · Nov 12, 2024
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -61,6 +61,7 @@ jobs:
           - "debian-12"
           - "ubuntu-2004"
           - "ubuntu-2204"
+          - "ubuntu-2404"
         puppet:
           - "puppet7"
           - "puppet8"

diff --git a/.sync.yml b/.sync.yml
@@ -12,8 +12,10 @@
       - el8
       - el9
       - debian-11
+      - debian-12
       - ubuntu-2004
       - ubuntu-2204
+      - ubuntu-2404
     puppet:
       - puppet7
       - puppet8

diff --git a/README.md b/README.md
@@ -280,6 +280,7 @@ module aims to support the current and previous major Puppet versions.
  * Debian 12
  * Ubuntu 20.04 LTS
  * Ubuntu 22.04 LTS
+ * Ubuntu 24.04 LTS
 
 ### May work
 

diff --git a/data/os/Ubuntu/24.04.yaml b/data/os/Ubuntu/24.04.yaml
@@ -0,0 +1,34 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+  - common_session_noninteractive
+
+pam::sshd_pam_access: absent
+pam::pam_d_login_template: pam/login.ubuntu24.erb
+pam::pam_d_sshd_template: pam/sshd.ubuntu24.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+  - 'auth	[success=1 default=ignore]	pam_unix.so nullok'
+  - 'auth	requisite			pam_deny.so'
+  - 'auth	required			pam_permit.so'
+  - 'auth	optional			pam_cap.so'
+pam::pam_account_lines:
+  - 'account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so'
+  - 'account	requisite			pam_deny.so'
+  - 'account	required			pam_permit.so'
+pam::pam_password_lines:
+  - 'password	[success=1 default=ignore]	pam_unix.so obscure yescrypt'
+  - 'password	requisite			pam_deny.so'
+  - 'password	required			pam_permit.so'
+pam::pam_session_lines:
+  - 'session	[default=1]			pam_permit.so'
+  - 'session	requisite			pam_deny.so'
+  - 'session	required			pam_permit.so'
+  - 'session	optional			pam_umask.so'
+  - 'session	required	pam_unix.so'
+  - 'session	optional	pam_systemd.so'
diff --git a/metadata.json b/metadata.json
@@ -85,7 +85,8 @@
       "operatingsystem": "Ubuntu",
       "operatingsystemrelease": [
         "20.04",
-        "22.04"
+        "22.04",
+        "24.04"
       ]
     }
   ],
@@ -96,7 +97,7 @@
     }
   ],
   "description": "Manages PAM, including specifying users and groups in access.conf, limits.conf, and limits fragments",
-  "pdk-version": "3.0.0",
+  "pdk-version": "3.3.0",
   "template-url": "https://github.com/tailored-automation/pdk-templates#main",
   "template-ref": "heads/main-0-g8e0611a"
 }
diff --git a/spec/acceptance/nodesets/ubuntu-2404.yml b/spec/acceptance/nodesets/ubuntu-2404.yml
@@ -0,0 +1,24 @@
+HOSTS:
+  ubuntu2404:
+    roles:
+      - agent
+    platform: ubuntu-24.04-amd64
+    hypervisor : docker
+    image: ubuntu:24.04
+    docker_preserve_image: true
+    docker_cmd: '["/sbin/init"]'
+    docker_image_commands:
+      - "rm -f /etc/dpkg/dpkg.cfg.d/excludes"
+      - 'apt-get install -y wget net-tools iproute2 locales apt-transport-https ca-certificates'
+      - 'locale-gen en_US.UTF-8'
+    docker_env:
+      - LANG=en_US.UTF-8
+      - LANGUAGE=en_US.UTF-8
+      - LC_ALL=en_US.UTF-8
+    docker_container_name: 'pam-ubuntu2404'
+CONFIG:
+  log_level: debug
+  type: foss
+ssh:
+  password: root
+  auth_methods: ["password"]
diff --git a/templates/login.ubuntu24.erb b/templates/login.ubuntu24.erb
@@ -0,0 +1,18 @@
+auth       optional   pam_faildelay.so  delay=3000000
+auth       requisite  pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session       required   pam_env.so readenv=1
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth       optional   pam_group.so
+session    required   pam_limits.so
+session    optional   pam_lastlog.so
+session    optional   pam_mail.so standard
+session    optional   pam_keyinit.so force revoke
+@include common-account
+@include common-session
+@include common-password
diff --git a/templates/sshd.ubuntu24.erb b/templates/sshd.ubuntu24.erb
@@ -0,0 +1,18 @@
+@include common-auth
+account    required     pam_nologin.so
+<% if @sshd_pam_access != 'absent' -%>
+account  <%= @sshd_pam_access %>     pam_access.so
+<% end -%>
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session    required     pam_loginuid.so
+session    optional     pam_keyinit.so force revoke
+@include common-session
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+session    required     pam_env.so # [1]
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password