policy_pam : Enforce password min days to prevent circumvention of pwhistory
All checks were successful
Ansible Lint |Total|New|Outstanding|Fixed|Trend
|:-:|:-:|:-:|:-:|:-:
|2791|9|2782|8|:-1:
Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/266//ansiblelint">Evolix » ansible-roles » unstable #266</a>
gitea/ansible-roles/pipeline/head This commit looks good
All checks were successful
Ansible Lint |Total|New|Outstanding|Fixed|Trend
|:-:|:-:|:-:|:-:|:-:
|2791|9|2782|8|:-1:
Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/266//ansiblelint">Evolix » ansible-roles » unstable #266</a>
gitea/ansible-roles/pipeline/head This commit looks good
This commit is contained in:
parent
e00af3aafb
commit
5c095dc862
|
|
@ -29,4 +29,9 @@ policy_pam_pwquality_ocredit: 0
|
||||||
policy_pam_pwhistory: true
|
policy_pam_pwhistory: true
|
||||||
|
|
||||||
# How many old passwords to retain
|
# How many old passwords to retain
|
||||||
policy_pam_pwhistory_length: 5
|
policy_pam_pwhistory_length: 5
|
||||||
|
|
||||||
|
# How (days) old the password should be before allowing user to change it's password
|
||||||
|
# It is to prevent circumvention of pam_pwhistory
|
||||||
|
# Set to 0 to disable
|
||||||
|
policy_pam_password_min_days: 0
|
||||||
|
|
@ -56,13 +56,6 @@
|
||||||
insertbefore: 'pam_unix.so'
|
insertbefore: 'pam_unix.so'
|
||||||
when: policy_pam_pwhistory
|
when: policy_pam_pwhistory
|
||||||
|
|
||||||
# LATER : Enforce a password min age
|
|
||||||
# - name: Change PASS_MIN_DAYS
|
|
||||||
# replace:
|
|
||||||
# dest: /etc/login.defs
|
|
||||||
# replace: "PASS_MIN_DAYS 7"
|
|
||||||
# regexp: '^PASS_MIN_DAYS.*'
|
|
||||||
|
|
||||||
- name: Disable pam_pwhistory
|
- name: Disable pam_pwhistory
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/pam.d/common-password
|
dest: /etc/pam.d/common-password
|
||||||
|
|
@ -70,6 +63,12 @@
|
||||||
state: absent
|
state: absent
|
||||||
when: policy_pam_pwhistory is false
|
when: policy_pam_pwhistory is false
|
||||||
|
|
||||||
|
# Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes
|
||||||
|
- name: Change PASS_MIN_DAYS
|
||||||
|
replace:
|
||||||
|
dest: /etc/login.defs
|
||||||
|
replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}'
|
||||||
|
regexp: '^PASS_MIN_DAYS(\s+).*'
|
||||||
|
|
||||||
|
|
||||||
# PAM -- pam_unix
|
# PAM -- pam_unix
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue