policy_pam : Enforce password min days to prevent circumvention of pwhistory
parent
e00af3aafb
commit
5c095dc862
|
@ -29,4 +29,9 @@ policy_pam_pwquality_ocredit: 0
|
|||
policy_pam_pwhistory: true
|
||||
|
||||
# How many old passwords to retain
|
||||
policy_pam_pwhistory_length: 5
|
||||
policy_pam_pwhistory_length: 5
|
||||
|
||||
# How (days) old the password should be before allowing user to change it's password
|
||||
# It is to prevent circumvention of pam_pwhistory
|
||||
# Set to 0 to disable
|
||||
policy_pam_password_min_days: 0
|
|
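Review bot: The default `policy_pam_password_min_days: 0` leaves the minimum age disabled, so with `policy_pam_pwhistory: true` and a history length of 5 the role still ships the configuration that the new comment describes as circumventable, unless each inventory overrides it. If backward compatibility allows, a default of `policy_pam_password_min_days: 1` would make the password history effective out of the box; otherwise the comment should state that 0 leaves pam_pwhistory bypassable. The first comment line would also read more clearly as `# Minimum age (in days) of a password before the user may change it again`.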
@ -56,13 +56,6 @@
|
|||
insertbefore: 'pam_unix.so'
|
||||
when: policy_pam_pwhistory
|
||||
|
||||
# LATER : Enforce a password min age
|
||||
# - name: Change PASS_MIN_DAYS
|
||||
# replace:
|
||||
# dest: /etc/login.defs
|
||||
# replace: "PASS_MIN_DAYS 7"
|
||||
# regexp: '^PASS_MIN_DAYS.*'
|
||||
|
||||
- name: Disable pam_pwhistory
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/pam.d/common-password
|
||||
|
@ -70,6 +63,12 @@
|
|||
state: absent
|
||||
when: policy_pam_pwhistory is false
|
||||
|
||||
# Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes
|
||||
- name: Change PASS_MIN_DAYS
|
||||
replace:
|
||||
dest: /etc/login.defs
|
||||
replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}'
|
||||
regexp: '^PASS_MIN_DAYS(\s+).*'
|
||||
|
||||
|
||||
# PAM -- pam_unix
|
||||
|
|
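Review bot: The new `Change PASS_MIN_DAYS` task only edits `/etc/login.defs`, and per login.defs(5) that value is applied when an account is created, so existing accounts keep the minimum age already stored in `/etc/shadow` and are not covered by this change. Consider a follow-up task that applies the same value to existing accounts (for example with `chage --mindays`), or state the limitation in the comment above the task. In addition, `replace` changes nothing when the file has no uncommented `PASS_MIN_DAYS` line; `ansible.builtin.lineinfile` with `regexp: '^PASS_MIN_DAYS\s'` and `line: 'PASS_MIN_DAYS {{ policy_pam_password_min_days }}'` would add the line when it is missing, and the fully qualified module name would match the `ansible.builtin.lineinfile` task just above.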