policy_pam > Add support for Debian 10/9
This commit is contained in:
parent
1ec212f514
commit
9a5b5a39a9
2 changed files with 24 additions and 10 deletions
|
@ -14,6 +14,8 @@ galaxy_info:
|
|||
- name: Debian
|
||||
versions:
|
||||
- bullseye
|
||||
- buster
|
||||
- stretch
|
||||
|
||||
galaxy_tags: []
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
|
|
|
@ -1,20 +1,32 @@
|
|||
---
|
||||
|
||||
# System compatibility check. yescrypt only works on Debian 11+
|
||||
# So we ensure that this role isn't executed on older systems
|
||||
# System compatibility check.
|
||||
# Untested on old (Jessie & older) Debian versions
|
||||
- name: "System compatibility check"
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version_compare('11', '>=')
|
||||
msg: pam_policy is only compatible with Debian >= 11
|
||||
- ansible_distribution_major_version is version_compare('9', '>=')
|
||||
msg: pam_policy is only compatible with Debian >= 9
|
||||
|
||||
# yescrypt, Debian 11 default hashing alg isn't present on Debian 10 and lower
|
||||
- name: "Set hashing alg (sha512 - Debian <= 10)"
|
||||
ansible.builtin.set_fact:
|
||||
pam_policy_hashing_alg: 'sha512'
|
||||
when:
|
||||
ansible_distribution_major_version is version_compare('10', '<=')
|
||||
|
||||
- name: "Set hashing alg (yescrypt - Debian >= 11 )"
|
||||
ansible.builtin.set_fact:
|
||||
pam_policy_hashing_alg: 'yescrypt'
|
||||
when:
|
||||
ansible_distribution_major_version is version_compare('11', '>=')
|
||||
|
||||
|
||||
# PAM -- pam_pwquality
|
||||
|
||||
- name: libpam-pwquality is installed
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
state: present
|
||||
name:
|
||||
- libpam-pwquality
|
||||
|
@ -37,7 +49,7 @@
|
|||
when: policy_pam_pwquality is false
|
||||
|
||||
- name: Configure pam_pwquality
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/security/pwquality.conf
|
||||
regexp: "^#? ?{{ item.name }} = .*"
|
||||
replace: "{{ item.name }} = {{ item.value }}"
|
||||
|
@ -70,7 +82,7 @@
|
|||
|
||||
# Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes
|
||||
- name: Change PASS_MIN_DAYS
|
||||
replace:
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/login.defs
|
||||
replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}'
|
||||
regexp: '^PASS_MIN_DAYS(\s+).*'
|
||||
|
@ -81,12 +93,12 @@
|
|||
ansible.builtin.lineinfile:
|
||||
dest: /etc/pam.d/common-password
|
||||
regexp: 'pam_unix.so obscure'
|
||||
line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt"
|
||||
line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass {{ pam_policy_hashing_alg }}"
|
||||
when: policy_pam_pwhistory or policy_pam_pwquality
|
||||
|
||||
- name: Update pam_unix if previous modules are all disabled
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/pam.d/common-password
|
||||
regexp: 'pam_unix.so obscure'
|
||||
line: "password [success=1 default=ignore] pam_unix.so obscure yescrypt"
|
||||
line: "password [success=1 default=ignore] pam_unix.so obscure {{ pam_policy_hashing_alg }}"
|
||||
when: policy_pam_pwhistory is false and policy_pam_pwquality is false
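Review bot: The new fact set in `pam_policy_hashing_alg: 'sha512'` (and its yescrypt twin, consumed in the two new lineinfile `line:` values) uses a `pam_policy_` prefix while every other variable in this role is `policy_pam_*` (`policy_pam_pwquality`, `policy_pam_pwhistory`, `policy_pam_password_min_days`), and the assert's new `msg:` likewise says `pam_policy`; renaming to `policy_pam_hashing_alg` and `msg: policy_pam is only compatible with Debian >= 9` keeps role-owned facts under one greppable prefix. `version_compare` is the pre-2.5 spelling of the `version` test, so `ansible_distribution_major_version is version('9', '>=')` is the current form if the role does not need to support older controllers. On the security side, the Debian <= 10 branch configures pam_unix with `sha512` and no explicit work factor, so stretch/buster hosts end up with noticeably weaker password hashing than bullseye hosts; the comment above that set_fact should say so, e.g. `# Debian <= 10: pam_unix lacks yescrypt, so sha512 is used at default rounds — weaker than the Debian 11+ setting`, or the `rounds=` option of pam_unix could be added to that branch once verified against the targeted PAM versions.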
|