policy_pam > Add support for Debian 10/9

This commit is contained in:
Ludovic Poujol 2023-06-12 11:35:53 +02:00
parent 1ec212f514
commit 9a5b5a39a9
2 changed files with 24 additions and 10 deletions


@ -14,6 +14,8 @@ galaxy_info:
- name: Debian
versions:
- bullseye
- buster
- stretch
galaxy_tags: []
# Be sure to remove the '[]' above if you add dependencies


@ -1,20 +1,32 @@
---
# System compatibility check. yescrypt only works on Debian 11+
# So we ensure that this role isn't executed on older systems
# System compatibility check.
# Untested on old (Jessie & older) Debian versions
- name: "System compatibility check"
assert:
ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version_compare('11', '>=')
msg: pam_policy is only compatible with Debian >= 11
- ansible_distribution_major_version is version_compare('9', '>=')
msg: pam_policy is only compatible with Debian >= 9
# yescrypt, Debian 11 default hashing alg isn't present on Debian 10 and lower
- name: "Set hashing alg (sha512 - Debian <= 10)"
ansible.builtin.set_fact:
pam_policy_hashing_alg: 'sha512'
when:
ansible_distribution_major_version is version_compare('10', '<=')
- name: "Set hashing alg (yescrypt - Debian >= 11 )"
ansible.builtin.set_fact:
pam_policy_hashing_alg: 'yescrypt'
when:
ansible_distribution_major_version is version_compare('11', '>=')
# PAM -- pam_pwquality
- name: libpam-pwquality is installed
apt:
ansible.builtin.apt:
state: present
name:
- libpam-pwquality
@ -37,7 +49,7 @@
when: policy_pam_pwquality is false
- name: Configure pam_pwquality
replace:
ansible.builtin.replace:
dest: /etc/security/pwquality.conf
regexp: "^#? ?{{ item.name }} = .*"
replace: "{{ item.name }} = {{ item.value }}"
@ -70,7 +82,7 @@
# Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes
- name: Change PASS_MIN_DAYS
replace:
ansible.builtin.replace:
dest: /etc/login.defs
replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}'
regexp: '^PASS_MIN_DAYS(\s+).*'
@ -81,12 +93,12 @@
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-password
regexp: 'pam_unix.so obscure'
line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt"
line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass {{ pam_policy_hashing_alg }}"
when: policy_pam_pwhistory or policy_pam_pwquality
- name: Update pam_unix if previous modules are all disabled
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-password
regexp: 'pam_unix.so obscure'
line: "password [success=1 default=ignore] pam_unix.so obscure yescrypt"
line: "password [success=1 default=ignore] pam_unix.so obscure {{ pam_policy_hashing_alg }}"
when: policy_pam_pwhistory is false and policy_pam_pwquality is false
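Review bot: The new fact introduced in the first hunk, `pam_policy_hashing_alg` (set to `'sha512'` and `'yescrypt'` by the two `ansible.builtin.set_fact` tasks and consumed by the two `line:` values in the last hunk), does not use the `policy_pam_` prefix that every other variable in these tasks carries (`policy_pam_pwquality`, `policy_pam_password_min_days`, `policy_pam_pwhistory`), which makes the fact harder to grep for and easier to confuse with a variable from some other role. Renaming it to `policy_pam_hashing_alg` at both `set_fact` sites and in both `lineinfile` `line:` templates would keep the role's namespace consistent; the assert `msg:` that the same hunk rewrites ("pam_policy is only compatible with Debian >= 9") could be aligned to the role name at the same time. A caveat worth a comment next to the `'sha512'` branch: selecting `sha512` for Debian <= 10 leaves pam_unix on its default work factor unless a `rounds=` option is appended to that line, so whether the role wants to pin a higher round count on those hosts is a policy decision this diff does not make (presumably intentional, but it is not stated). The `libpam-pwquality is installed` task at the end of the first hunk continues outside the hunk.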