policy_pam > Add support for Debian 10/9
This commit is contained in:
parent
1ec212f514
commit
9a5b5a39a9
|
@ -14,6 +14,8 @@ galaxy_info:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- bullseye
|
- bullseye
|
||||||
|
- buster
|
||||||
|
- stretch
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags: []
|
||||||
# Be sure to remove the '[]' above if you add dependencies
|
# Be sure to remove the '[]' above if you add dependencies
|
||||||
|
|
|
@ -1,20 +1,32 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
# System compatibility check. yescrypt only works on Debian 11+
|
# System compatibility check.
|
||||||
# So we ensure that this role isn't executed on older systems
|
# Untested on old (Jessie & older) Debian versions
|
||||||
- name: "System compatibility check"
|
- name: "System compatibility check"
|
||||||
assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version_compare('11', '>=')
|
- ansible_distribution_major_version is version_compare('9', '>=')
|
||||||
msg: pam_policy is only compatible with Debian >= 11
|
msg: pam_policy is only compatible with Debian >= 9
|
||||||
|
|
||||||
|
# yescrypt, Debian 11 default hashing alg isn't present on Debian 10 and lower
|
||||||
|
- name: "Set hashing alg (sha512 - Debian <= 10)"
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
pam_policy_hashing_alg: 'sha512'
|
||||||
|
when:
|
||||||
|
ansible_distribution_major_version is version_compare('10', '<=')
|
||||||
|
|
||||||
|
- name: "Set hashing alg (yescrypt - Debian >= 11 )"
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
pam_policy_hashing_alg: 'yescrypt'
|
||||||
|
when:
|
||||||
|
ansible_distribution_major_version is version_compare('11', '>=')
|
||||||
|
|
||||||
|
|
||||||
# PAM -- pam_pwquality
|
# PAM -- pam_pwquality
|
||||||
|
|
||||||
- name: libpam-pwquality is installed
|
- name: libpam-pwquality is installed
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
state: present
|
state: present
|
||||||
name:
|
name:
|
||||||
- libpam-pwquality
|
- libpam-pwquality
|
||||||
|
@ -37,7 +49,7 @@
|
||||||
when: policy_pam_pwquality is false
|
when: policy_pam_pwquality is false
|
||||||
|
|
||||||
- name: Configure pam_pwquality
|
- name: Configure pam_pwquality
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/security/pwquality.conf
|
dest: /etc/security/pwquality.conf
|
||||||
regexp: "^#? ?{{ item.name }} = .*"
|
regexp: "^#? ?{{ item.name }} = .*"
|
||||||
replace: "{{ item.name }} = {{ item.value }}"
|
replace: "{{ item.name }} = {{ item.value }}"
|
||||||
|
@ -70,7 +82,7 @@
|
||||||
|
|
||||||
# Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes
|
# Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes
|
||||||
- name: Change PASS_MIN_DAYS
|
- name: Change PASS_MIN_DAYS
|
||||||
replace:
|
ansible.builtin.replace:
|
||||||
dest: /etc/login.defs
|
dest: /etc/login.defs
|
||||||
replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}'
|
replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}'
|
||||||
regexp: '^PASS_MIN_DAYS(\s+).*'
|
regexp: '^PASS_MIN_DAYS(\s+).*'
|
||||||
|
@ -81,12 +93,12 @@
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/pam.d/common-password
|
dest: /etc/pam.d/common-password
|
||||||
regexp: 'pam_unix.so obscure'
|
regexp: 'pam_unix.so obscure'
|
||||||
line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt"
|
line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass {{ pam_policy_hashing_alg }}"
|
||||||
when: policy_pam_pwhistory or policy_pam_pwquality
|
when: policy_pam_pwhistory or policy_pam_pwquality
|
||||||
|
|
||||||
- name: Update pam_unix if previous modules are all disabled
|
- name: Update pam_unix if previous modules are all disabled
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/pam.d/common-password
|
dest: /etc/pam.d/common-password
|
||||||
regexp: 'pam_unix.so obscure'
|
regexp: 'pam_unix.so obscure'
|
||||||
line: "password [success=1 default=ignore] pam_unix.so obscure yescrypt"
|
line: "password [success=1 default=ignore] pam_unix.so obscure {{ pam_policy_hashing_alg }}"
|
||||||
when: policy_pam_pwhistory is false and policy_pam_pwquality is false
|
when: policy_pam_pwhistory is false and policy_pam_pwquality is false
|
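Review bot: The new `pam_policy_hashing_alg` fact in the first hunk breaks the role's `policy_pam_*` naming convention (`policy_pam_pwquality`, `policy_pam_password_min_days` in the later hunks), and because it is produced by `set_fact` an operator cannot choose a different shadow hash through inventory or role defaults (only extra vars outrank a fact), even though the hash algorithm is the security-relevant knob of this role. Consider a role default `policy_pam_hashing_alg: "{{ 'yescrypt' if ansible_distribution_major_version is version('11', '>=') else 'sha512' }}"` resolved from facts, which makes both `set_fact` tasks unnecessary and lets the two `lineinfile` lines reference `{{ policy_pam_hashing_alg }}`. If the fact must stay, at least guard each `set_fact` with `and pam_policy_hashing_alg is not defined` so an explicit override survives. The `version_compare` test used in the three new conditions is the legacy alias of `version`, which would match the `ansible.builtin.` FQCN clean-up this commit does elsewhere. On the Debian <= 10 branch pam_unix will hash with its own default round count for sha512 unless `rounds=` is given on the `common-password` line, so that choice is worth making explicit rather than inherited.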