ansible-roles/policy_pam/tasks/main.yml
Ludovic Poujol 5c095dc862
policy_pam : Enforce password min days to prevent circumvention of pwhistory
2023-06-05 10:27:22 +02:00


---
#
# -password [success=1 default=ignore] pam_unix.so obscure yescrypt
# +password requisite pam_pwquality.so retry=3
# +password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
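# PAM -- pam_pwquality
# libpam-pwquality ships the PAM module itself; cracklib-runtime is
# presumably pulled in for pwquality's dictionary check — confirm.
- name: libpam-pwquality is installed
  # FQCN for consistency with the lineinfile tasks in this file.
  ansible.builtin.apt:
    name:
      - libpam-pwquality
      - cracklib-runtime
    state: present
  when: policy_pam_pwquality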
- name: Enable pam_pwquality
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    # An already-present pwquality line is rewritten in place, which keeps
    # the task idempotent instead of stacking duplicates.
    regexp: '^password\s+requisite\s+pam_pwquality.so'
    line: 'password requisite pam_pwquality.so retry=3'
    # Placed right after the "Primary" block comment so it sits above
    # pam_unix (and above pam_pwhistory, which is inserted before pam_unix).
    # NOTE(review): if neither regexp nor insertafter matches, lineinfile
    # appends at end of file, i.e. below pam_unix — confirm on target hosts.
    # NOTE(review): on Debian this file is maintained by pam-auth-update;
    # direct edits may be rewritten when PAM profiles change — confirm.
    insertafter: '(the "Primary" block)'
  when: policy_pam_pwquality
- name: Disable pam_pwquality
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    # Same pattern as the enable task, so exactly the line it manages is removed.
    regexp: '^password\s+requisite\s+pam_pwquality.so'
    state: absent
  # Strict boolean test: only runs when the toggle is literally false.
  when: policy_pam_pwquality is false
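- name: Configure pam_pwquality
  # FQCN and `loop` for consistency with the rest of the file / current
  # Ansible idiom; the data is a flat list, so loop == with_items here.
  ansible.builtin.replace:
    path: /etc/security/pwquality.conf
    # Uncomments and sets the key in place, e.g. (illustrative)
    # "# minlen = 8" -> "minlen = <value>".
    # NOTE(review): when a key is absent from the file, replace changes
    # nothing and the distro default silently stays in effect — confirm
    # that every key below exists in the shipped pwquality.conf.
    regexp: '^#? ?{{ item.name }} = .*'
    replace: '{{ item.name }} = {{ item.value }}'
  loop:
    - { name: minlen, value: '{{ policy_pam_pwquality_minlen }}' }
    - { name: dcredit, value: '{{ policy_pam_pwquality_dcredit }}' }
    - { name: ucredit, value: '{{ policy_pam_pwquality_ucredit }}' }
    - { name: lcredit, value: '{{ policy_pam_pwquality_lcredit }}' }
    - { name: ocredit, value: '{{ policy_pam_pwquality_ocredit }}' }
  when: policy_pam_pwquality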
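# PAM -- pam_pwhistory
- name: Enable pam_pwhistory
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    regexp: '^password\s+required\s+pam_pwhistory.so'
    # use_authtok makes pam_pwhistory reuse the password already collected
    # (and checked) by pam_pwquality instead of prompting again, so it is
    # only added when pam_pwquality is stacked above it. The explicit
    # "else ''" avoids depending on how the templating engine renders an
    # inline-if without an else branch, and folding the leading space into
    # the conditional avoids a trailing space when it is disabled.
    line: "password required pam_pwhistory.so remember={{ policy_pam_pwhistory_length }}{{ ' use_authtok' if policy_pam_pwquality else '' }}"
    # Inserted above pam_unix so the history check runs before the hash is
    # updated. NOTE(review): without firstmatch, lineinfile uses the last
    # matching line; the stock Debian file has a single pam_unix.so line — confirm.
    insertbefore: 'pam_unix.so'
  when: policy_pam_pwhistory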
- name: Disable pam_pwhistory
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    # Mirrors the enable task's pattern so only the managed line is dropped.
    regexp: '^password\s+required\s+pam_pwhistory.so'
    state: absent
  # Strict boolean test: only runs when the toggle is literally false.
  when: policy_pam_pwhistory is false
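# Enforce a minimal password age so pam_pwhistory cannot be circumvented by
# changing the password several times in a row to cycle back to an old one.
# NOTE(review): per login.defs(5), PASS_MIN_DAYS is the default applied to
# accounts created afterwards (useradd); accounts that already exist keep
# the minimum age stored in their /etc/shadow entry, so this task alone does
# not cover them — confirm whether a `chage -m` pass for existing users is
# expected. Root is typically exempt from the minimum age as well.
# Deliberately unconditional: the age limit is wanted even when pam_pwhistory
# is toggled off later.
- name: Change PASS_MIN_DAYS
  # FQCN for consistency with the lineinfile tasks in this file.
  ansible.builtin.replace:
    path: /etc/login.defs
    # Only an already-present, uncommented PASS_MIN_DAYS line is rewritten;
    # \g<1> preserves the original whitespace between key and value.
    regexp: '^PASS_MIN_DAYS(\s+).*'
    replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}'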
# PAM -- pam_unix
- name: Update pam_unix if previous modules were enabled
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    # Unanchored on purpose: matches the pam_unix line whatever options it
    # already carries, and the whole line is then rewritten.
    regexp: 'pam_unix.so obscure'
    # use_authtok / try_first_pass: reuse the password already collected and
    # validated by the module(s) stacked above (pwquality and/or pwhistory)
    # rather than prompting a second time.
    line: 'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt'
  when: policy_pam_pwhistory or policy_pam_pwquality
- name: Update pam_unix if previous modules are all disabled
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    regexp: 'pam_unix.so obscure'
    # Restores the original line shown in the header comment: with no module
    # stacked above it, pam_unix has to prompt for the password itself, so
    # use_authtok must not be present.
    line: 'password [success=1 default=ignore] pam_unix.so obscure yescrypt'
  # Strict boolean tests: both toggles must be literally false.
  when: policy_pam_pwhistory is false and policy_pam_pwquality is false