---
# Target state of the "Primary" block of /etc/pam.d/common-password once the tasks below have run, shown as a diff against the stock file:
# -password [success=1 default=ignore] pam_unix.so obscure yescrypt
# +password requisite pam_pwquality.so retry=3
# +password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
# PAM -- pam_pwquality
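- name: libpam-pwquality is installed
  # libpam-pwquality provides pam_pwquality.so; cracklib-runtime is pulled in
  # alongside it (presumably for pwquality's dictionary check — confirm).
  # FQCN for consistency with the lineinfile tasks in this file.
  ansible.builtin.apt:
    state: present
    name:
      - libpam-pwquality
      - cracklib-runtime
  # `| bool`: a string value ("false" from -e or an inventory file) would
  # otherwise be truthy and install/enable the module unintentionally.
  when: policy_pam_pwquality | bool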
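- name: Enable pam_pwquality
  # Anchored on the "Primary" block comment rather than on pam_unix on purpose:
  # pam_pwhistory is inserted directly before pam_unix and must come AFTER
  # pam_pwquality, since the first module in the stack prompts for the new
  # password and the later ones reuse it through use_authtok.
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    # `.` escaped so the pattern matches the literal module name only.
    regexp: '^password\s+requisite\s+pam_pwquality\.so'
    line: "password requisite pam_pwquality.so retry=3"
    insertafter: '(the "Primary" block)'
  # NOTE(review): if the "Primary" comment is absent lineinfile falls back to
  # appending at EOF, which is the wrong place in a PAM stack — verify on targets.
  # NOTE(review): without `enforce_for_root` (here or in pwquality.conf) root is
  # only warned by pam_pwquality, not blocked — confirm whether that is intended.
  # NOTE(review): this edits a pam-auth-update managed file directly; a later
  # `pam-auth-update --force` would likely discard the line.
  when: policy_pam_pwquality | bool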
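- name: Disable pam_pwquality
  # Removes the line added by "Enable pam_pwquality"; same regexp so the two
  # tasks agree on what they manage.
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    regexp: '^password\s+requisite\s+pam_pwquality\.so'
    state: absent
  # `is false` only matches a real boolean, so a string "false" would leave the
  # module enabled; `not (... | bool)` covers both.
  when: not (policy_pam_pwquality | bool)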
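- name: Configure pam_pwquality
  # lineinfile instead of replace: a key that is missing from pwquality.conf
  # would be silently left unset by replace (policy not applied); here it is
  # appended, while a commented-out default ("# minlen = 8") is uncommented
  # and rewritten in place.
  ansible.builtin.lineinfile:
    path: /etc/security/pwquality.conf
    regexp: '^#?\s*{{ item.name }}\s*='
    line: "{{ item.name }} = {{ item.value }}"
  loop:
    - { name: minlen, value: "{{ policy_pam_pwquality_minlen }}" }
    - { name: dcredit, value: "{{ policy_pam_pwquality_dcredit }}" }
    - { name: ucredit, value: "{{ policy_pam_pwquality_ucredit }}" }
    - { name: lcredit, value: "{{ policy_pam_pwquality_lcredit }}" }
    - { name: ocredit, value: "{{ policy_pam_pwquality_ocredit }}" }
  loop_control:
    label: "{{ item.name }}"
  when: policy_pam_pwquality | bool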
# PAM -- pam_pwhistory
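- name: Enable pam_pwhistory
  # Placed directly before pam_unix (and therefore after pam_pwquality when
  # both are enabled). Whichever module runs first prompts for the new
  # password; with pam_pwquality on, pwhistory gets `use_authtok` so it checks
  # the already-prompted password instead of asking again.
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    regexp: '^password\s+required\s+pam_pwhistory\.so'
    # Explicit `else ''` and `| bool`: the inline-if without an else branch
    # renders an undefined value when false, and a string-valued flag would
    # otherwise count as truthy.
    line: "password required pam_pwhistory.so remember={{ policy_pam_pwhistory_length }} {{ 'use_authtok' if policy_pam_pwquality | bool else '' }}"
    insertbefore: 'pam_unix\.so'
  when: policy_pam_pwhistory | bool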
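- name: Disable pam_pwhistory
  # Counterpart of "Enable pam_pwhistory": same regexp, line removed.
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    regexp: '^password\s+required\s+pam_pwhistory\.so'
    state: absent
  # `is false` only matches a real boolean; `not (... | bool)` also handles a
  # string value so disabling is never silently skipped.
  when: not (policy_pam_pwhistory | bool)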
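# Enforce a minimum password age so that pam_pwhistory cannot be circumvented
# by cycling through several password changes in a row. Intentionally not
# conditioned on policy_pam_pwhistory: the minimum age is applied regardless.
- name: Change PASS_MIN_DAYS
  # lineinfile instead of replace so that a commented-out or absent
  # PASS_MIN_DAYS line is still set rather than silently skipped. The regexp
  # only matches value lines (commented or not), not the descriptive
  # "#  PASS_MIN_DAYS  Minimum number of days ..." comment in login.defs.
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^#?\s*PASS_MIN_DAYS\s+\d+\s*$'
    line: "PASS_MIN_DAYS\t{{ policy_pam_password_min_days }}"
  # NOTE(review): login.defs is read at account creation; existing accounts
  # keep the min-age already stored in /etc/shadow (chage -m) — confirm whether
  # an explicit chage pass over existing users is needed. Root is presumably
  # not bound by this check either.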
# PAM -- pam_unix
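- name: Update pam_unix if previous modules were enabled
  # `use_authtok` makes pam_unix take the password already checked by
  # pam_pwquality / pam_pwhistory instead of prompting for a new one, which
  # could otherwise let a user set a password those modules never saw.
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    # Deliberately loose (matches the stock line whatever hash option it
    # carries); `.` escaped so only the literal module name matches.
    regexp: 'pam_unix\.so obscure'
    line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt"
    # backrefs: with no match lineinfile would append the line at EOF, i.e.
    # after pam_deny/pam_permit — position is semantics in a PAM stack. With
    # backrefs the file is left untouched instead (task reports no change).
    backrefs: true
  # NOTE(review): this also forces the yescrypt hash method, replacing e.g.
  # sha512 on older releases — confirm the target PAM supports it.
  when: policy_pam_pwhistory | bool or policy_pam_pwquality | bool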
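- name: Update pam_unix if previous modules are all disabled
  # Restores the stock pam_unix line (no use_authtok/try_first_pass) once no
  # module in front of it prompts for the password anymore.
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-password
    regexp: 'pam_unix\.so obscure'
    line: "password [success=1 default=ignore] pam_unix.so obscure yescrypt"
    # backrefs: never append a second pam_unix line at EOF when the pattern is
    # absent; leave the stack untouched instead.
    backrefs: true
  # `not (... | bool)` instead of `is false` so string-valued flags are handled.
  when: not (policy_pam_pwhistory | bool) and not (policy_pam_pwquality | bool)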