evolix/ansible-roles
22
2
Fork 2
Code Issues 61 Pull requests 18 Releases 33 Wiki Activity
ansible-roles/policy_pam/tasks/main.yml
Ludovic Poujol 91bcd2a605
All checks were successful
Ansible Lint |Total|New|Outstanding|Fixed|Trend |:-:|:-:|:-:|:-:|:-: |2785|11|2774|2|:-1: Reference build: <a href="https://jenkins.evolix.org/job/gitea/job/ansible-roles/job/unstable/255//ansiblelint">Evolix » ansible-roles » unstable #255</a>
Details
gitea/ansible-roles/pipeline/head This commit looks good
Details
policy_pam: New role allowing to manage password policy with pam_pwquality & pam_pwhistory
2023-05-25 11:43:53 +02:00

88 lines
2.9 KiB
YAML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
#
# -password [success=1 default=ignore] pam_unix.so obscure yescrypt
# +password requisite pam_pwquality.so retry=3
# +password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
# PAM -- pam_pwquality
- name: libpam-pwquality is installed
apt:
state: present
name:
- libpam-pwquality
- cracklib-runtime
when: policy_pam_pwquality
- name: Enable pam_pwquality
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-password
regexp: '^password\s+requisite\s+pam_pwquality.so'
line: "password requisite pam_pwquality.so retry=3"
insertafter: '(the "Primary" block)'
when: policy_pam_pwquality
- name: Disable pam_pwquality
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-password
regexp: '^password\s+requisite\s+pam_pwquality.so'
state: absent
when: policy_pam_pwquality is false
- name: Configure pam_pwquality
replace:
dest: /etc/security/pwquality.conf
regexp: "^#? ?{{ item.name }} = .*"
replace: "{{ item.name }} = {{ item.value }}"
with_items:
- { name: minlen, value: "{{ policy_pam_pwquality_minlen }}" }
- { name: dcredit, value: "{{ policy_pam_pwquality_dcredit }}" }
- { name: ucredit, value: "{{ policy_pam_pwquality_ucredit }}" }
- { name: lcredit, value: "{{ policy_pam_pwquality_lcredit }}" }
- { name: ocredit, value: "{{ policy_pam_pwquality_ocredit }}" }
when: policy_pam_pwquality
# PAM -- pam_pwhistory
- name: Enable pam_pwhistory
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-password
regexp: '^password\s+required\s+pam_pwhistory.so'
line: "password required pam_pwhistory.so remember={{ policy_pam_pwhistory_length }} {{ 'use_authtok' if policy_pam_pwquality}}"
insertbefore: 'pam_unix.so'
when: policy_pam_pwhistory
# LATER : Enforce a password min age
# - name: Change PASS_MIN_DAYS
# replace:
# dest: /etc/login.defs
# replace: "PASS_MIN_DAYS 7"
# regexp: '^PASS_MIN_DAYS.*'
- name: Disable pam_pwhistory
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-password
regexp: '^password\s+required\s+pam_pwhistory.so'
state: absent
when: policy_pam_pwhistory is false
# PAM -- pam_unix
- name: Update pam_unix if previous modules were enabled
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-password
regexp: 'pam_unix.so obscure'
line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt"
when: policy_pam_pwhistory or policy_pam_pwquality
- name: Update pam_unix if previous modules are all disabled
ansible.builtin.lineinfile:
dest: /etc/pam.d/common-password
regexp: 'pam_unix.so obscure'
line: "password [success=1 default=ignore] pam_unix.so obscure yescrypt"
when: policy_pam_pwhistory is false and policy_pam_pwquality is false
Reference in a new issue View git blame Copy permalink