-
Notifications
You must be signed in to change notification settings - Fork 704
/
pam.yml
132 lines (118 loc) · 3.63 KB
/
pam.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
---
- name: update pam on Debian systems
command: 'pam-auth-update --package'
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
changed_when: False
environment:
DEBIAN_FRONTEND: noninteractive
# the reason for this is so a user cannot connect to a server,
# that isn't connected to an LDAP server anymore.
# normally caching credentials shouldn't be necessary for most machines.
# removing it provides some more security while not removing usability.
- name: remove pam ccreds to disable password caching
package:
name: '{{ os_packages_pam_ccreds }}'
state: 'absent'
- name: remove pam_cracklib, because it does not play nice with passwdqc
apt:
name: '{{ os_packages_pam_cracklib }}'
state: 'absent'
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
apt:
name: '{{ os_packages_pam_passwdqc }}'
state: 'present'
update_cache: 'yes'
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: configure passwdqc
template:
src: 'usr/share/pam-configs/pam_passwdqd.j2'
dest: '{{ passwdqc_path }}'
mode: '0644'
owner: 'root'
group: 'root'
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: remove passwdqc
apt:
name: '{{ os_packages_pam_passwdqc }}'
state: 'absent'
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- name: install tally2
apt:
name: 'libpam-modules'
state: 'present'
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries > 0
- name: configure tally2
template:
src: 'usr/share/pam-configs/pam_tally2.j2'
dest: '{{ tally2_path }}'
mode: '0644'
owner: 'root'
group: 'root'
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries > 0
- name: delete tally2 when retries is 0
file:
path: '{{ tally2_path }}'
state: 'absent'
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries == 0
- name: remove pam_cracklib, because it does not play nice with passwdqc
yum:
name: '{{ os_packages_pam_cracklib }}'
state: 'absent'
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version|int is version('7', '<')
- ansible_facts.distribution != 'Amazon'
- os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
yum:
name: '{{ os_packages_pam_passwdqc }}'
state: 'present'
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version|int is version('7', '<')
- ansible_facts.distribution != 'Amazon'
- os_auth_pam_passwdqc_enable
- name: remove passwdqc
yum:
name: '{{ os_packages_pam_passwdqc }}'
state: 'absent'
when:
- ansible_facts.os_family == 'RedHat'
- not os_auth_pam_passwdqc_enable
- name: configure passwdqc and tally via central system-auth confic
template:
src: 'etc/pam.d/rhel_system_auth.j2'
dest: '/etc/pam.d/system-auth-ac'
mode: '0640'
owner: 'root'
group: 'root'
when: ansible_facts.os_family == 'RedHat'
- name: Gather package facts
package_facts:
manager: auto
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template:
src: 'etc/libuser.conf.j2'
dest: '/etc/libuser.conf'
mode: '0640'
owner: 'root'
group: 'root'
when: "'libuser' in ansible_facts.packages"