Merge pull request dev-sec#104 from boldandbusted/boldandbusted_pam_p…

…wquality_in_RH_7 Enable pam_pwquality in rhel-family > 7
foonix · Mar 2, 2016 · 019573b · 019573b
2 parents db95a29 + b5f3d81
commit 019573b
Showing 1 changed file with 43 additions and 37 deletions.
diff --git a/recipes/pam.rb b/recipes/pam.rb
@@ -26,7 +26,7 @@
 end
 
 case node['platform_family']
-# do pam config for ubuntu
+  # do pam config for ubuntu
 when 'debian'
 
   passwdqc_path = '/usr/share/pam-configs/passwdqc'
@@ -54,7 +54,7 @@
       group 'root'
     end
 
-  # deactivate passwdqc
+    # deactivate passwdqc
   else
 
     # delete passwdqc file on ubuntu and debian
@@ -92,53 +92,59 @@
     command 'pam-auth-update --package'
   end
 
-# do config for rhel-family
+  # do config for rhel-family
 when 'rhel', 'fedora'
 
   # we do not allow to use authconfig, because it does not use the /etc/sysconfig/authconfig as a basis
   # therefore we edit /etc/pam.d/system-auth-ac/
   # @see http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify
 
   if node['auth']['pam']['passwdqc']['enable']
-
-    # remove pam_cracklib, because it does not play nice wiht passwdqc
-    package 'pam-cracklib' do
-      package_name node['packages']['pam_cracklib']
-      action :remove
-    end
-
-    # get the package for strong password checking
-    package 'pam-passwdqc' do
-      package_name node['packages']['pam_passwdqc']
+    if node['platform_version'].to_f < 7
+      # remove pam_cracklib, because it does not play nice wiht passwdqc in versions less than 7
+      package 'pam-cracklib' do
+        package_name node['packages']['pam_cracklib']
+        action :remove
+      end
+
+      # get the package for strong password checking
+      package 'pam-passwdqc' do
+        package_name node['packages']['pam_passwdqc']
+      end
+
+      # deactivate passwdqc
+    else
+
+      # make sure the package is not on the system,
+      # if this feature is not wanted
+      package 'pam-passwdqc' do
+        package_name node['packages']['pam_passwdqc']
+        action :remove
+      end
     end
-
-  # deactivate passwdqc
   else
 
-    # make sure the package is not on the system,
-    # if this feature is not wanted
-    package 'pam-passwdqc' do
-      package_name node['packages']['pam_passwdqc']
-      action :remove
+    # In RH-family distros > 7, 'pam_pwquality' contains both pam_cracklib and pam_passwdqc
+    # See https://linux.web.cern.ch/linux/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/
+    package 'pam_pwquality' do
+      package_name node['packages']['pam_pwquality']
     end
-  end
-
-  # run the standard config
+    # run the standard config
 
-  # configure passwdqc and tally via central system-auth confic:
-  template '/etc/pam.d/system-auth-ac' do
-    source 'rhel_system_auth.erb'
-    mode 0640
-    owner 'root'
-    group 'root'
-  end
+    # configure passwdqc and tally via central system-auth confic:
+    template '/etc/pam.d/system-auth-ac' do
+      source 'rhel_system_auth.erb'
+      mode 0640
+      owner 'root'
+      group 'root'
+    end
 
-  # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
-  template '/etc/libuser.conf' do
-    source 'rhel_libuser.conf.erb'
-    mode 0640
-    owner 'root'
-    group 'root'
+    # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
+    template '/etc/libuser.conf' do
+      source 'rhel_libuser.conf.erb'
+      mode 0640
+      owner 'root'
+      group 'root'
+    end
   end
-
 end