Merge pull request #101 from dev-sec/update_pwqual
update template
chris-rock authored Oct 24, 2016
2 parents fa59170 + 62a9101 commit 6505157
Showing 2 changed files with 6 additions and 1 deletion.
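--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,7 +8,8 @@ os_auth_lockout_time: 600 # 10min
 os_auth_timeout: 60
 os_auth_allow_homeless: false
 os_auth_pam_passwdqc_enable: true
-os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8'
+os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8' # used in RHEL6
+os_auth_pam_pwquality_options: 'try_first_pass retry=3 type=' # used in RHEL7
 os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000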
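Review bot: The new `os_auth_pam_pwquality_options` default carries no strength arguments, so hosts that render the pam_pwquality line get whatever `/etc/security/pwquality.conf` or the module's built-in defaults provide, while the passwdqc default above it enforces explicit minimum lengths (`16,12,8`). If the role is meant to apply a comparable policy on RHEL7, the default should state it, for example with `minlen=` and `minclass=` values chosen by the maintainers, or a comment should say that the policy is expected to come from pwquality.conf. The switch that selects this option is still named `os_auth_pam_passwdqc_enable`, which deserves a comment such as `# also selects pam_pwquality on RHEL7`.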
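--- a/templates/rhel_system_auth.j2
+++ b/templates/rhel_system_auth.j2
@@ -19,7 +19,11 @@ account sufficient pam_succeed_if.so uid < 500 quiet
 account required pam_permit.so
 
 {% if os_auth_pam_passwdqc_enable %}
+{% if ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version >= '7' %}
+password required pam_pwquality.so {{os_auth_pam_pwquality_options}}
+{% else %}
 password requisite pam_passwdqc.so {{os_auth_pam_passwdqc_options}}
+{% endif %}
 {% else %}
 password requisite pam_cracklib.so try_first_pass retry=3 type=
 {% endif %}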
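Review bot: The condition on the added `{% if %}` line does not group the way the RHEL6/RHEL7 comments in defaults/main.yml imply: Jinja2 binds `and` tighter than `or`, so every `RedHat` host takes the pam_pwquality branch regardless of version, and the version test only applies to `Oracle Linux`. A RHEL6 host would then reference a module it probably does not ship, and because the line is `required` the password stack would fail there. The version test is also a string comparison, which orders `'10'` before `'7'`. I would write `{% if (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and ansible_distribution_major_version|int >= 7 %}`, and confirm the exact distribution strings the facts report (CentOS is not matched here, so it stays on passwdqc). The template starts and ends outside the hunk.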
