--- - name: update pam on Debian systems command: 'pam-auth-update --package' when: ansible_facts.distribution in ['Debian', 'Ubuntu'] changed_when: false environment: DEBIAN_FRONTEND: noninteractive # the reason for this is so a user cannot connect to a server, # that isn't connected to an LDAP server anymore. # normally caching credentials shouldn't be necessary for most machines. # removing it provides some more security while not removing usability. - name: remove pam ccreds to disable password caching package: name: '{{ os_packages_pam_ccreds }}' state: 'absent' when: - ansible_facts.os_family != 'Archlinux' - name: remove pam_cracklib, because it does not play nice with passwdqc apt: name: '{{ os_packages_pam_cracklib }}' state: 'absent' when: - ansible_facts.distribution in ['Debian', 'Ubuntu'] - os_auth_pam_passwdqc_enable - name: install the package for strong password checking apt: name: '{{ os_packages_pam_passwdqc }}' state: 'present' update_cache: 'yes' when: - ansible_facts.distribution in ['Debian', 'Ubuntu'] - os_auth_pam_passwdqc_enable - name: configure passwdqc template: src: 'usr/share/pam-configs/pam_passwdqd.j2' dest: '{{ passwdqc_path }}' mode: '0644' owner: 'root' group: 'root' when: - ansible_facts.distribution in ['Debian', 'Ubuntu'] - os_auth_pam_passwdqc_enable - name: remove passwdqc apt: name: '{{ os_packages_pam_passwdqc }}' state: 'absent' when: - ansible_facts.distribution in ['Debian', 'Ubuntu'] - not os_auth_pam_passwdqc_enable - name: install tally2 apt: name: 'libpam-modules' state: 'present' when: - ansible_facts.distribution in ['Debian', 'Ubuntu'] - not os_auth_pam_passwdqc_enable - os_auth_retries > 0 - name: configure tally2 template: src: 'usr/share/pam-configs/pam_tally2.j2' dest: '{{ tally2_path }}' mode: '0644' owner: 'root' group: 'root' when: - ansible_facts.distribution in ['Debian', 'Ubuntu'] - not os_auth_pam_passwdqc_enable - os_auth_retries > 0 - name: delete tally2 when retries is 0 file: path: '{{ tally2_path }}' state: 'absent' when: - ansible_facts.distribution in ['Debian', 'Ubuntu'] - not os_auth_pam_passwdqc_enable - os_auth_retries == 0 - name: remove pam_cracklib, because it does not play nice with passwdqc yum: name: '{{ os_packages_pam_cracklib }}' state: 'absent' when: - ansible_facts.os_family == 'RedHat' - ansible_facts.distribution_major_version|int is version('7', '<') - ansible_facts.distribution != 'Amazon' - os_auth_pam_passwdqc_enable - name: install the package for strong password checking yum: name: '{{ os_packages_pam_passwdqc }}' state: 'present' when: - ansible_facts.os_family == 'RedHat' - ansible_facts.distribution_major_version|int is version('7', '<') - ansible_facts.distribution != 'Amazon' - os_auth_pam_passwdqc_enable - name: remove passwdqc yum: name: '{{ os_packages_pam_passwdqc }}' state: 'absent' when: - ansible_facts.os_family == 'RedHat' - not os_auth_pam_passwdqc_enable - name: configure passwdqc and tally via central system-auth confic template: src: 'etc/pam.d/rhel_system_auth.j2' dest: '/etc/pam.d/system-auth-ac' mode: '0640' owner: 'root' group: 'root' when: ansible_facts.os_family == 'RedHat' - name: Gather package facts package_facts: manager: auto when: - ansible_facts.os_family != 'Suse' - ansible_facts.os_family != 'Archlinux' - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 template: src: 'etc/libuser.conf.j2' dest: '/etc/libuser.conf' mode: '0640' owner: 'root' group: 'root' when: - ansible_facts.os_family != 'Suse' - ansible_facts.os_family != 'Archlinux' - "'libuser' in ansible_facts.packages"