Encryption and major changes
This commit is contained in:
@@ -0,0 +1,10 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
|
||||
account requisite pam_deny.so
|
||||
account required pam_permit.so
|
||||
{% if faillock.matched >= 1 %}
|
||||
account required pam_faillock.so
|
||||
{% else %}
|
||||
account required pam_tally2.so
|
||||
{% endif %}
|
||||
@@ -0,0 +1,14 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
{% if faillock.matched >= 1 %}
|
||||
auth required pam_faillock.so preauth
|
||||
auth [success=1 default=ignore] pam_unix.so
|
||||
auth [default=die] pam_faillock.so authfail
|
||||
auth sufficient pam_faillock.so authsucc
|
||||
{% else %}
|
||||
auth [success=1 default=ignore] pam_unix.so
|
||||
auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=900
|
||||
{% endif %}
|
||||
auth requisite pam_deny.so
|
||||
auth required pam_permit.so
|
||||
auth optional pam_cap.so
|
||||
@@ -0,0 +1,11 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
password requisite pam_pwquality.so retry=3
|
||||
{% if ansible_os_family == 'Debian' %}
|
||||
password required pam_pwhistory.so use_authtok remember=5
|
||||
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 rounds=65536
|
||||
{% else %}
|
||||
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 rounds=65536 remember=5
|
||||
{% endif %}
|
||||
password requisite pam_deny.so
|
||||
password required pam_permit.so
|
||||
@@ -0,0 +1,33 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
auth optional pam_faildelay.so delay=4000000
|
||||
|
||||
{% if (ansible_distribution_major_version < '11' and ansible_distribution == "Debian") or ansible_distribution == "Ubuntu" %}
|
||||
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||
{% endif %}
|
||||
|
||||
auth requisite pam_nologin.so
|
||||
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
session required pam_loginuid.so
|
||||
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
@include common-auth
|
||||
|
||||
auth optional pam_group.so
|
||||
|
||||
session required pam_limits.so
|
||||
|
||||
session optional pam_lastlog.so showfailed
|
||||
|
||||
session optional pam_mail.so standard
|
||||
|
||||
session optional pam_keyinit.so force revoke
|
||||
|
||||
@include common-account
|
||||
@include common-session
|
||||
@include common-password
|
||||
Reference in New Issue
Block a user