Make changes portable

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
dev-sec · Dec 22, 2024 · 1b9691c · 1b9691c
1 parent d4a9967
commit 1b9691c
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/molecule/os_hardening/verify_tasks/ssh_auth_locked.yml b/molecule/os_hardening/verify_tasks/ssh_auth_locked.yml
@@ -73,6 +73,17 @@
       - output.rc | int == 1
       - "'WARNING: Your password has expired.' in output.stderr"
       - "'success' not in output.stdout"
+  when:
+    - ansible_facts.distribution != "OpenSuse"
+
+- name: Assert check unsuccessful login
+  ansible.builtin.assert:
+    that:
+      - output.rc | int == 5
+      - output.stderr | length == 0
+      - output.stdout | length == 0
+  when:
+    - ansible_facts.distribution == "OpenSuse"
 
 - name: Check successful login with ssh key
   ansible.builtin.shell:

diff --git a/roles/os_hardening/tasks/pam.yml b/roles/os_hardening/tasks/pam.yml
@@ -36,6 +36,15 @@
   when:
     - ansible_facts.os_family == 'Archlinux'
 
+- name: Allow Login with SSH Keys, when user password is expired
+  ansible.builtin.lineinfile:
+    path: /etc/pam.d/common-account
+    backrefs: true
+    regexp: "^(account.*pam_unix.so(?!.*no_pass_expiry).*)$"
+    line: '\1 no_pass_expiry'
+  when:
+    - ansible_facts.os_family == 'OpenSuse'
+
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
   ansible.builtin.template:
     src: etc/libuser.conf.j2