diff --git a/molecule/os_hardening/verify_tasks/ssh_auth_locked.yml b/molecule/os_hardening/verify_tasks/ssh_auth_locked.yml
index 0326a950..62639538 100644
--- a/molecule/os_hardening/verify_tasks/ssh_auth_locked.yml
+++ b/molecule/os_hardening/verify_tasks/ssh_auth_locked.yml
@@ -73,6 +73,17 @@
 - output.rc | int == 1
 - "'WARNING: Your password has expired.' in output.stderr"
 - "'success' not in output.stdout"
+ when:
+ - ansible_facts.distribution != "OpenSuse"
+
+- name: Assert check unsuccessful login
+ ansible.builtin.assert:
+ that:
+ - output.rc | int == 5
+ - output.stderr | length == 0
+ - output.stdout | length == 0
+ when:
+ - ansible_facts.distribution == "OpenSuse"
 
 - name: Check successful login with ssh key
 ansible.builtin.shell:
diff --git a/roles/os_hardening/tasks/pam.yml b/roles/os_hardening/tasks/pam.yml
index 26f14860..f4cbb042 100644
--- a/roles/os_hardening/tasks/pam.yml
+++ b/roles/os_hardening/tasks/pam.yml
@@ -36,6 +36,15 @@
 when:
 - ansible_facts.os_family == 'Archlinux'
 
+- name: Allow Login with SSH Keys, when user password is expired
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-account
+ backrefs: true
+ regexp: "^(account.*pam_unix.so(?!.*no_pass_expiry).*)$"
+ line: '\1 no_pass_expiry'
+ when:
+ - ansible_facts.os_family == 'OpenSuse'
+
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
 ansible.builtin.template:
 src: etc/libuser.conf.j2
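Review bot: The new OpenSuse assertion pins `output.rc | int == 5` with empty stdout and stderr, but nothing records what exit status 5 means, and it is a different failure mode from the expiry warning and rc 1 asserted for every other distribution; if `output` comes from an sshpass-wrapped ssh (the command is registered outside this hunk), 5 is sshpass's "incorrect password" status, so the expired password is being rejected outright rather than warned about, and that deserves a comment such as `# openSUSE rejects the expired password outright (rc 5, no output) instead of printing the expiry warning — confirm against sshpass(1)`. This gate also compares `ansible_facts.distribution` with "OpenSuse" while the paired pam.yml task in this same commit gates on `ansible_facts.os_family`; the two should key on the same fact so the verify actually runs on the host the hardening task modifies. The assert task whose `that:` list opens this hunk begins outside the hunk, and the new task appears to reuse its name, so a distinguishing suffix like `Assert check unsuccessful login (OpenSuse)` would make a failure report unambiguous.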
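Review bot: The `when:` on the new lineinfile task tests `ansible_facts.os_family == 'OpenSuse'`, whereas the verify task added in the same commit tests `ansible_facts.distribution`; these are different facts, and on SUSE hosts Ansible reports the family as "Suse" as far as I recall, so this condition likely never matches and `no_pass_expiry` is silently never applied while the molecule check passes for an unrelated reason — I would use the same fact and value the rest of the role uses for SUSE in both places. Because `no_pass_expiry` tells pam_unix to ignore shadow password expiry whenever authentication succeeded by another method (public-key ssh here), it deliberately weakens account-expiry enforcement for key-based logins on this one platform, so a comment stating that trade-off belongs above the task, e.g. `# no_pass_expiry: skip shadow expiry only when auth was not done by pam_unix (ssh key); password logins still expire`. The regex `^(account.*pam_unix.so(?!.*no_pass_expiry).*)$` rewrites every account line referencing pam_unix.so, including any `requisite`/`required` variants, which is probably intended but worth saying. Lastly, on SUSE `/etc/pam.d/common-account` is normally a pam-config-generated symlink to `common-account-pc`; lineinfile's atomic replace may turn that symlink into a regular file and a later `pam-config` run would drop the edit, so consider `pam-config -a --unix-no_pass_expiry` (if that option exists) or at least `follow: true` — TODO confirm on a real openSUSE host.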