diff --git a/attributes/default.rb b/attributes/default.rb
index 175383ee..35b5629f 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -24,6 +24,15 @@
 default['packages']['pam_ccreds'] = 'pam_ccreds'
 default['packages']['pam_passwdqc'] = 'pam_passwdqc'
 default['packages']['pam_cracklib'] = 'pam_cracklib'
+ default['packages']['pam_pwquality'] = 'libpwquality'
+
+ if platform_version.to_f < 7
+ default['auth']['pam']['passwdqc']['enable'] = true
+ default['auth']['pam']['pwquality']['enable'] = false
+ else
+ default['auth']['pam']['passwdqc']['enable'] = false
+ default['auth']['pam']['pwquality']['enable'] = true
+ end
 when 'debian'
 default['packages']['pam_ccreds'] = 'libpam-ccreds'
@@ -59,8 +68,9 @@
 default['auth']['lockout_time'] = 600 # 10min
 default['auth']['timeout'] = 60
 default['auth']['allow_homeless'] = false
-default['auth']['pam']['passwdqc']['enable'] = true
 default['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8'
+default['auth']['pam']['cracklib']['options'] = 'try_first_pass retry=3 type='
+default['auth']['pam']['pwquality']['options'] = 'try_first_pass retry=3 type='
 default['auth']['root_ttys'] = %w(console tty1 tty2 tty3 tty4 tty5 tty6)
 default['auth']['uid_min'] = 1000
 default['auth']['gid_min'] = 1000
diff --git a/recipes/pam.rb b/recipes/pam.rb
index daebef43..4b8a69d7 100644
--- a/recipes/pam.rb
+++ b/recipes/pam.rb
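Review bot: The version test `if platform_version.to_f < 7` calls `platform_version` as a bare method, while recipes/pam.rb spells the same test `node['platform_version'].to_f < 7`; whether the bare form resolves depends on the attribute-file DSL, and using the bracket form in both files removes that dependency and makes the duplicated condition greppable. Since the template now picks the PAM module from these two enable flags, a short comment above the block, `# passwdqc is the pre-7 default; libpwquality replaces it (and cracklib) from RHEL 7 on, so only one flag is true per release`, would tell wrapper-cookbook authors which flag to flip and why they are exclusive by default. The `when` branch these lines sit in starts outside the hunk.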
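Review bot: Removing the file-level `default['auth']['pam']['passwdqc']['enable'] = true` leaves that attribute set only inside the RHEL-family branch of the first hunk, so on every other platform family it is now nil (falsy) where it used to be true; unless the `debian` branch outside this diff sets it, anything reading the flag there changes behaviour silently, and keeping a file-level default that the per-platform block then overrides preserves the old shape. The two new option strings `try_first_pass retry=3 type=` set no length or complexity limits, so pam_pwquality's effective policy comes from its own pwquality.conf (not managed in this diff) and pam_cracklib falls back to its built-in defaults; a comment stating that, e.g. `# no complexity limits here: pwquality reads pwquality.conf, cracklib uses its built-in defaults`, would make the intended policy explicit.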
@@ -99,52 +99,38 @@
 # therefore we edit /etc/pam.d/system-auth-ac/
 # @see http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify
- if node['auth']['pam']['passwdqc']['enable']
- if node['platform_version'].to_f < 7
- # remove pam_cracklib, because it does not play nice wiht passwdqc in versions less than 7
- package 'pam-cracklib' do
- package_name node['packages']['pam_cracklib']
- action :remove
- end
-
- # get the package for strong password checking
- package 'pam-passwdqc' do
- package_name node['packages']['pam_passwdqc']
- end
-
- # deactivate passwdqc
- else
-
- # make sure the package is not on the system,
- # if this feature is not wanted
- package 'pam-passwdqc' do
- package_name node['packages']['pam_passwdqc']
- action :remove
- end
+ if node['platform_version'].to_f < 7
+ # remove pam_cracklib, because it does not play nice with passwdqc in versions less than 7
+ package 'pam-cracklib' do
+ package_name node['packages']['pam_cracklib']
+ action node['auth']['pam']['passwdqc']['enable'] ? :remove : :nothing
 end
- else
- # In RH-family distros > 7, 'pam_pwquality' contains both pam_cracklib and pam_passwdqc
+ package 'pam-passwdqc' do
+ package_name node['packages']['pam_passwdqc']
+ action node['auth']['pam']['passwdqc']['enable'] ? :install : :remove
+ end
+ else
+ # In RH-family distros > 7, 'pam_pwquality' obsoletes both pam_cracklib and pam_passwdqc
 # See https://linux.web.cern.ch/linux/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/
 package 'pam_pwquality' do
 package_name node['packages']['pam_pwquality']
 end
- # run the standard config
+ end
- # configure passwdqc and tally via central system-auth confic:
- template '/etc/pam.d/system-auth-ac' do
- source 'rhel_system_auth.erb'
- mode 0640
- owner 'root'
- group 'root'
- end
+ # configure passwdqc and tally via central system-auth confic:
+ template '/etc/pam.d/system-auth-ac' do
+ source 'rhel_system_auth.erb'
+ mode 0640
+ owner 'root'
+ group 'root'
+ end
- # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
- template '/etc/libuser.conf' do
- source 'rhel_libuser.conf.erb'
- mode 0640
- owner 'root'
- group 'root'
- end
+ # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
+ template '/etc/libuser.conf' do
+ source 'rhel_libuser.conf.erb'
+ mode 0640
+ owner 'root'
+ group 'root'
 end
 end
diff --git a/templates/default/rhel_system_auth.erb b/templates/default/rhel_system_auth.erb
index b0b24f9b..1e665758 100644
--- a/templates/default/rhel_system_auth.erb
+++ b/templates/default/rhel_system_auth.erb
@@ -22,8 +22,10 @@
 account required pam_permit.so
 <% if node['auth']['pam']['passwdqc']['enable'] %>
 password requisite pam_passwdqc.so <%= node['auth']['pam']['passwdqc']['options'] %>
+<% elsif node['auth']['pam']['pwquality']['enable'] %>
+password requisite pam_pwquality.so <%= node['auth']['pam']['pwquality']['options'] %>
 <% else %>
-password requisite pam_cracklib.so try_first_pass retry=3 type=
+password requisite pam_cracklib.so <%= node['auth']['pam']['cracklib']['options'] %>
 <% end %>
 # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
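Review bot: Package selection in the `if node['platform_version'].to_f < 7` branch is still keyed on the OS version, while the template this recipe renders to `/etc/pam.d/system-auth-ac` chooses the module from the enable attributes; a wrapper that sets `node['auth']['pam']['pwquality']['enable']` to true on a pre-7 host therefore gets `pam_pwquality.so` in the rendered file with no libpwquality package resource to install it (and the mirror case holds for passwdqc on 7+). Driving the `pam_pwquality` resource from its own flag, `action node['auth']['pam']['pwquality']['enable'] ? :install : :remove`, would keep package state and rendered config in step. The comment above the first template still reads `confic`; `# configure passwdqc and tally via central system-auth config:`. The `case`/`when` this block lives in starts before the hunk, and the trailing `end` lines close it.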
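Review bot: The `if`/`elsif` order gives passwdqc silent precedence when both enable flags are true, and the bare `else` falls through to pam_cracklib whenever both are false, which is not obvious from attributes that default only one flag per release; a template comment above the branch, `<%# module precedence: passwdqc > pwquality > cracklib (fallback when neither flag is set) %>`, documents the contract without changing output. Each password-checking line is `requisite`, so a failed check ends the stack immediately; naming that in the same comment helps a later edit keep it rather than downgrading to `required` by accident.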