Make changes portable

Signed-off-by: Martin Schurz <[email protected]>

Make changes portable

Signed-off-by: Martin Schurz <[email protected]>

Make changes portable

Signed-off-by: Martin Schurz <[email protected]>

Make changes portable

Signed-off-by: Martin Schurz <[email protected]>

Make changes portable

Signed-off-by: Martin Schurz <[email protected]>

Make changes portable

Signed-off-by: Martin Schurz <[email protected]>

Make changes portable

Signed-off-by: Martin Schurz <[email protected]>

Make changes portable

Signed-off-by: Martin Schurz <[email protected]>

Author: schurzi

molecule/os_hardening/verify_tasks/ssh_auth_locked.yml

@@ -1,9 +1,31 @@
 ---
 - name: Install tools
   package:
-    name:
-      - sshpass
+    name: "{{ item }}"
     state: present
+  ignore_errors: true
+  loop:
+    - sshpass
+    - openssh
+    - openssh-clients
+    - openssh-server
+
+- name: Allow password Login for sshd
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    search_string: PasswordAuthentication no
+    line: PasswordAuthentication yes
+  when:
+    - ansible_facts.distribution == "Amazon"
+
+- name: Start sshd service
+  ansible.builtin.service:
+    name: "{{ item }}"
+    state: started
+  ignore_errors: true
+  loop:
+    - sshd
+    - ssh
 
 - name: Set password for test
   ansible.builtin.set_fact:
@@ -16,7 +38,7 @@
 
 - name: Create ssh-client-keypair
   community.crypto.openssh_keypair:
-    path: /root/.ssh/locked_user_id
+    path: /root/locked_user_id
     type: ed25519
     state: present
   register: generated_key
@@ -29,19 +51,19 @@
 
 - name: Check successful login with password
   ansible.builtin.shell:
-    cmd: sshpass -p {{ test_pw }} ssh locked_user@localhost echo "success"
+    cmd: sshpass -p {{ test_pw }} ssh -o StrictHostKeyChecking=no locked_user@localhost echo "success"
 
 - name: Check successful login with ssh key
   ansible.builtin.shell:
-    cmd: ssh -i /root/.ssh/locked_user_id locked_user@localhost echo "success"
+    cmd: ssh -i /root/locked_user_id -o StrictHostKeyChecking=no locked_user@localhost echo "success"
 
 - name: Set password change date for locked_user
   ansible.builtin.shell:
     cmd: chage -d 2020-01-01 locked_user
 
 - name: Check unsuccessful login with password
   ansible.builtin.shell:
-    cmd: sshpass -p {{ test_pw }} ssh locked_user@localhost echo "success"
+    cmd: sshpass -p {{ test_pw }} ssh -o StrictHostKeyChecking=no locked_user@localhost echo "success"
   register: output
   ignore_errors: true
 
@@ -51,7 +73,18 @@
       - output.rc | int == 1
       - "'WARNING: Your password has expired.' in output.stderr"
       - "'success' not in output.stdout"
+  when:
+    - ansible_facts.os_family != "OpenSuse"
+
+- name: Assert check unsuccessful login
+  ansible.builtin.assert:
+    that:
+      - output.rc | int == 5
+      - output.stderr | length == 0
+      - output.stdout | length == 0
+  when:
+    - ansible_facts.os_family == "OpenSuse"
 
 - name: Check successful login with ssh key
   ansible.builtin.shell:
-    cmd: ssh -i /root/.ssh/locked_user_id locked_user@localhost echo "success"
+    cmd: ssh -i /root/locked_user_id -o StrictHostKeyChecking=no locked_user@localhost echo "success"

roles/os_hardening/tasks/pam.yml

@@ -27,6 +27,24 @@
   when:
     - ansible_facts.os_family == 'RedHat'
 
+- name: Allow Login with SSH Keys, when user password is expired
+  ansible.builtin.lineinfile:
+    path: /etc/pam.d/system-auth
+    backrefs: true
+    regexp: "^(account.*pam_unix.so(?!.*no_pass_expiry).*)$"
+    line: '\1 no_pass_expiry'
+  when:
+    - ansible_facts.os_family == 'Archlinux'
+
+- name: Allow Login with SSH Keys, when user password is expired
+  ansible.builtin.lineinfile:
+    path: /etc/pam.d/common-account
+    backrefs: true
+    regexp: "^(account.*pam_unix.so(?!.*no_pass_expiry).*)$"
+    line: '\1 no_pass_expiry'
+  when:
+    - ansible_facts.os_family == 'OpenSuse'
+
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
   ansible.builtin.template:
     src: etc/libuser.conf.j2