# {{ ansible_managed }} #--- #%PAM-1.0 {% if os_auth_retries > 0 %} auth required pam_tally2.so deny={{os_auth_retries}} onerr=fail unlock_time={{os_auth_lockout_time}} {% endif %} auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so {% if os_auth_retries > 0 %} account required pam_tally2.so {% endif %} account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so {% if os_auth_pam_passwdqc_enable %} {%- if ansible_os_family == 'RedHat' and ansible_distribution_version >= '7' %} password required pam_pwquality.so {{os_auth_pam_pwquality_options}} {%- else %} password requisite pam_passwdqc.so {{os_auth_pam_passwdqc_options}} {%- endif %} {% else %} password requisite pam_cracklib.so try_first_pass retry=3 type= {% endif %} # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 # NSA 2.3.3.6 Limit Password Reuse password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5 password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so