diff --git a/CHANGELOG.md b/CHANGELOG.md index 798f726..f926cbb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # CHANGELOG +## 0.1.22 + +* dropped descriptions for cracklib facts + ## 0.1.21 * Added support for Ubuntu to **pam::unix** diff --git a/lib/facter/eyp_cracklib_facts.rb b/lib/facter/eyp_cracklib_facts.rb index 635c15d..c28eb38 100644 --- a/lib/facter/eyp_cracklib_facts.rb +++ b/lib/facter/eyp_cracklib_facts.rb @@ -21,11 +21,6 @@ minlen end end - Facter.add('eyp_pam_cracklib_password_minlen_description') do - setcode do - 'Minimum acceptable size for the new password' - end - end end unless ocredit.nil? or ocredit.empty? @@ -34,11 +29,6 @@ ocredit end end - Facter.add('eyp_pam_cracklib_password_ocredit_description') do - setcode do - 'The maximum credit for having other characters in the new password' - end - end end unless lcredit.nil? or lcredit.empty? @@ -47,11 +37,6 @@ lcredit end end - Facter.add('eyp_pam_cracklib_password_lcredit_description') do - setcode do - 'The maximum credit for having lowercase characters in the new password' - end - end end unless ucredit.nil? or ucredit.empty? @@ -60,11 +45,6 @@ ucredit end end - Facter.add('eyp_pam_cracklib_password_ucredit_description') do - setcode do - 'The maximum credit for having uppercase characters in the new password' - end - end end unless dcredit.nil? or dcredit.empty? @@ -73,9 +53,4 @@ dcredit end end - Facter.add('eyp_pam_cracklib_password_dcredit_description') do - setcode do - 'The maximum credit for having digits in the new password' - end - end end diff --git a/manifests/params.pp b/manifests/params.pp index 0f0cc76..175ac08 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -62,6 +62,7 @@ $use_authconfig=false $use_pwhistory=true $pwhistory_pamd='/etc/pam.d/common-password' + $password_hash_algo_default = 'sha512' case $::operatingsystem { 'Ubuntu': diff --git a/manifests/unix/config.pp b/manifests/unix/config.pp index b7d5abd..1a16f39 100644 
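Review bot: In the manifests/params.pp hunk, `$password_hash_algo_default = 'sha512'` is defined, but nothing visible in this commit reads it. manifests/unix/config.pp still only carries the `TODO: ${pam::unix::password_hash_algo}` comment, so this value does not yet appear to set the hash algorithm on the managed pam_unix line. I would say so on the line, e.g. `# default for pam::unix::password_hash_algo; not applied to pam_unix yet (see TODO in unix/config.pp)`, so that nobody assumes sha512 is already enforced. When the parameter is wired in, it should be checked against a fixed list of algorithm names rather than interpolated as free text. The enclosing class starts and ends outside the hunk.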
--- a/manifests/unix/config.pp +++ b/manifests/unix/config.pp @@ -53,7 +53,35 @@ require => Exec['red wedding'], } - #TODO: ${pam::unix::password_hash_algo} + # TODO: ${pam::unix::password_hash_algo} + # RHEL7 pam_unix.so use_authtok try_first_pass nullok sha512 shadow + # Ubuntu 16: pam_unix.so use_authtok try_first_pass sha512 obscure + + # nullok + # The default action of this module is to not permit the user access to a service if their official password is blank. The nullok argument overrides this default and allows any user with a blank + # password to access the service. + # + # shadow + # Try to maintain a shadow based system. + # + # obscure + # Enable some extra checks on password strength. These checks are based on the "obscure" checks in the original shadow package. The behavior is similar to the pam_cracklib module, but for + # non-dictionary-based checks. The following checks are implemented: + # + # Palindrome + # Verifies that the new password is not a palindrome of (i.e., the reverse of) the previous one. + # + # Case Change Only + # Verifies that the new password isn't the same as the old one with a change of case. + # + # Similar + # Verifies that the new password isn't too much like the previous one. + # + # Simple + # Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc.) used. + # + # Rotated + # Is the new password a rotated version of the old password? (E.g., "billy" and "illyb") } else diff --git a/metadata.json b/metadata.json index bf56c32..bee6806 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "eyp-pam", - "version": "0.1.21", + "version": "0.1.22", "author": "eyp", "summary": "PAM modules, /etc/security/limits.conf and /etc/securetty management", "license": "Apache-2.0",
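Review bot: The RHEL7 reference line in the new comment block of manifests/unix/config.pp includes `nullok`, which, as the pasted text itself explains, lets an account with a blank password access the service. When the TODO is implemented, that option should not be copied into the managed pam_unix line by default. I would note this next to the TODO, e.g. `# NOTE: do not emit nullok unless explicitly enabled by a parameter`. The block is also a long verbatim excerpt from the pam_unix manual; a one-line pointer such as `# see pam_unix(8) for nullok, shadow and obscure` would keep the manifest readable. The enclosing conditional starts before the hunk and continues after it.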