fix local passwords

Signed-off-by: Thomas Sjögren <[email protected]>

molecule/default/verify.yml

@@ -771,6 +771,18 @@
       changed_when: cracklib_passwords.rc != 0
       when: ansible_os_family == "Debian"
 
+    - name: Verify username password list
+      environment:
+        PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+      ansible.builtin.shell: |
+        set -o pipefail
+        grep "{{ ansible_user | default(lookup('ansible.builtin.env', 'USER')) }}" /usr/share/dict/passwords.local
+      args:
+        executable: /bin/bash
+      register: username_passwords
+      failed_when: username_passwords.rc != 0
+      changed_when: username_passwords.rc != 0
+
     - name: Index blacklisted kernel modules
       environment:
         PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

tasks/password.yml

@@ -254,12 +254,6 @@
     - cracklib
     - pam
 
-- name: Get local accounts
-  ansible.builtin.command:
-    cmd: awk -F':' '{print $1}' /etc/passwd
-  changed_when: false
-  register: local_accounts
-
 - name: Add local information to password list
   become: true
   ansible.builtin.lineinfile:
@@ -276,7 +270,33 @@
   loop:
     - "{{ ansible_hostname | lower }}"
     - "{{ ansible_os_family | lower }}"
-    - "{{ local_accounts.stdout | unique | trim }}"
+  tags:
+    - cracklib
+    - pam
+
+- name: Get all local user accounts
+  ansible.builtin.getent:
+    database: passwd
+  register: local_users
+  tags:
+    - cracklib
+    - pam
+
+- name: Add local usernames to password list
+  become: true
+  ansible.builtin.lineinfile:
+    dest: /usr/share/dict/passwords.local
+    mode: "0644"
+    owner: root
+    group: root
+    state: present
+    line: "{{ item }}"
+  changed_when: false
+  notify:
+    - Update Debian cracklib
+    - Update RedHat cracklib
+  with_items:
+    - "{{ local_users.ansible_facts.getent_passwd | list}}"
   tags:
     - cracklib
     - pam