Merge pull request #101 from dev-sec/update_pwqual

update template

Author: chris-rock

defaults/main.yml

@@ -8,7 +8,8 @@ os_auth_lockout_time: 600 # 10min
 os_auth_timeout: 60
 os_auth_allow_homeless: false
 os_auth_pam_passwdqc_enable: true
-os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8'
+os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8' # used in RHEL6
+os_auth_pam_pwquality_options: 'try_first_pass retry=3 type=' # used in RHEL7
 os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

templates/rhel_system_auth.j2

@@ -19,7 +19,11 @@ account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 
 {% if os_auth_pam_passwdqc_enable %}
+  {% if ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version >= '7' %}
+password    required      pam_pwquality.so {{os_auth_pam_pwquality_options}}
+  {% else %}
 password    requisite     pam_passwdqc.so {{os_auth_pam_passwdqc_options}}
+  {% endif %}
 {% else %}
 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 {% endif %}