linux 如何在不破坏服务器身份验证的情况下使用ansible传输pam. d配置参数?

jhkqcmku  于 2022-11-28  发布在  Linux
关注(0)|答案(1)|浏览(104)

我遇到了一个问题,我需要帮助。我需要锁定用户后,多次登录失败与ansible。为了做到这一点,我需要改变2个文件在我的ubuntu 22**'公共帐户''公共身份'。当我做在手动,一切工作正常。
只需在
"公共帐户"**中添加1行:

account required pam_faillock.so

和**'公用身份验证'**中的3行

# existed comment lines in file
auth required pam_faillock.so preauth audit deny=3 unlock_time=120 fail_interval=60
# existed comment lines in file
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=120 fail_interval=60
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=120 fail_interval=60
#another existed config parameters in file

但是当我需要用ansible自动化时,我遇到了一个问题。**失败!=〉{" msg ":"sudo密码不正确"}这是因为ansible在一个ssh连接期间只更改了'common-auth'**一行。并且,在添加了" auth [default = die] pam_faillock.so authfail ..."行之后,我得到了上面的错误。
我已经尝试了几种方法,使用不同的ansible模块(pamd,lineinfile,assemble,loop,with_item),但是问题仍然存在。你可以在下面找到我的两种方法的代码。第一种是with_item,第二种是pamd。

---

- name: Number of tries during loging account
  lineinfile:
     state: present
     dest: '{{ pamd_account_file_ub }}'
     regexp: '^{{ item.search }}'
     line: '{{ item.replace }}'
  with_items:
      - { search: 'account required pam_faillock.so', replace: 'account required pam_faillock.so' }

- name: Number of tries during loging auth preauth
  community.general.pamd:
    name: common-auth
    type: auth
    control: '[success=1 default=ignore]'
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments:
     - 'preauth'
     - 'audit'
     - 'silent'
     - 'deny={{ number_of_login_try_before_block }}'
     - 'unlock_time={{ unlock_time }}'
     - 'fail_interval={{ fail_interval }}'
    state: before

- name: Number of tries during loging auth authfail authsucc 
  lineinfile:
     state: present
     dest: '{{ pamd_auth_file_ub }}'
     regexp: '^{{ item.search }}'
     insertafter: 'auth [success=1 default=ignore] pam_unix.so nullok'
     line: '{{ item.replace }}'
  with_items:
      - { search: 'auth [default=die] pam_faillock.so authfail}}', replace: 'auth [default=die] pam_faillock.so authfail audit deny={{ number_of_login_try_before_block }} unlock_time={{ unlock_time }} fail_interval={{ fail_interval }}' }
      - { search: 'auth sufficient pam_faillock.so authsucc', replace: 'auth sufficient pam_faillock.so authsucc audit deny={{ number_of_login_try_before_block }} unlock_time={{ unlock_time }} fail_interval={{ fail_interval }}' }
---

- name: Number of tries during loging account
  lineinfile:
     state: present
     dest: '{{ pamd_account_file_ub }}'
     regexp: '^{{ item.search }}'
     line: '{{ item.replace }}'
  with_items:
      - { search: 'account required pam_faillock.so', replace: 'account required pam_faillock.so' }

- name: Number of tries during loging auth preauth
  community.general.pamd:
    name: common-auth
    type: auth
    control: '[success=1 default=ignore]'
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments:
     - 'preauth'
     - 'audit'
     - 'silent'
     - 'deny={{ number_of_login_try_before_block }}'
     - 'unlock_time={{ unlock_time }}'
     - 'fail_interval={{ fail_interval }}'
    state: before

- name: Number of tries during loging auth authfail
  community.general.pamd:
    name: common-auth
    type: auth
    control: requisite
    module_path: pam_deny.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before

- name: Number of tries during loging auth authsucc
  community.general.pamd:
    name: common-auth
    type: auth
    control: '[success=1 default=ignore]'
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    state: after

我可以将文件从本地计算机复制到目标服务器,但这样可能会意外删除一些现有配置行。
总结我的问题。

    • 如何确保配置参数存在于文件中(如果未添加,则进行更改),并在一个ssh连接中发送它们?**

任何答案都将是有益的和感激的,并提前感谢您的指导

jgwigjjp

jgwigjjp1#

所以,我找到了解决办法。
您可以将一个blockinfile模块与insertbeforeinsertafter一起使用
如果您的pam.d配置行不能放在一个块中,您需要找到编辑pam.d文件的方法,而无需中断登录
对于我们的情况,在pam_unix.so模块之前是auth required pam_faillock.so preauth,然后是blockinfile,模块如下

auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

它被插在pam_deny.so模块之前

相关问题