I ran into a problem and I need help. I need to lock a user after several failed login attempts, using Ansible. To do this I need to change two files on my Ubuntu 22, 'common-account' and 'common-auth'. When I do it manually, everything works fine.
Just add 1 line to 'common-account':
account required pam_faillock.so
and 3 lines to 'common-auth':
# existing comment lines in the file
auth required pam_faillock.so preauth audit deny=3 unlock_time=120 fail_interval=60
# existing comment lines in the file
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=120 fail_interval=60
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=120 fail_interval=60
# other existing config parameters in the file
But when I need to automate this with Ansible, I run into a problem: FAILED! => {"msg": "Incorrect sudo password"}. This is because Ansible changes only one line of 'common-auth' during one SSH connection. And after the line "auth [default=die] pam_faillock.so authfail ..." has been added, I get the error above.
I have tried several approaches using different Ansible modules (pamd, lineinfile, assemble, loop, with_items), but the problem persists. Below you can find the code of two of my approaches. The first one uses with_items, the second one pamd.
---
- name: Number of tries during login account
  lineinfile:
    state: present
    dest: '{{ pamd_account_file_ub }}'
    regexp: '^{{ item.search }}'
    line: '{{ item.replace }}'
  with_items:
    - { search: 'account required pam_faillock.so', replace: 'account required pam_faillock.so' }
- name: Number of tries during login auth preauth
  community.general.pamd:
    name: common-auth
    type: auth
    control: '[success=1 default=ignore]'
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments:
      - 'preauth'
      - 'audit'
      - 'silent'
      - 'deny={{ number_of_login_try_before_block }}'
      - 'unlock_time={{ unlock_time }}'
      - 'fail_interval={{ fail_interval }}'
    state: before
- name: Number of tries during login auth authfail authsucc
  lineinfile:
    state: present
    dest: '{{ pamd_auth_file_ub }}'
    regexp: '^{{ item.search }}'
    # regexp and insertafter are regular expressions, so the square brackets
    # of the PAM control field must be escaped to match them literally
    insertafter: 'auth \[success=1 default=ignore\] pam_unix.so nullok'
    line: '{{ item.replace }}'
  # both items are inserted directly after the pam_unix line, so the second
  # item (authsucc) ends up above the first (authfail)
  with_items:
    - { search: 'auth \[default=die\] pam_faillock.so authfail', replace: 'auth [default=die] pam_faillock.so authfail audit deny={{ number_of_login_try_before_block }} unlock_time={{ unlock_time }} fail_interval={{ fail_interval }}' }
    - { search: 'auth sufficient pam_faillock.so authsucc', replace: 'auth sufficient pam_faillock.so authsucc audit deny={{ number_of_login_try_before_block }} unlock_time={{ unlock_time }} fail_interval={{ fail_interval }}' }
---
- name: Number of tries during login account
  lineinfile:
    state: present
    dest: '{{ pamd_account_file_ub }}'
    regexp: '^{{ item.search }}'
    line: '{{ item.replace }}'
  with_items:
    - { search: 'account required pam_faillock.so', replace: 'account required pam_faillock.so' }
- name: Number of tries during login auth preauth
  community.general.pamd:
    name: common-auth
    type: auth
    control: '[success=1 default=ignore]'
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments:
      - 'preauth'
      - 'audit'
      - 'silent'
      - 'deny={{ number_of_login_try_before_block }}'
      - 'unlock_time={{ unlock_time }}'
      - 'fail_interval={{ fail_interval }}'
    state: before
- name: Number of tries during login auth authsucc
  # inserts 'auth sufficient pam_faillock.so authsucc ...' before pam_deny.so;
  # the authsucc argument list was missing from the original task
  community.general.pamd:
    name: common-auth
    type: auth
    control: requisite
    module_path: pam_deny.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    module_arguments:
      - 'authsucc'
      - 'audit'
      - 'deny={{ number_of_login_try_before_block }}'
      - 'unlock_time={{ unlock_time }}'
      - 'fail_interval={{ fail_interval }}'
    state: before
- name: Number of tries during login auth authfail
  # inserts 'auth [default=die] pam_faillock.so authfail ...' after pam_unix.so;
  # the authfail argument list was missing from the original task. After the
  # previous task but before this one, pam_unix's success=1 skips the authsucc
  # rule and lands on pam_deny.so, so sudo fails until this task has run.
  community.general.pamd:
    name: common-auth
    type: auth
    control: '[success=1 default=ignore]'
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments:
      - 'authfail'
      - 'audit'
      - 'deny={{ number_of_login_try_before_block }}'
      - 'unlock_time={{ unlock_time }}'
      - 'fail_interval={{ fail_interval }}'
    state: after
I could copy the files from my local machine to the target server, but that way I might accidentally delete some existing configuration lines.
To summarise my question:
- How can I make sure the configuration parameters exist in the file (and change them if they have not been added), and send them within a single SSH connection?
Any answer would be helpful and appreciated, and thanks in advance for your guidance.
1 Answer
So, I found the solution. You can use the blockinfile module together with insertbefore and insertafter. If your pam.d configuration lines cannot be placed in a single block, you need to find a way to edit the pam.d file without interrupting login.
For our case, 'auth required pam_faillock.so preauth' goes before the pam_unix.so module, and then blockinfile, with the module as follows; it is inserted before the pam_deny.so module.
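An added example (not the answerer's code) putting that approach into a complete playbook: the preauth line goes before pam_unix.so with lineinfile, and authfail/authsucc are written together with blockinfile just before pam_deny.so, so no intermediate state breaks login or Ansible's sudo. The file paths, the variable values, and placing the common-account line before pam_unix.so are assumptions; the variable names are the ones from the question.

```yaml
---
# Added example (not the answerer's playbook); paths and values are assumed
- name: Lock accounts after repeated failed logins with pam_faillock (Ubuntu 22)
  hosts: all
  become: true
  vars:
    pamd_account_file_ub: /etc/pam.d/common-account
    pamd_auth_file_ub: /etc/pam.d/common-auth
    number_of_login_try_before_block: 3
    unlock_time: 120
    fail_interval: 60
    faillock_args: "audit deny={{ number_of_login_try_before_block }} unlock_time={{ unlock_time }} fail_interval={{ fail_interval }}"
  tasks:
    # Every task leaves PAM in a state where login still works, so the next
    # task's become does not fail with "Incorrect sudo password".
    - name: Deny locked accounts at the account stage (placed before pam_unix, whose success=1 would skip a rule placed after it)
      ansible.builtin.lineinfile:
        path: "{{ pamd_account_file_ub }}"
        regexp: '^account\s+required\s+pam_faillock\.so'
        line: "account required pam_faillock.so"
        insertbefore: '^account\s+\[.*\]\s+pam_unix\.so'
        firstmatch: true

    - name: Check the failure counter before pam_unix (preauth)
      ansible.builtin.lineinfile:
        path: "{{ pamd_auth_file_ub }}"
        regexp: '^auth\s+required\s+pam_faillock\.so\s+preauth'
        line: "auth required pam_faillock.so preauth {{ faillock_args }}"
        # insertbefore is a regex: the brackets of the control field are escaped
        insertbefore: '^auth\s+\[success=1 default=ignore\]\s+pam_unix\.so'
        firstmatch: true

    # authfail and authsucc must land together, in this order, right before
    # pam_deny.so: pam_unix's success=1 skips exactly one module (authfail) and
    # reaches the 'sufficient' authsucc, which resets the counter and returns
    # success; a pam_unix failure falls through to authfail ([default=die]),
    # which records the failure and denies. The marker comments are not PAM
    # modules, so they are not counted by the jump.
    - name: Record failures and successes in one write (blockinfile)
      ansible.builtin.blockinfile:
        path: "{{ pamd_auth_file_ub }}"
        marker: "# {mark} ANSIBLE MANAGED BLOCK: pam_faillock"
        insertbefore: '^auth\s+requisite\s+pam_deny\.so'
        block: |
          auth [default=die] pam_faillock.so authfail {{ faillock_args }}
          auth sufficient pam_faillock.so authsucc {{ faillock_args }}
```

Re-running the play is idempotent: the regexps recognise the existing lines and blockinfile replaces the content between its markers instead of appending a second copy.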