with_nested failing, not sure why


John Oliver

Aug 4, 2014, 12:18:28 PM
to ansible...@googlegroups.com
This task:

  - name: Lock accounts after 3 unsuccessful logon attempts
    lineinfile: dest=/etc/pam.d/{{ item[0] }}-auth-ac
                regexp='^auth.*pam_faillock\.so\ auth.*\ deny=3\ unlock_time=604800\ fail_interval=900'
                insertafter='^auth.*pam_unix\.so.*'
                line={{ item[1] }}
    with_nested:
      - [ 'system', 'password' ]
      - [ 'auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900', 'auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900' ]

gives me:

TASK: [Lock accounts after 3 unsuccessful logon attempts] ********************* 
failed: [jedisbuild] => (item=['system', 'auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true, "item": ["system", "auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments (['dest=/etc/pam.d/system-auth-ac', 'regexp=^auth.*pam_faillock\\.so\\ auth.*\\ deny=3\\ unlock_time=604800\\ fail_interval=900', 'insertafter=^auth.*pam_unix\\.so.*', 'line=auth', '[default=die]', 'pam_faillock.so', 'authfail', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])
failed: [jedisbuild] => (item=['system', 'auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true, "item": ["system", "auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments (['dest=/etc/pam.d/system-auth-ac', 'regexp=^auth.*pam_faillock\\.so\\ auth.*\\ deny=3\\ unlock_time=604800\\ fail_interval=900', 'insertafter=^auth.*pam_unix\\.so.*', 'line=auth', 'required', 'pam_faillock.so', 'authsucc', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])
failed: [jedisbuild] => (item=['password', 'auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true, "item": ["password", "auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments (['dest=/etc/pam.d/password-auth-ac', 'regexp=^auth.*pam_faillock\\.so\\ auth.*\\ deny=3\\ unlock_time=604800\\ fail_interval=900', 'insertafter=^auth.*pam_unix\\.so.*', 'line=auth', '[default=die]', 'pam_faillock.so', 'authfail', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])
failed: [jedisbuild] => (item=['password', 'auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true, "item": ["password", "auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments (['dest=/etc/pam.d/password-auth-ac', 'regexp=^auth.*pam_faillock\\.so\\ auth.*\\ deny=3\\ unlock_time=604800\\ fail_interval=900', 'insertafter=^auth.*pam_unix\\.so.*', 'line=auth', 'required', 'pam_faillock.so', 'authsucc', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])


Target files:

[joliver@build ~]$ sudo cat /etc/pam.d/system-auth-ac 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so  try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow  try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
[joliver@build ~]$ sudo cat /etc/pam.d/password-auth-ac 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Mike Ray

Aug 4, 2014, 12:30:15 PM
to ansible...@googlegroups.com
I can't say as I'm familiar with the nested construction, but at least part of the problem is given to you:


msg: this module requires key=value arguments (['dest=/etc/pam.d/system-auth-ac', 'regexp=^auth.*pam_faillock\\.so\\ auth.*\\ deny=3\\ unlock_time=604800\\ fail_interval=900', 'insertafter=^auth.*pam_unix\\.so.*', 'line=auth', '[default=die]', 'pam_faillock.so', 'authfail', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])

The module is splitting your input on the spaces, which is what the information in the parentheses states. So you end up with 'dest=/etc/pam.d/system-auth-ac' and then a whole bunch of other junk.

I can't recall for sure, but using double-quotes may resolve this (e.g. "this is your input now").
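A rewrite of the task from the first post, added here as an example and not code from the thread. It assumes lineinfile's YAML-dictionary argument form (available in the 1.x series), which passes each value to the module whole instead of tokenising the task line into key=value pairs; it also gives each pam_faillock line its own regexp and insertafter (both added here), because the original single regexp matches both lines, so the second item would overwrite the first, and insertafter always inserts after the last match, so anchoring both lines on pam_unix.so would reverse their order.

```yaml
# Added example, not code from the original thread. Assumes the module's
# YAML-dictionary argument form, so a value containing spaces is never split
# into key=value tokens the way the key=value task line was.
- name: Lock accounts after 3 unsuccessful logon attempts
  lineinfile:
    dest: "/etc/pam.d/{{ item[0] }}-auth-ac"
    # Per-item regexp (added here): the thread's single regexp matched both
    # faillock lines, so lineinfile would have replaced one with the other.
    regexp: '^auth\s.*pam_faillock\.so\s+{{ item[1].mode }}\b'
    # Per-item insertafter (added here): insertafter adds the line after the
    # last match, so authsucc is anchored on the authfail line to keep the
    # order pam_unix.so -> authfail -> authsucc.
    insertafter: "{{ item[1].after }}"
    line: "auth {{ item[1].control }} pam_faillock.so {{ item[1].mode }} deny=3 unlock_time=604800 fail_interval=900"
  with_nested:
    - [ 'system', 'password' ]
    # Second list: one dict per faillock line (mode, control flag, anchor).
    - - { mode: 'authfail', control: '[default=die]', after: '^auth\s.*pam_unix\.so' }
      - { mode: 'authsucc', control: 'required', after: '^auth\s.*pam_faillock\.so\s+authfail' }
```

Running the task twice is a quick idempotency check: the second run should report no changes for either file, which confirms the per-item regexps match only the lines they inserted.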

Michael DeHaan

Aug 4, 2014, 1:22:44 PM
to ansible...@googlegroups.com
For starters,

ansible --version ?




--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/834510e9-5862-43b8-91a1-2b7a0efadc52%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

John Oliver

Aug 4, 2014, 2:03:12 PM
to ansible...@googlegroups.com
1.6.6

Michael DeHaan

Aug 4, 2014, 4:17:15 PM
to ansible...@googlegroups.com
Ok, so the various security fixes in the 1.6.X series were largely patched out by 1.6.10, and are even better on the development branch, where we are finishing up some minor things getting ready for a release.

Please check and see if this is an issue in 1.6.10, and my expectation is there's a good chance you'll be good to go :)


John Oliver

Aug 4, 2014, 6:41:06 PM
to ansible...@googlegroups.com
Thanks.  I've asked the maintainer of that port at MacPorts to update, or if I can help maintain it.

Michael DeHaan

Aug 5, 2014, 12:20:05 PM
to ansible...@googlegroups.com
Great, thanks!