How to push pam.d config parameters to a server with Ansible without (breaking) authentication

I ran into a problem and am looking for help. I need to lock a user after several failed login attempts using Ansible. To do this I need to change two files on Ubuntu 22: common-account and common-auth.

Only 1 line needs to be added to common-account:

account required pam_faillock.so

And 3 lines to common-auth:

# existed comment lines in file
auth required pam_faillock.so preauth audit deny=3 unlock_time=120 fail_interval=60
# existed comment lines in file
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=120 fail_interval=60
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=120 fail_interval=60
#another existed config parameters in file

But when I need to automate this with Ansible I run into a problem: failed => {"msg": "Incorrect sudo password"}. This happens because Ansible changes only one line per SSH connection. After the line "auth [default=die] pam_faillock.so authfail" has been added, I get the error above.

I have already tried several approaches using different Ansible modules (pamd, lineinfile, assemble, loop, with_items), but the problem persists. You can find the code for two of my approaches below. The first uses with_items, the second uses pamd.

---
- name: Number of tries during login account
  lineinfile:
    state: present
    dest: '{{ pamd_account_file_ub }}'
    regexp: '^{{ item.search }}'
    line: '{{ item.replace }}'
  with_items:
    - { search: 'account required pam_faillock.so', replace: 'account required pam_faillock.so' }

- name: Number of tries during login auth preauth
  community.general.pamd:
    name: common-auth
    type: auth
    control: '[success=1 default=ignore]'
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments:
      - 'preauth'
      - 'audit'
      - 'silent'
      - 'deny={{ number_of_login_try_before_block }}'
      - 'unlock_time={{ unlock_time }}'
      - 'fail_interval={{ fail_interval }}'
    state: before

- name: Number of tries during login auth authfail authsucc
  lineinfile:
    state: present
    dest: '{{ pamd_auth_file_ub }}'
    # search values are used as regular expressions, so the PAM control brackets are escaped
    regexp: '^{{ item.search }}'
    insertafter: 'auth \[success=1 default=ignore\] pam_unix\.so nullok'
    line: '{{ item.replace }}'
  with_items:
    - { search: 'auth \[default=die\] pam_faillock\.so authfail', replace: 'auth [default=die] pam_faillock.so authfail audit deny={{ number_of_login_try_before_block }} unlock_time={{ unlock_time }} fail_interval={{ fail_interval }}' }
    - { search: 'auth sufficient pam_faillock\.so authsucc', replace: 'auth sufficient pam_faillock.so authsucc audit deny={{ number_of_login_try_before_block }} unlock_time={{ unlock_time }} fail_interval={{ fail_interval }}' }

---
- name: Number of tries during login account
  lineinfile:
    state: present
    dest: '{{ pamd_account_file_ub }}'
    regexp: '^{{ item.search }}'
    line: '{{ item.replace }}'
  with_items:
    - { search: 'account required pam_faillock.so', replace: 'account required pam_faillock.so' }

- name: Number of tries during login auth preauth
  community.general.pamd:
    name: common-auth
    type: auth
    control: '[success=1 default=ignore]'
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments:
      - 'preauth'
      - 'audit'
      - 'silent'
      - 'deny={{ number_of_login_try_before_block }}'
      - 'unlock_time={{ unlock_time }}'
      - 'fail_interval={{ fail_interval }}'
    state: before

- name: Number of tries during login auth authfail
  community.general.pamd:
    name: common-auth
    type: auth
    control: requisite
    module_path: pam_deny.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before

- name: Number of tries during login auth authsucc
  community.general.pamd:
    name: common-auth
    type: auth
    control: '[success=1 default=ignore]'
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    state: after

I could copy the file from my local machine to the target server, but then I might accidentally remove some existing configuration lines.

To summarize my question:

How can I make sure the configuration parameters exist in the file (add them if missing, change them if present) and send them in one SSH connection?

Any answer will be helpful and appreciated; thanks in advance for your guidance.

So, I found the solution.

You can use the Ansible blockinfile module with insertbefore/insertafter.

If your pam.d config lines cannot be placed in one block, you need to find another way to edit the pam.d file without breaking login.

In our case: before the pam_unix.so module goes auth required pam_faillock.so preauth, and then a blockinfile with the modules below

auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

which is inserted before the pam_deny.so module.
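The same approach as a complete playbook, as an added example that is not the poster's code: it assumes Ubuntu 22.04's stock common-auth and common-account layout, reuses the poster's three variable names, and the faillock_args variable and the marker text are my own. The comments explain why the two auth lines must land in one edit.

```yaml
---
# Added example (not the poster's playbook). Assumes Ubuntu 22.04's stock
# /etc/pam.d/common-auth and common-account and the variables under vars.
- name: Enable pam_faillock lockout without breaking the PAM stack mid-run
  hosts: all
  become: true
  vars:
    number_of_login_try_before_block: 3
    unlock_time: 120
    fail_interval: 60
    faillock_args: >-
      audit deny={{ number_of_login_try_before_block }}
      unlock_time={{ unlock_time }} fail_interval={{ fail_interval }}
  tasks:
    # Safe to add on its own: preauth only consults the tally, and nothing
    # records failures until the authfail line exists.
    - name: common-auth - preauth check before the password module
      ansible.builtin.lineinfile:
        path: /etc/pam.d/common-auth
        regexp: '^auth\s+required\s+pam_faillock\.so\s+preauth'
        line: "auth required pam_faillock.so preauth {{ faillock_args }}"
        insertbefore: '^auth\s+\[success=1 default=ignore\]\s+pam_unix\.so'
        firstmatch: true

    # authfail and authsucc MUST be written in one edit. pam_unix.so is
    # "[success=1 default=ignore]": on success it skips exactly one module
    # (comment and marker lines do not count). With only authfail present,
    # that skip lands on pam_deny.so and every correct password is rejected,
    # which is the "Incorrect sudo password" failure from the question.
    - name: common-auth - record failures and reset on success, atomically
      ansible.builtin.blockinfile:
        path: /etc/pam.d/common-auth
        marker: "# {mark} ANSIBLE MANAGED BLOCK pam_faillock"
        insertbefore: '^auth\s+requisite\s+pam_deny\.so'
        block: |
          auth [default=die] pam_faillock.so authfail {{ faillock_args }}
          auth sufficient pam_faillock.so authsucc {{ faillock_args }}

    # Appended at EOF on purpose: common-account has the same
    # "[success=1 ...] pam_unix.so" followed by pam_deny.so, so inserting
    # between them would break the skip in the same way.
    - name: common-account - apply the lock check to every account
      ansible.builtin.lineinfile:
        path: /etc/pam.d/common-account
        regexp: '^account\s+required\s+pam_faillock\.so'
        line: "account required pam_faillock.so"
```

Keep a second privileged session open while the play runs, and note that pam-auth-update regenerates the common-* files, so a profile under /usr/share/pam-configs is the durable way to keep these lines.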
