Describe the bug
The parameter os_auth_pw_remember has no effect on Ubuntu/Debian as far as I can tell, but this is not documented anywhere.
Expected behavior
os_auth_pw_remember should control how many old passwords are recorded and should prevent re-use of these passwords on all supported operating systems. This setting is required for compliance with various standards.
Actual behavior
Nothing happens.
Example Playbook
- hosts: all
  collections:
    - devsec.hardening
  roles:
    - devsec.hardening.os_hardening
    - devsec.hardening.ssh_hardening
  vars:
    os_auth_pw_max_age: 90
    os_auth_pw_min_age: 7
    os_auth_pw_warn_age: 28 # This is a parameter I added to my fork
    os_auth_retries: 5
    os_auth_lockout_time: 1800
    os_auth_pw_remember: 10
    os_auth_pam_sssd_enable: false
    os_auth_pam_passwdqc_enable: true
    os_auth_pam_passwdqc_options: 'min=disabled,disabled,disabled,16,15 max=255' # Ubuntu
    os_auth_pam_pwquality_options: 'min=disabled,disabled,disabled,16,15 max=255' # RHEL
    os_auth_timeout: 60
    sftp_enabled: true
    ssh_permit_tunnel: true
    ssh_allow_tcp_forwarding: 'yes'
    ssh_allow_agent_forwarding: true
    ssh_client_alive_interval: 300
    ssh_print_debian_banner: false
    ssh_print_motd: false
    ssh_print_pam_motd: true
    ssh_print_last_log: true
OS / Environment
Ubuntu 20.04.4 LTS
Ansible Version
Role Version
Additional context
Preventing password re-use is required for compliance with various standards, e.g. PCI DSS v3.2.1.
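
A way to check the reported behaviour on a host, added here as an example and not part of the original issue or of the devsec.hardening collection: it parses PAM password-stack text and reports how many old passwords are blocked from re-use. The function names and the sample stacks are constructed for illustration, and it assumes history is enforced through `remember=` on pam_pwhistory.so or pam_unix.so.

```python
import re

# Modules that can keep a password history (assumption of this example).
HISTORY_MODULES = {"pam_pwhistory.so", "pam_unix.so"}
PWHISTORY_DEFAULT = 10  # pam_pwhistory remembers 10 passwords when remember= is absent

# type, control (plain word or [bracketed] form), module, remaining arguments
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: a password stack with quality checks but no history.
NO_HISTORY = """\
password requisite pam_passwdqc.so min=disabled,disabled,disabled,16,15 max=255
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
# password required pam_pwhistory.so remember=10
password requisite pam_deny.so
"""

# Constructed sample: the same stack with history enforced.
WITH_HISTORY = NO_HISTORY.replace(
    "# password required pam_pwhistory.so", "password required pam_pwhistory.so")


def remembered_passwords(pam_text):
    """Return the largest password-history depth the stack enforces (0 = none)."""
    depth = 0
    for raw in pam_text.splitlines():
        match = RULE.match(raw.split("#", 1)[0].strip())
        if not match:
            continue  # blank line, comment, or @include directive
        ptype, _control, module, rest = match.groups()
        module = module.rsplit("/", 1)[-1]  # tolerate absolute module paths
        if ptype != "password" or module not in HISTORY_MODULES:
            continue
        values = [a.split("=", 1)[1] for a in rest.split() if a.startswith("remember=")]
        if values:
            depth = max([depth] + [int(v) for v in values if v.isdigit()])
        elif module == "pam_pwhistory.so":
            depth = max(depth, PWHISTORY_DEFAULT)
    return depth


def meets_policy(pam_text, required):
    """True when at least `required` old passwords are blocked from re-use."""
    return remembered_passwords(pam_text) >= required


if __name__ == "__main__":
    for name, text in (("no history", NO_HISTORY), ("with history", WITH_HISTORY)):
        print(f"{name}: remember={remembered_passwords(text)} ok={meets_policy(text, 10)}")
```

On Debian and Ubuntu the text to pass in is the content of /etc/pam.d/common-password, read after the role has run.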