Change from cracklib to passwdqc

andre-gonzalez · Sep 11, 2024 · fcbe5a7 · fcbe5a7
1 parent 2e4040b
commit fcbe5a7
Showing 1 changed file with 4 additions and 11 deletions.
diff --git a/roles/base/tasks/Security.yml b/roles/base/tasks/Security.yml
@@ -271,31 +271,24 @@
     create: true
   become: true
 
-- name: Security | Install cracklib package to check passwords
+- name: Security | Install libpam-passwdqc package to check passwords
   tags:
     - security
   ansible.builtin.package:
-    name: cracklib-runtime
+    name: libpam-passwdqc
   become: true
   when: ansible_distribution in ["Ubuntu", "Debian"]
 
-- name: Security | Install cracklib package to check passwords
-  tags:
-    - security
-  ansible.builtin.package:
-    name: cracklib
-  become: true
-  when: ansible_distribution == "Archlinux"
-
 - name: Security | Configure password strength testing
   tags:
     - security
   ansible.builtin.lineinfile:
     path: /etc/pam.d/common-password
-    line: password requisite pam_cracklib.so retry=3 minlen=12 difok=3
+    line: password requisite pam_passwdqc.so min=8,7,6,4,4 max=40 passphrase=3 similar=deny
     mode: "0644"
     create: true
   become: true
+  when: ansible_distribution in ["Ubuntu", "Debian"]
 
 - name: Security | Set maximum number of days a password can be used to 180
   tags: