From 512ec039a5b0883f566c4edbd053740ec7dfce2b Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 17 May 2026 15:42:34 +0300 Subject: [PATCH 1/3] use default pwquality_path: /etc/security/pwquality.conf --- product_properties/10-pwquality-conf.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/product_properties/10-pwquality-conf.yml b/product_properties/10-pwquality-conf.yml index 8a991951eb7b..1cda98ab41e9 100644 --- a/product_properties/10-pwquality-conf.yml +++ b/product_properties/10-pwquality-conf.yml @@ -1,7 +1,2 @@ default: pwquality_path: "/etc/security/pwquality.conf" - -overrides: -{{% if product == 'sle16' %}} - pwquality_path: "/usr/lib/security/pwquality.conf" -{{% endif %}} From d52fcc621de518d461d5931ae271a0dbe9eed77a Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 17 May 2026 15:43:01 +0300 Subject: [PATCH 2/3] bash/ansible now copy distro defaults from /usr/lib/security/pwquality.conf to /etc/security/pwquality.conf --- shared/templates/accounts_password/ansible.template | 4 ++++ shared/templates/accounts_password/bash.template | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/shared/templates/accounts_password/ansible.template b/shared/templates/accounts_password/ansible.template index 739665e949c9..40c3df009c01 100644 --- a/shared/templates/accounts_password/ansible.template +++ b/shared/templates/accounts_password/ansible.template 
@@ -43,6 +43,10 @@ {{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', '', '', 'BOF', rule_id=rule_id, rule_title=rule_title) }}} {{% endif %}} +{{% if product == 'sle16' %}} +{{{ ansible_copy_distro_defaults('/usr/lib/security/pwquality.conf', pwquality_path, rule_title=rule_title) }}} +{{% endif %}} + - name: {{{ rule_title }}} - Ensure PAM variable {{{ VARIABLE }}} is set accordingly ansible.builtin.lineinfile: create: yes diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template index 75420036ed1d..4eb0abaaa98e 100644 --- a/shared/templates/accounts_password/bash.template +++ b/shared/templates/accounts_password/bash.template @@ -35,4 +35,8 @@ fi {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', '', '', 'BOF') }}} {{% endif %}} +{{% if product == 'sle16' %}} +{{{ bash_copy_distro_defaults('/usr/lib/security/pwquality.conf', pwquality_path) }}} +{{% endif %}} + {{{ bash_replace_or_append(pwquality_path, '^' ~ VARIABLE , '$var_password_pam_' ~ VARIABLE , '%s = %s', cce_identifiers=cce_identifiers) }}} From 0a01e3de6c79349955b91aec5db75e1e6cb4c262 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 17 May 2026 15:43:51 +0300 Subject: [PATCH 3/3] Implement same behaviour as in accounts_password template --- .../accounts_password_pam_retry/ansible/shared.yml | 4 ++++ .../accounts_password_pam_retry/bash/shared.sh | 4 ++++ .../tests/pwquality_conf_correct.pass.sh | 11 ++++++++--- 3 files changed, 16 insertions(+), 3 deletions(-) 
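Review bot: Nothing visible in this hunk makes the `ansible_copy_distro_defaults('/usr/lib/security/pwquality.conf', pwquality_path, ...)` step safe to repeat, and this template is rendered once per `VARIABLE`, so on sle16 the copy runs for every accounts_password rule. The macro body is not part of the patch; if it copies unconditionally, each remediation would reset `pwquality_path` to the vendor file and discard values already written by earlier rules or by the administrator. Confirm that the macro seeds the destination only when it is absent and leaves it root-owned and not writable by others, and record that above the guard, e.g. `# seed /etc copy from vendor defaults only when it does not exist yet`. The same question applies to the `bash_copy_distro_defaults` call in bash.template and to both accounts_password_pam_retry hunks in PATCH 3/3.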
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml index e95e96d9e49f..0ec1a6db3f67 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml @@ -13,6 +13,10 @@ {{{ ansible_instantiate_variables("var_password_pam_retry") }}} +{{% if product == 'sle16' %}} +{{{ ansible_copy_distro_defaults('/usr/lib/security/pwquality.conf', pwquality_path, rule_title=rule_title) }}} +{{% endif %}} + {{% if product in ['rhel8', 'rhel9', 'almalinux', 'sle15', 'sle16'] -%}} - name: Ensure PAM variable retry is set accordingly ansible.builtin.lineinfile: diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh index 038b92cbe0d9..246a0a1a4ef9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh @@ -11,6 +11,10 @@ {{{ bash_instantiate_variables("var_password_pam_retry") }}} +{{% if product == 'sle16' %}} +{{{ bash_copy_distro_defaults('/usr/lib/security/pwquality.conf', pwquality_path) }}} +{{% endif %}} + {{% if 'rhel' in product or product in ['sle15', 'sle16'] -%}} {{{ bash_replace_or_append(pwquality_path, '^retry', 
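Review bot: The literal '/usr/lib/security/pwquality.conf' and the `product == 'sle16'` guard now appear four times: in this rule's Ansible and Bash remediations and in both accounts_password templates. PATCH 1/3 removed the only product-property entry that carried this path, so a later product with vendor defaults under /usr/lib would need every copy edited by hand. Consider keeping the vendor location as a product property next to `pwquality_path` and guarding on that property being set. Failing that, add a one-line comment above each guard explaining why the file is seeded before `retry` is written; presumably an /etc file would otherwise take the place of the vendor defaults, but the patch does not say so.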
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh index dba54f3dc80a..5b8cf70934ff 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh @@ -1,7 +1,11 @@ #!/bin/bash -# packages = authselect -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_sle # variables = var_password_pam_retry=3 +{{% if product in ['sle15', 'sle16'] %}} +# packages = libpwquality1 +{{% else %}} +# packages = authselect +{{% endif %}} source common.sh @@ -13,10 +17,11 @@ if grep -q "^.*retry\s*=" "$CONF_FILE"; then else echo "retry = $retry_cnt" >> "$CONF_FILE" fi - +{{% if product not in ['sle15', 'sle16'] %}} for file in ${configuration_files[@]}; do echo "password required pam_pwquality.so" >> \ "/etc/authselect/custom/testingProfile/$file" done authselect apply-changes +{{% endif %}}
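Review bot: On sle16 this pass scenario may start without the file it edits, because PATCH 1/3 points `pwquality_path` at /etc/security/pwquality.conf while PATCH 2/3 treats /usr/lib/security/pwquality.conf as the shipped defaults. `CONF_FILE` is assigned outside the hunk, so this is an inference. If it resolves to the /etc path, the `grep -q "^.*retry\s*=" "$CONF_FILE"` test fails on a missing file and the `else` branch creates a file holding only the `retry` line, which is not the state the remediation produces. Seeding the file first would keep the scenario realistic, e.g. `[ -f "$CONF_FILE" ] || cp /usr/lib/security/pwquality.conf "$CONF_FILE"`, wrapped in `{{% if product == 'sle16' %}}` since the platform line now also admits sle15.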