rbrightling.shadow_utils
Shadow Utils
============
This role manages the configuration of the shadow utilities package, which handles user and group accounts on a system.
The default settings follow security best practices, but that alone does not guarantee security, so always double-check them.

Requirements
------------

- Ansible 2.8 or higher

Supported Operating Systems
---------------------------

- Debian 10
- CentOS 8

Role Variables
--------------

Here are some configuration options available in YAML format:

```yaml
# User creation settings
shadow_utils_shell: "{{ shadow_utils__shell }}"  # default shell for new users
shadow_utils_group: 100                # default group ID for users
shadow_utils_inactive: 60              # days after password expiry until account is disabled
shadow_utils_expire: null              # default expiration date for accounts
shadow_utils_home: "/home"             # default home directory
shadow_utils_skel: "/etc/skel"         # template for new user home directories
shadow_utils_create_mail_spool: false  # create mail spool for new users by default

# Login settings
shadow_utils_mail_dir: "{{ shadow_utils__mail_dir }}"  # directory for user mail records
shadow_utils_mail_file: null                # file location for user mail files
shadow_utils_faillog_enab: true             # enable logging of failed login attempts
shadow_utils_log_unkfail_enab: true         # log unknown usernames on failed logins
shadow_utils_log_ok_logins: false           # log successful logins
shadow_utils_syslog_su_enab: true           # enable syslog for su activity
shadow_utils_syslog_sg_enab: true           # enable syslog for sg activity
shadow_utils_sulog_file: '/var/log/su.log'  # file for logging su activity
shadow_utils_ftmp_file: '/var/log/btmp'     # file for tracking bad login attempts

# User environment settings
shadow_utils_ttytype_file: null             # file for terminal type mapping
shadow_utils_su_name: 'su'                  # name displayed for the su command
shadow_utils_hushlogin_file: '.hushlogin'   # file to suppress login messages
shadow_utils_env_supath:                    # PATH for superusers
  - '/usr/local/sbin'
  - '/usr/local/bin'
  - '/usr/sbin'
  - '/usr/bin'
  - '/sbin'
  - '/bin'
shadow_utils_env_path:                      # PATH for regular users
  - '/usr/local/bin'
  - '/usr/bin'
  - '/bin'
  - '/usr/local/games'
  - '/usr/games'
shadow_utils_ttygroup: 'tty'                # group for terminal permissions
shadow_utils_ttyperm: '0600'                # terminal permissions settings
shadow_utils_erasechar: '0177'              # backspace character setting
shadow_utils_killchar: '025'                # kill character setting
shadow_utils_umask: '077'                   # default file creation permissions
shadow_utils_pass_max_days: 366             # maximum days for password usage
shadow_utils_pass_min_days: 1               # minimum days between password changes
shadow_utils_pass_warn_age: 31              # days before password expiry to warn user

# User and group ID ranges
shadow_utils_uid_min: 1000      # minimum user ID for regular users
shadow_utils_uid_max: 60000     # maximum user ID for regular users
shadow_utils_sys_uid_min: 201   # minimum user ID for system users
shadow_utils_sys_uid_max: 999   # maximum user ID for system users
shadow_utils_gid_min: 1000      # minimum group ID for regular groups
shadow_utils_gid_max: 60000     # maximum group ID for regular groups
shadow_utils_sys_gid_min: 201   # minimum group ID for system groups
shadow_utils_sys_gid_max: 999   # maximum group ID for system groups

# Login limits
shadow_utils_login_retries: 5   # maximum login attempts before lockout
shadow_utils_login_timeout: 60  # maximum time in seconds for login

# User settings
shadow_utils_chfn_restrict: 'rwh'        # fields users can change with chfn
shadow_utils_default_home: false         # allow login if home directory cannot be accessed
shadow_utils_create_home: true           # create home directory by default
shadow_utils_userdel_cmd: null           # command to run when deleting a user
shadow_utils_usergroups_enab: true       # create group for new users, remove if empty
shadow_utils_encrypt_method: 'SHA512'    # default password encryption method
```

Dependencies
------------

None

Example Playbook
----------------

Here's a simple example for using this tool:

```yaml
- hosts: servers
  tasks:
    - name: "Include shadow_utils"
      include_role:
        name: "shadow_utils"
```

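
Since the defaults are not a guarantee, the resulting `login.defs` is worth checking after the role has run. The Python below is an added example, not part of this role: it audits `login.defs`-style text against the default values listed under Role Variables. The mapping from role variables to `login.defs` keys, the `yes`/`no` rendering of booleans, and the names `BASELINE`, `parse_login_defs`, `meets` and `audit` are assumptions; the sample input is constructed.

```python
# Added example: audit login.defs text against this README's default values.
# Assumption: each role variable maps to the upper-cased login.defs key
# (shadow_utils_pass_max_days -> PASS_MAX_DAYS) and booleans render as yes/no.
BASELINE = {
    "PASS_MAX_DAYS": ("max", 366),
    "PASS_MIN_DAYS": ("min", 1),
    "LOGIN_RETRIES": ("max", 5),
    "LOGIN_TIMEOUT": ("max", 60),
    "UMASK": ("umask", 0o077),
    "ENCRYPT_METHOD": ("eq", "SHA512"),
    "FAILLOG_ENAB": ("eq", "yes"),
    "SYSLOG_SU_ENAB": ("eq", "yes"),
}
# Constructed sample input, not output of the role.
SAMPLE = "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS 0\n# UMASK 077\nUMASK\t022\n" \
         "ENCRYPT_METHOD SHA512\nLOGIN_RETRIES 5\nLOGIN_TIMEOUT 60\nFAILLOG_ENAB yes\n"

def parse_login_defs(text):
    """Return {KEY: value}; blank and '#' lines are skipped, last occurrence kept."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings[parts[0]] = parts[1].strip()
    return settings

def meets(rule, wanted, value):
    """True when value is at least as strict as the baseline entry."""
    try:
        if rule == "max":    # a negative PASS_MAX_DAYS disables expiry, so negatives fail
            return 0 <= int(value) <= wanted
        if rule == "min":
            return int(value) >= wanted
        if rule == "umask":  # every bit masked by the baseline must be masked
            return (int(value, 8) & wanted) == wanted
    except ValueError:
        return False
    return value.lower() == wanted.lower()

def audit(text):
    """Return one finding per baseline key that is missing or weaker."""
    found = parse_login_defs(text)
    findings = []
    for key, (rule, wanted) in BASELINE.items():
        if key not in found:
            findings.append(f"{key}: not set")
        elif not meets(rule, wanted, found[key]):
            findings.append(f"{key}: {found[key]} is weaker than the baseline")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a real host, pass the contents of its `login.defs` to `audit()` instead of `SAMPLE`.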
License
-------

LGPLv3

Author Information
------------------

About the project
Manage the shadow utils configuration on a system.
Install
ansible-galaxy install rbrightling.shadow_utils
Owner
DevOps and general computer tinkerer.