6e761efc9c
Several tasks in the auth.yml file were actually more closely related to accounts rather than authentication. This patch moves tasks from the auth.yml into accounts.yml and adjusts the docs to match. This should alleviate confusion and allow deployers to fine-tune their Ansible playbook runs. Change-Id: I962014ba9022dd256dc04da6b4ac0860797fbc24
30 lines
962 B
ReStructuredText
30 lines
962 B
ReStructuredText
---
|
|
id: V-71913
|
|
status: opt-in
|
|
tag: accounts
|
|
---
|
|
|
|
The password quality requirements from the STIG are examples of good security
|
|
practice, but deployers are strongly encouraged to use centralized
|
|
authentication for administrative server access whenever possible.
|
|
|
|
Password quality requirements are controlled by two Ansible variables: one for
|
|
each individual password requirement and one "master switch" variable. The
|
|
master switch variable controls all password requirements and it is **disabled
|
|
by default**.
|
|
|
|
Deployers can enable all password quality requirements by setting the master
|
|
switch variable to ``yes``:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_pwquality_apply_rules: yes
|
|
|
|
When the master switch variable is enabled, each individual password quality
|
|
requirement can be disabled by a variable. To disable the fix for this STIG
|
|
control, set the following Ansible variable:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_pwquality_require_character_classes_changed: no
|