with_nested failing, not sure why

This task:

- name: Lock accounts after 3 unsuccessful logon attempts
  lineinfile: dest=/etc/pam.d/{{ item[0] }}-auth-ac
              regexp='^auth.pam_faillock\.so\ auth.\ deny=3\ unlock_time=604800\ fail_interval=900'
              insertafter='^auth.pam_unix\.so.'
              line={{ item[1] }}
  with_nested:
    - [ 'system', 'password' ]
    - [ 'auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900', 'auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900' ]

gives me:

TASK: [Lock accounts after 3 unsuccessful logon attempts] *********************
failed: [jedisbuild] => (item=['system', 'auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true, "item": ["system", "auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments (['dest=/etc/pam.d/system-auth-ac', 'regexp=^auth.pam_faillock\.so\ auth.\ deny=3\ unlock_time=604800\ fail_interval=900', 'insertafter=^auth.pam_unix\.so.', 'line=auth', '[default=die]', 'pam_faillock.so', 'authfail', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])
failed: [jedisbuild] => (item=['system', 'auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true, "item": ["system", "auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments (['dest=/etc/pam.d/system-auth-ac', 'regexp=^auth.pam_faillock\.so\ auth.\ deny=3\ unlock_time=604800\ fail_interval=900', 'insertafter=^auth.pam_unix\.so.', 'line=auth', 'required', 'pam_faillock.so', 'authsucc', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])
failed: [jedisbuild] => (item=['password', 'auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true, "item": ["password", "auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments (['dest=/etc/pam.d/password-auth-ac', 'regexp=^auth.pam_faillock\.so\ auth.\ deny=3\ unlock_time=604800\ fail_interval=900', 'insertafter=^auth.pam_unix\.so.', 'line=auth', '[default=die]', 'pam_faillock.so', 'authfail', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])
failed: [jedisbuild] => (item=['password', 'auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true, "item": ["password", "auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments (['dest=/etc/pam.d/password-auth-ac', 'regexp=^auth.pam_faillock\.so\ auth.\ deny=3\ unlock_time=604800\ fail_interval=900', 'insertafter=^auth.pam_unix\.so.', 'line=auth', 'required', 'pam_faillock.so', 'authsucc', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])

Target files:

[joliver@build ~]$ sudo cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

[joliver@build ~]$ sudo cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

I can’t say as I’m familiar with the nested construction, but at least part of the problem is given to you:

msg: this module requires key=value arguments (['dest=/etc/pam.d/system-auth-ac', 'regexp=^auth.pam_faillock\.so\ auth.\ deny=3\ unlock_time=604800\ fail_interval=900', 'insertafter=^auth.pam_unix\.so.', 'line=auth', '[default=die]', 'pam_faillock.so', 'authfail', 'deny=3', 'unlock_time=604800', 'fail_interval=900'])

The module is splitting your input on the spaces, which is what the information in the parentheses states. So you end up with 'dest=/etc/pam.d/system-auth-ac' and then a whole bunch of other junk.

I can’t recall for sure, but using double-quotes may resolve this (e.g. “this is your input now”).
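As an added illustration (not code from this thread), the same task written with the module's arguments as a YAML mapping instead of a single key=value string. In that form each argument is its own quoted scalar, so the spaces in the rendered pam_faillock line are never split. The items are restructured into control/action pairs (an assumption of this example) so that the regexp can match each managed line individually; a regexp that matches neither line, like the one in the original task, would make lineinfile insert both lines again on every run.

```yaml
- name: Lock accounts after 3 unsuccessful logon attempts
  lineinfile:
    dest: "/etc/pam.d/{{ item[0] }}-auth-ac"
    # Match only the line for this action (authfail or authsucc), so
    # re-running the play updates that line instead of inserting a duplicate.
    regexp: '^auth\s+.*pam_faillock\.so\s+{{ item[1].action }}\b'
    # Same insertion point as the original task: after the pam_unix.so auth line.
    insertafter: '^auth\s+\S+\s+pam_unix\.so'
    # The full line lives in one quoted scalar; whitespace is no longer an argument separator.
    line: "auth {{ item[1].control }} pam_faillock.so {{ item[1].action }} deny=3 unlock_time=604800 fail_interval=900"
  with_nested:
    - [ 'system', 'password' ]
    - [ { control: '[default=die]', action: 'authfail' },
        { control: 'required',      action: 'authsucc' } ]
```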

For starters,

ansible --version ?

1.6.6

Ok, so the various security fixes in the 1.6.X series were largely patched out by 1.6.10, and are even better on the development branch, where we are finishing up some minor things getting ready for a release.

Please check and see if this is an issue in 1.6.10, and my expectation is there’s a good chance you’ll be good to go :slight_smile:

Thanks. I’ve asked the maintainer of that port at MacPorts to update, or if I can help maintain it.

Great, thanks!