@arizvisa
Last active March 3, 2023 02:20
remove all stupid authentication-related policies from vcenter
--- /dev/null 2023-02-27 00:26:22.135999836 +0000
+++ /etc/pam.d/system-account- 2022-11-08 08:17:09.000000000 +0000
@@ -0,0 +1,7 @@
+# Begin /etc/pam.d/system-account
+# Updated by Ansible - 2022-11-08T08:17:09.196506
+
+account required pam_unix.so
+account required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
+
+# End /etc/pam.d/system-account
--- /etc/pam.d/system-account- 2022-11-08 08:17:09.000000000 +0000
+++ /etc/pam.d/system-account 2023-02-27 00:35:42.007980067 +0000
@@ -2,6 +2,7 @@
# Updated by Ansible - 2022-11-08T08:17:09.196506
account required pam_unix.so
-account required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
+#account required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
+account required pam_tally2.so deny=64 onerr=fail audit unlock_time=60 root_unlock_time=60
# End /etc/pam.d/system-account
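Review bot: The new pam_tally2 line locks an account only after 64 failures and releases it after 60 seconds, and with `even_deny_root` dropped root is never locked, so failed-login throttling for local accounts now rests almost entirely on the 4-second pam_faildelay in the system-auth stack; the identical relaxation is made in the system-auth hunk below. Keeping the original line commented out makes the revert easy, but nothing records why the values were relaxed or when they should go back; a one-line comment above the new entry, e.g. `# relaxed lockout for <REASON>; restore the commented line above before <WHEN>`, would capture that. Note also that pam_tally2 was removed from newer Linux-PAM releases in favour of pam_faillock, so if this appliance's PAM is ever updated the line may stop loading — worth checking rather than assuming.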
--- /dev/null 2023-02-27 00:26:22.135999836 +0000
+++ /etc/pam.d/system-password- 2023-02-26 22:16:52.908079276 +0000
@@ -0,0 +1,8 @@
+# Begin /etc/pam.d/system-password
+
+# use sha512 hash for encryption, use shadow, and try to use any previously
+# defined authentication token (chosen password) set by any prior module
+password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
+password required pam_pwhistory.so debug use_authtok enforce_for_root remember=5
+password required pam_unix.so sha512 use_authtok shadow try_first_pass
+# End /etc/pam.d/system-password
--- /etc/pam.d/system-password- 2023-02-26 22:16:52.908079276 +0000
+++ /etc/pam.d/system-password 2023-02-27 00:35:42.007980067 +0000
@@ -2,7 +2,9 @@
# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
-password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
-password required pam_pwhistory.so debug use_authtok enforce_for_root remember=5
+#password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
+password requisite pam_cracklib.so dcredit=0 ucredit=0 lcredit=0 ocredit=0 minlen=4 difok=1 enforce_for_root
+#password required pam_pwhistory.so debug use_authtok enforce_for_root remember=5
+password required pam_pwhistory.so debug use_authtok enforce_for_root remember=1
password required pam_unix.so sha512 use_authtok shadow try_first_pass
# End /etc/pam.d/system-password
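Review bot: `minlen=4` on the new pam_cracklib line probably does not lower the floor it appears to: the pam_cracklib man page notes that cracklib applies its own built-in minimum length (6) independently of `minlen`, so the effective minimum likely stays at 6 and the value is misleading as written — confirm on this build. `difok=1` accepts a new password that differs from the old one by a single character, and `remember=1` on pam_pwhistory rejects only the immediately preceding password, so alternating between two passwords satisfies both checks. The `debug` flag on pam_pwhistory is carried over from the original and keeps writing diagnostic detail to syslog; drop it unless it is still wanted. As in the system-account hunk, a short comment recording why each original line (left commented out above its replacement) was relaxed would help whoever has to restore it.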
--- /dev/null 2023-02-27 00:26:22.135999836 +0000
+++ /etc/pam.d/system-auth- 2022-11-08 08:17:34.000000000 +0000
@@ -0,0 +1,8 @@
+# Begin /etc/pam.d/system-auth
+# Updated by Ansible - 2022-11-08T08:17:34.028917
+
+auth required pam_unix.so
+auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
+auth optional pam_faildelay.so delay=4000000
+
+# End /etc/pam.d/system-auth
--- /etc/pam.d/system-auth- 2022-11-08 08:17:34.000000000 +0000
+++ /etc/pam.d/system-auth 2023-02-27 00:35:42.007980067 +0000
@@ -2,7 +2,8 @@
# Updated by Ansible - 2022-11-08T08:17:34.028917
auth required pam_unix.so
-auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
+#auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
+auth required pam_tally2.so deny=64 onerr=fail audit unlock_time=60 root_unlock_time=60
auth optional pam_faildelay.so delay=4000000
# End /etc/pam.d/system-auth
--- /dev/null 2023-02-27 00:26:22.135999836 +0000
+++ /etc/ssh/sshd_config- 2023-02-26 22:08:27.847933744 +0000
@@ -0,0 +1,141 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+MaxAuthTries 2
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+TCPKeepAlive no
+#PermitUserEnvironment no
+Compression no
+#ClientAliveInterval 0
+ClientAliveCountMax 0
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+FipsMode yes
+
+# no default banner path
+Banner /etc/issue
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+SyslogFacility AUTHPRIV
+LogLevel INFO
+FipsMode yes
+GSSAPIAuthentication no
+PermitUserEnvironment no
+X11Forwarding no
+StrictModes yes
+KerberosAuthentication no
+PermitEmptyPasswords no
+PrintLastLog yes
+IgnoreRhosts yes
+IgnoreUserKnownHosts yes
+HostbasedAuthentication no
+LoginGraceTime 30
+
+KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+
+HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
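Review bot: Several directives in this sshd_config appear twice — `SyslogFacility AUTHPRIV` (first in the Logging section, again in the trailing block) and `FipsMode yes` (before the Banner line and again in the trailing block) — and sshd honours the first occurrence of a directive, so the trailing block of explicit settings is partly redundant and partly the only effective copy (`LogLevel INFO` there is live because the earlier one is commented). Consolidating each directive into a single uncommented line, or a comment such as `# Effective hardening settings; keep each directive in exactly one place` above the trailing block, would make the effective policy readable at a glance. This hunk only captures the pre-change file as a backup, so the observation is about the baseline rather than the commit's edit.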
--- /etc/ssh/sshd_config- 2023-02-26 22:08:27.847933744 +0000
+++ /etc/ssh/sshd_config 2023-02-27 00:35:42.007980067 +0000
@@ -32,7 +32,7 @@
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
-MaxAuthTries 2
+#MaxAuthTries 2
#MaxSessions 10
#PubkeyAuthentication yes
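Review bot: Commenting out `MaxAuthTries 2` returns sshd to its default of 6 authentication attempts per connection, and with `PermitRootLogin yes` two lines above and — going by the backup of the full file in the previous hunk — `PasswordAuthentication` left at its default, password guessing against root over SSH is now bounded only by that per-connection count and the relaxed pam_tally2 thresholds in the PAM hunks. If 2 was too tight for clients that offer several agent keys (each rejected key counts as an attempt), an explicit `MaxAuthTries 6` — or a tighter value such as `MaxAuthTries 4` — states the intent, whereas inheriting the default leaves the next reader guessing whether the loosening was deliberate.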
--- /dev/null 2023-02-27 00:26:22.135999836 +0000
+++ /etc/profile.d/tmout.sh- 2022-11-08 08:17:09.000000000 +0000
@@ -0,0 +1,4 @@
+TMOUT=900
+readonly TMOUT
+export TMOUT
+mesg n 2>/dev/null
\ No newline at end of file
--- /etc/profile.d/tmout.sh- 2022-11-08 08:17:09.000000000 +0000
+++ /etc/profile.d/tmout.sh 2023-02-27 00:35:42.007980067 +0000
@@ -1,4 +0,0 @@
-TMOUT=900
-readonly TMOUT
-export TMOUT
-mesg n 2>/dev/null
\ No newline at end of file
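#!/usr/bin/env bash
# Deploy a vCenter Server Appliance with the CLI installer shipped inside the
# extracted/mounted VCSA ISO directory, passing it every *.json deployment
# template found in the current directory.
#
# Usage: run from the directory that contains both the VMware-VCSA-all-*.iso
#        directory and the deployment *.json template(s).
set -euo pipefail
shopt -s nullglob

# Resolve the installer binary; exactly one VCSA ISO directory is expected,
# so a missing or ambiguous glob is reported instead of being passed through.
installers=(VMware-VCSA-all-*.iso/vcsa-cli-installer/lin64/vcsa-deploy)
if (( ${#installers[@]} != 1 )); then
  printf 'expected exactly one VMware-VCSA-all-*.iso/vcsa-cli-installer/lin64/vcsa-deploy, found %d\n' \
    "${#installers[@]}" >&2
  exit 1
fi

# The original used `~0/*.json`: bash expands `~0` to the top of the directory
# stack (the current directory), a form /bin/sh does not expand — which is why
# this script declares bash explicitly and spells the path out via $PWD.
templates=("$PWD"/*.json)
if (( ${#templates[@]} == 0 )); then
  printf 'no deployment *.json templates found in %s\n' "$PWD" >&2
  exit 1
fi

# --no-esx-ssl-verify / --no-ssl-certificate-verification, as their names say,
# skip TLS certificate verification, so the deployment trusts whichever host
# answers; keep this to an isolated network and do not copy it to production.
# --accept-eula was given twice in the original; once is sufficient.
"${installers[0]}" install \
  --no-esx-ssl-verify \
  --no-ssl-certificate-verification \
  --accept-eula \
  "${templates[@]}"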