arizvisa · March 3, 2023 02:20
diff --git a/vcenter-authentication-policies.patch b/vcenter-authentication-policies.patch
 --- /dev/null	2023-02-27 00:26:22.135999836 +0000
 +++ /etc/pam.d/system-account-	2022-11-08 08:17:09.000000000 +0000
 @@ -0,0 +1,7 @@
 +# Begin /etc/pam.d/system-account
 +# Updated by Ansible - 2022-11-08T08:17:09.196506
 +
 +account    required pam_unix.so
 +account    required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
 +
 +# End /etc/pam.d/system-account
 --- /etc/pam.d/system-account-	2022-11-08 08:17:09.000000000 +0000
 +++ /etc/pam.d/system-account	2023-02-27 00:35:42.007980067 +0000
 @@ -2,6 +2,7 @@
 # Updated by Ansible - 2022-11-08T08:17:09.196506
 
 account    required pam_unix.so
 -account    required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
 +#account    required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
 +account    required pam_tally2.so deny=64 onerr=fail audit unlock_time=60 root_unlock_time=60
 
 # End /etc/pam.d/system-account
 --- /dev/null	2023-02-27 00:26:22.135999836 +0000
 +++ /etc/pam.d/system-password-	2023-02-26 22:16:52.908079276 +0000
 @@ -0,0 +1,8 @@
 +# Begin /etc/pam.d/system-password
 +
 +# use sha512 hash for encryption, use shadow, and try to use any previously
 +# defined authentication token (chosen password) set by any prior module
 +password  requisite   pam_cracklib.so   dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
 +password  required    pam_pwhistory.so  debug use_authtok enforce_for_root remember=5
 +password  required    pam_unix.so       sha512 use_authtok shadow try_first_pass
 +# End /etc/pam.d/system-password
 --- /etc/pam.d/system-password-	2023-02-26 22:16:52.908079276 +0000
 +++ /etc/pam.d/system-password	2023-02-27 00:35:42.007980067 +0000
 @@ -2,7 +2,9 @@
 
 # use sha512 hash for encryption, use shadow, and try to use any previously
 # defined authentication token (chosen password) set by any prior module
 -password  requisite   pam_cracklib.so   dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
 -password  required    pam_pwhistory.so  debug use_authtok enforce_for_root remember=5
 +#password  requisite   pam_cracklib.so   dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
 +password  requisite   pam_cracklib.so   dcredit=0 ucredit=0 lcredit=0 ocredit=0 minlen=4 difok=1 enforce_for_root
 +#password  required    pam_pwhistory.so  debug use_authtok enforce_for_root remember=5
 +password  required    pam_pwhistory.so  debug use_authtok enforce_for_root remember=1
 password  required    pam_unix.so       sha512 use_authtok shadow try_first_pass
 # End /etc/pam.d/system-password
 --- /dev/null	2023-02-27 00:26:22.135999836 +0000
 +++ /etc/pam.d/system-auth-	2022-11-08 08:17:34.000000000 +0000
 @@ -0,0 +1,8 @@
 +# Begin /etc/pam.d/system-auth
 +# Updated by Ansible - 2022-11-08T08:17:34.028917
 +
 +auth       required pam_unix.so
 +auth       required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
 +auth       optional pam_faildelay.so delay=4000000
 +
 +# End /etc/pam.d/system-auth
 --- /etc/pam.d/system-auth-	2022-11-08 08:17:34.000000000 +0000
 +++ /etc/pam.d/system-auth	2023-02-27 00:35:42.007980067 +0000
 @@ -2,7 +2,8 @@
 # Updated by Ansible - 2022-11-08T08:17:34.028917
 
 auth       required pam_unix.so
 -auth       required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
 +#auth       required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
 +auth       required pam_tally2.so deny=64 onerr=fail audit unlock_time=60 root_unlock_time=60
 auth       optional pam_faildelay.so delay=4000000
 
 # End /etc/pam.d/system-auth
 --- /dev/null	2023-02-27 00:26:22.135999836 +0000
 +++ /etc/ssh/sshd_config-	2023-02-26 22:08:27.847933744 +0000
 @@ -0,0 +1,141 @@
 +#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 +
 +# This is the sshd server system-wide configuration file.  See
 +# sshd_config(5) for more information.
 +
 +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
 +
 +# The strategy used for options in the default sshd_config shipped with
 +# OpenSSH is to specify options with their default value where
 +# possible, but leave them commented.  Uncommented options override the
 +# default value.
 +
 +#Port 22
 +#AddressFamily any
 +#ListenAddress 0.0.0.0
 +#ListenAddress ::
 +
 +#HostKey /etc/ssh/ssh_host_rsa_key
 +#HostKey /etc/ssh/ssh_host_ecdsa_key
 +#HostKey /etc/ssh/ssh_host_ed25519_key
 +
 +# Ciphers and keying
 +#RekeyLimit default none
 +
 +# Logging
 +#SyslogFacility AUTH
 +SyslogFacility AUTHPRIV
 +#LogLevel INFO
 +
 +# Authentication:
 +
 +#LoginGraceTime 2m
 +PermitRootLogin yes
 +#StrictModes yes
 +MaxAuthTries 2
 +#MaxSessions 10
 +
 +#PubkeyAuthentication yes
 +
 +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 +# but this is overridden so installations will only check .ssh/authorized_keys
 +AuthorizedKeysFile	.ssh/authorized_keys
 +
 +#AuthorizedPrincipalsFile none
 +
 +#AuthorizedKeysCommand none
 +#AuthorizedKeysCommandUser nobody
 +
 +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 +#HostbasedAuthentication no
 +# Change to yes if you don't trust ~/.ssh/known_hosts for
 +# HostbasedAuthentication
 +#IgnoreUserKnownHosts no
 +# Don't read the user's ~/.rhosts and ~/.shosts files
 +#IgnoreRhosts yes
 +
 +# To disable tunneled clear text passwords, change to no here!
 +#PasswordAuthentication yes
 +#PermitEmptyPasswords no
 +
 +# Change to no to disable s/key passwords
 +#ChallengeResponseAuthentication yes
 +
 +# Kerberos options
 +#KerberosAuthentication no
 +#KerberosOrLocalPasswd yes
 +#KerberosTicketCleanup yes
 +#KerberosGetAFSToken no
 +
 +# GSSAPI options
 +#GSSAPIAuthentication no
 +#GSSAPICleanupCredentials yes
 +
 +# Set this to 'yes' to enable PAM authentication, account processing,
 +# and session processing. If this is enabled, PAM authentication will
 +# be allowed through the ChallengeResponseAuthentication and
 +# PasswordAuthentication.  Depending on your PAM configuration,
 +# PAM authentication via ChallengeResponseAuthentication may bypass
 +# the setting of "PermitRootLogin without-password".
 +# If you just want the PAM account and session checks to run without
 +# PAM authentication, then enable this but set PasswordAuthentication
 +# and ChallengeResponseAuthentication to 'no'.
 +UsePAM yes
 +
 +AllowAgentForwarding no
 +AllowTcpForwarding no
 +#GatewayPorts no
 +#X11Forwarding no
 +#X11DisplayOffset 10
 +#X11UseLocalhost yes
 +#PermitTTY yes
 +#PrintMotd yes
 +#PrintLastLog yes
 +TCPKeepAlive no
 +#PermitUserEnvironment no
 +Compression no
 +#ClientAliveInterval 0
 +ClientAliveCountMax 0
 +#UseDNS no
 +#PidFile /var/run/sshd.pid
 +#MaxStartups 10:30:100
 +#PermitTunnel no
 +#ChrootDirectory none
 +#VersionAddendum none
 +
 +FipsMode yes
 +
 +# no default banner path
 +Banner /etc/issue
 +
 +# override default of no subsystems
 +Subsystem	sftp	/usr/libexec/sftp-server
 +
 +# Example of overriding settings on a per-user basis
 +#Match User anoncvs
 +#	X11Forwarding no
 +#	AllowTcpForwarding no
 +#	PermitTTY no
 +#	ForceCommand cvs server
 +SyslogFacility AUTHPRIV
 +LogLevel INFO
 +FipsMode yes
 +GSSAPIAuthentication no
 +PermitUserEnvironment no
 +X11Forwarding no
 +StrictModes yes
 +KerberosAuthentication no
 +PermitEmptyPasswords no
 +PrintLastLog yes
 +IgnoreRhosts yes
 +IgnoreUserKnownHosts yes
 +HostbasedAuthentication no
 +LoginGraceTime 30
 +
 +KexAlgorithms	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 +
 +HostKeyAlgorithms	[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
 +
 +MACs	hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
 +
 +Ciphers	aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
 --- /etc/ssh/sshd_config-	2023-02-26 22:08:27.847933744 +0000
 +++ /etc/ssh/sshd_config	2023-02-27 00:35:42.007980067 +0000
 @@ -32,7 +32,7 @@
 #LoginGraceTime 2m
 PermitRootLogin yes
 #StrictModes yes
 -MaxAuthTries 2
 +#MaxAuthTries 2
 #MaxSessions 10
 
 #PubkeyAuthentication yes
 --- /dev/null	2023-02-27 00:26:22.135999836 +0000
 +++ /etc/profile.d/tmout.sh-	2022-11-08 08:17:09.000000000 +0000
 @@ -0,0 +1,4 @@
 +TMOUT=900
 +readonly TMOUT 
 +export TMOUT
 +mesg n 2>/dev/null
 \ No newline at end of file
 --- /etc/profile.d/tmout.sh-	2022-11-08 08:17:09.000000000 +0000
 +++ /etc/profile.d/tmout.sh	2023-02-27 00:35:42.007980067 +0000
 @@ -1,4 +0,0 @@
 -TMOUT=900
 -readonly TMOUT 
 -export TMOUT
 -mesg n 2>/dev/null
 \ No newline at end of file
diff --git a/vcsa-deploy.sh b/vcsa-deploy.sh
 #!/bin/sh
 VMware-VCSA-all-*.iso/vcsa-cli-installer/lin64/vcsa-deploy install --no-esx-ssl-verify --no-ssl-certificate-verification --accept-eula --accept-eula ~0/*.json
	--- /dev/null 2023-02-27 00:26:22.135999836 +0000
	+++ /etc/pam.d/system-account- 2022-11-08 08:17:09.000000000 +0000
	@@ -0,0 +1,7 @@
	+# Begin /etc/pam.d/system-account
	+# Updated by Ansible - 2022-11-08T08:17:09.196506
	+
	+account required pam_unix.so
	+account required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
	+
	+# End /etc/pam.d/system-account
	--- /etc/pam.d/system-account- 2022-11-08 08:17:09.000000000 +0000
	+++ /etc/pam.d/system-account 2023-02-27 00:35:42.007980067 +0000
	@@ -2,6 +2,7 @@
	# Updated by Ansible - 2022-11-08T08:17:09.196506

	account required pam_unix.so
	-account required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
	+#account required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
	+account required pam_tally2.so deny=64 onerr=fail audit unlock_time=60 root_unlock_time=60

	# End /etc/pam.d/system-account
	--- /dev/null 2023-02-27 00:26:22.135999836 +0000
	+++ /etc/pam.d/system-password- 2023-02-26 22:16:52.908079276 +0000
	@@ -0,0 +1,8 @@
	+# Begin /etc/pam.d/system-password
	+
	+# use sha512 hash for encryption, use shadow, and try to use any previously
	+# defined authentication token (chosen password) set by any prior module
	+password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
	+password required pam_pwhistory.so debug use_authtok enforce_for_root remember=5
	+password required pam_unix.so sha512 use_authtok shadow try_first_pass
	+# End /etc/pam.d/system-password
	--- /etc/pam.d/system-password- 2023-02-26 22:16:52.908079276 +0000
	+++ /etc/pam.d/system-password 2023-02-27 00:35:42.007980067 +0000
	@@ -2,7 +2,9 @@

	# use sha512 hash for encryption, use shadow, and try to use any previously
	# defined authentication token (chosen password) set by any prior module
	-password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
	-password required pam_pwhistory.so debug use_authtok enforce_for_root remember=5
	+#password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
	+password requisite pam_cracklib.so dcredit=0 ucredit=0 lcredit=0 ocredit=0 minlen=4 difok=1 enforce_for_root
	+#password required pam_pwhistory.so debug use_authtok enforce_for_root remember=5
	+password required pam_pwhistory.so debug use_authtok enforce_for_root remember=1
	password required pam_unix.so sha512 use_authtok shadow try_first_pass
	# End /etc/pam.d/system-password
	--- /dev/null 2023-02-27 00:26:22.135999836 +0000
	+++ /etc/pam.d/system-auth- 2022-11-08 08:17:34.000000000 +0000
	@@ -0,0 +1,8 @@
	+# Begin /etc/pam.d/system-auth
	+# Updated by Ansible - 2022-11-08T08:17:34.028917
	+
	+auth required pam_unix.so
	+auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
	+auth optional pam_faildelay.so delay=4000000
	+
	+# End /etc/pam.d/system-auth
	--- /etc/pam.d/system-auth- 2022-11-08 08:17:34.000000000 +0000
	+++ /etc/pam.d/system-auth 2023-02-27 00:35:42.007980067 +0000
	@@ -2,7 +2,8 @@
	# Updated by Ansible - 2022-11-08T08:17:34.028917

	auth required pam_unix.so
	-auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
	+#auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300
	+auth required pam_tally2.so deny=64 onerr=fail audit unlock_time=60 root_unlock_time=60
	auth optional pam_faildelay.so delay=4000000

	# End /etc/pam.d/system-auth
	--- /dev/null 2023-02-27 00:26:22.135999836 +0000
	+++ /etc/ssh/sshd_config- 2023-02-26 22:08:27.847933744 +0000
	@@ -0,0 +1,141 @@
	+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
	+
	+# This is the sshd server system-wide configuration file. See
	+# sshd_config(5) for more information.
	+
	+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
	+
	+# The strategy used for options in the default sshd_config shipped with
	+# OpenSSH is to specify options with their default value where
	+# possible, but leave them commented. Uncommented options override the
	+# default value.
	+
	+#Port 22
	+#AddressFamily any
	+#ListenAddress 0.0.0.0
	+#ListenAddress ::
	+
	+#HostKey /etc/ssh/ssh_host_rsa_key
	+#HostKey /etc/ssh/ssh_host_ecdsa_key
	+#HostKey /etc/ssh/ssh_host_ed25519_key
	+
	+# Ciphers and keying
	+#RekeyLimit default none
	+
	+# Logging
	+#SyslogFacility AUTH
	+SyslogFacility AUTHPRIV
	+#LogLevel INFO
	+
	+# Authentication:
	+
	+#LoginGraceTime 2m
	+PermitRootLogin yes
	+#StrictModes yes
	+MaxAuthTries 2
	+#MaxSessions 10
	+
	+#PubkeyAuthentication yes
	+
	+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
	+# but this is overridden so installations will only check .ssh/authorized_keys
	+AuthorizedKeysFile .ssh/authorized_keys
	+
	+#AuthorizedPrincipalsFile none
	+
	+#AuthorizedKeysCommand none
	+#AuthorizedKeysCommandUser nobody
	+
	+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
	+#HostbasedAuthentication no
	+# Change to yes if you don't trust ~/.ssh/known_hosts for
	+# HostbasedAuthentication
	+#IgnoreUserKnownHosts no
	+# Don't read the user's ~/.rhosts and ~/.shosts files
	+#IgnoreRhosts yes
	+
	+# To disable tunneled clear text passwords, change to no here!
	+#PasswordAuthentication yes
	+#PermitEmptyPasswords no
	+
	+# Change to no to disable s/key passwords
	+#ChallengeResponseAuthentication yes
	+
	+# Kerberos options
	+#KerberosAuthentication no
	+#KerberosOrLocalPasswd yes
	+#KerberosTicketCleanup yes
	+#KerberosGetAFSToken no
	+
	+# GSSAPI options
	+#GSSAPIAuthentication no
	+#GSSAPICleanupCredentials yes
	+
	+# Set this to 'yes' to enable PAM authentication, account processing,
	+# and session processing. If this is enabled, PAM authentication will
	+# be allowed through the ChallengeResponseAuthentication and
	+# PasswordAuthentication. Depending on your PAM configuration,
	+# PAM authentication via ChallengeResponseAuthentication may bypass
	+# the setting of "PermitRootLogin without-password".
	+# If you just want the PAM account and session checks to run without
	+# PAM authentication, then enable this but set PasswordAuthentication
	+# and ChallengeResponseAuthentication to 'no'.
	+UsePAM yes
	+
	+AllowAgentForwarding no
	+AllowTcpForwarding no
	+#GatewayPorts no
	+#X11Forwarding no
	+#X11DisplayOffset 10
	+#X11UseLocalhost yes
	+#PermitTTY yes
	+#PrintMotd yes
	+#PrintLastLog yes
	+TCPKeepAlive no
	+#PermitUserEnvironment no
	+Compression no
	+#ClientAliveInterval 0
	+ClientAliveCountMax 0
	+#UseDNS no
	+#PidFile /var/run/sshd.pid
	+#MaxStartups 10:30:100
	+#PermitTunnel no
	+#ChrootDirectory none
	+#VersionAddendum none
	+
	+FipsMode yes
	+
	+# no default banner path
	+Banner /etc/issue
	+
	+# override default of no subsystems
	+Subsystem sftp /usr/libexec/sftp-server
	+
	+# Example of overriding settings on a per-user basis
	+#Match User anoncvs
	+# X11Forwarding no
	+# AllowTcpForwarding no
	+# PermitTTY no
	+# ForceCommand cvs server
	+SyslogFacility AUTHPRIV
	+LogLevel INFO
	+FipsMode yes
	+GSSAPIAuthentication no
	+PermitUserEnvironment no
	+X11Forwarding no
	+StrictModes yes
	+KerberosAuthentication no
	+PermitEmptyPasswords no
	+PrintLastLog yes
	+IgnoreRhosts yes
	+IgnoreUserKnownHosts yes
	+HostbasedAuthentication no
	+LoginGraceTime 30
	+
	+KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
	+
	+HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
	+
	+MACs hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
	+
	+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
	--- /etc/ssh/sshd_config- 2023-02-26 22:08:27.847933744 +0000
	+++ /etc/ssh/sshd_config 2023-02-27 00:35:42.007980067 +0000
	@@ -32,7 +32,7 @@
	#LoginGraceTime 2m
	PermitRootLogin yes
	#StrictModes yes
	-MaxAuthTries 2
	+#MaxAuthTries 2
	#MaxSessions 10

	#PubkeyAuthentication yes
	--- /dev/null 2023-02-27 00:26:22.135999836 +0000
	+++ /etc/profile.d/tmout.sh- 2022-11-08 08:17:09.000000000 +0000
	@@ -0,0 +1,4 @@
	+TMOUT=900
	+readonly TMOUT
	+export TMOUT
	+mesg n 2>/dev/null
	\ No newline at end of file
	--- /etc/profile.d/tmout.sh- 2022-11-08 08:17:09.000000000 +0000
	+++ /etc/profile.d/tmout.sh 2023-02-27 00:35:42.007980067 +0000
	@@ -1,4 +0,0 @@
	-TMOUT=900
	-readonly TMOUT
	-export TMOUT
	-mesg n 2>/dev/null
	\ No newline at end of file
	#!/bin/sh
	VMware-VCSA-all-.iso/vcsa-cli-installer/lin64/vcsa-deploy install --no-esx-ssl-verify --no-ssl-certificate-verification --accept-eula --accept-eula ~0/.json