Bug 2063379

Summary: [RFE] Support pam_pwhistory in authselect profiles
Product: Red Hat Enterprise Linux 8
Reporter: Sunny Wu <suwu>
Component: authselect
Assignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA
QA Contact: Dan Lavu <dlavu>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.5
CC: aboscatt, dlavu, ipedrosa, joerg.kastning, pbrezina
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: All
OS: All
Whiteboard: sync-to-jira review
Fixed In Version: authselect-1.2.6-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-16 09:10:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2068461, 2126640, 2142804
Bug Blocks:

Description Sunny Wu 2022-03-12 00:23:27 UTC
Description of problem:

Add pam_pwhistory in authselect profiles so that users can enable this module in command line, instead of modifying /etc/pam.d/{password-auth,system-auth} directly.

There are a large number of security guidelines (CIS, STIG, etc.) that require denying users the ability to re-use passwords. The demand to enforce password history is high.

There are support articles for every version of RHEL providing instructions on how to add support for password history (pam_pwhistory). However, this is still a manual process involving either 1. direct editing of files, which is not recommended, or 2. creating custom authselect profiles.

The support article for RHEL8:

   Set Password Policy/Complexity in Red Hat Enterprise Linux 8
   https://access.redhat.com/solutions/5027331

With both methods mentioned above, users may still be confused as to where (which line) the PAM module line should be inserted.

Adding support can enhance usability of our products, minimize users' effort to enable/disable the feature, and reduce error rate.

I propose to add the feature in below default authselect profiles:
- minimal
- nis
- sssd
- winbind

Version-Release number of selected component (if applicable):

# rpm -qa | grep authselect
authselect-compat-1.2.2-2.el8.x86_64
authselect-libs-1.2.2-2.el8.x86_64
authselect-1.2.2-2.el8.x86_64

Reference:

STIG - V-230368
https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2020-11-25/finding/V-230368

Red Hat Enterprise Linux 8 CIS Benchmarks - Limit Password Reuse: password-auth
https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-cis.html#xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth

Comment 2 Sunny Wu 2022-03-14 03:54:33 UTC
The particular line is:

---
Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused).

Insert the following line in the /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files (after the pam_pwquality.so line):

   password    requisite     pam_pwhistory.so remember=5 use_authtok

Comment 3 Pavel Březina 2022-03-21 12:48:00 UTC
Iker, would it be possible to add support for reading arguments from a configuration file instead of the PAM stack to pam_pwhistory?

Comment 4 Iker Pedrosa 2022-03-21 13:04:00 UTC
Yes, I think it would be possible to do that. Is it urgent? Or can we plan it for Q3 (or later)?

Comment 5 Pavel Březina 2022-03-21 13:48:42 UTC
Q3 is fine.

Comment 6 Pavel Březina 2022-09-08 12:18:37 UTC
Iker, what is the status on your side? Should I start working on this ticket?

Comment 7 Iker Pedrosa 2022-09-08 12:35:47 UTC
The RFE for PAM was implemented, included in Fedora (rawhide, 37, 36 and 35), and the automated tests were already developed. Work can be tracked in https://bugzilla.redhat.com/show_bug.cgi?id=2068461

I think everything's ready for you to start working on it, but if you need anything else please ping me.

Comment 8 Pavel Březina 2022-09-08 12:55:57 UTC
Great, so I will push it to Fedora and then we will coordinate RHEL release.

Comment 9 Pavel Březina 2022-09-19 10:14:39 UTC
I wonder if this module should only be executed for local users? It does not make sense to run this for remote users (from LDAP or NIS; the man page says so as well), as remote users have their own password policies?

Comment 10 Pavel Březina 2022-09-20 12:19:09 UTC
Upstream PR:
https://github.com/authselect/authselect/pull/321

Iker, can you please review it?

Comment 11 Sunny Wu 2022-09-23 03:20:53 UTC
I am not exactly sure.

Content of KCS (https://access.redhat.com/solutions/5027331) implies pam_pwhistory could be applied in `sssd` profile.

If pam_pwhistory is enforceable for local users only, then we may enable it only in `minimal`, and leave the rest unchanged.

Comment 12 Pavel Březina 2022-09-23 10:34:43 UTC
It can be in sssd profile as it supports authentication of both local and remote users.

pam_pwhistory should not be used for remote users because:
1) remote users have their own password policies set in LDAP
2) the history is stored locally, so if the user attempts to change the password on a different computer, the history check simply does not work correctly

I added pam_pwhistory like this:

password    requisite                                    pam_pwquality.so
password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
...

So the module will be called only for local users.
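The local-user gating in this comment, and the "insert after pam_pwquality.so" placement from comment 2, as an added example that is not part of this bug or of authselect's own code: a small simulator of how a PAM `password` stack is walked, run over two constructed stacks, plus a defender-side check of where pam_pwhistory sits and what it is configured with. Everything here is assumed or constructed: the stack texts are copies of the fragments in this thread with the authselect conditionals resolved and pam_deny appended; `LOCAL_USERS`, the users alice/bob and `module_result` are invented; pam_localuser is assumed to return PAM_PERM_DENIED for a user missing from /etc/passwd (its man page); and the jump action (`default=1`) is simplified to a skip that does not record the module's result, which is what lets remote users through stacks like this one. A `remember` value of `None` means the limit is expected to come from the module's configuration file (the RFE discussed in comments 3 and 7; Linux-PAM reads /etc/security/pwhistory.conf by default) rather than from the module line.

```python
import re
from dataclasses import dataclass

# Constructed copy of the authselect stack from comment 12, conditionals resolved.
AUTHSELECT_STACK = """\
password    requisite                                    pam_pwquality.so
password    [default=1 ignore=ignore success=ok]         pam_localuser.so
password    requisite                                    pam_pwhistory.so use_authtok
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    required                                     pam_deny.so
"""

# Constructed stack following the KCS instruction quoted in comment 2.
KCS_STACK = """\
password    requisite     pam_pwquality.so
password    requisite     pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so
"""

# Simple control keywords expanded to their bracket form (pam.conf(5)).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

@dataclass
class Entry:
    module_type: str
    control: dict        # PAM result name -> action: ok, bad, die, done, ignore or a jump count
    module: str
    args: list

LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, module_type="password"):
    """Parse pam.d lines of one module type into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, ctl, module, args = m.groups()
        if mtype != module_type:
            continue
        control = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else SIMPLE_CONTROLS[ctl])
        entries.append(Entry(mtype, control, module, args.split()))
    return entries

LOCAL_USERS = {"alice"}   # constructed: alice is in /etc/passwd, bob comes from LDAP

def module_result(module, user):
    """Constructed outcomes: every module succeeds except pam_localuser,
    which denies users that are not in the local passwd file."""
    if module == "pam_localuser.so" and user not in LOCAL_USERS:
        return "perm_denied"
    return "success"

def run_stack(entries, user):
    """Walk the stack applying control actions; return (modules that ran, success)."""
    executed, failed, i = [], False, 0
    while i < len(entries):
        e = entries[i]
        executed.append(e.module)
        result = module_result(e.module, user)
        # Results not named in a bracket control fall back to 'default', else 'bad'.
        action = e.control.get(result, e.control.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action.isdigit():          # jump: skip the next N modules (simplified: records nothing)
            i += int(action)
            continue
        if action in ("ok", "done"):
            failed = failed or result != "success"
            if action == "done" and not failed:
                break                 # e.g. 'sufficient' pam_unix succeeded: stop here
            continue
        failed = True                 # bad or die
        if action == "die":
            break
    return executed, not failed

def check_pwhistory(text, min_remember=5):
    """Does pam_pwhistory exist, sit after pam_pwquality, get gated by pam_localuser,
    and carry a remember= value on the module line (None: comes from the config file)?"""
    entries = parse_stack(text)
    modules = [e.module for e in entries]
    if "pam_pwhistory.so" not in modules:
        return {"present": False}
    idx = modules.index("pam_pwhistory.so")
    remember = next((int(a.split("=", 1)[1]) for a in entries[idx].args
                     if a.startswith("remember=")), None)
    return {"present": True,
            "after_pwquality": "pam_pwquality.so" in modules[:idx],
            "local_only": idx > 0 and entries[idx - 1].module == "pam_localuser.so",
            "remember": remember,
            "remember_ok": remember is not None and remember >= min_remember}

if __name__ == "__main__":
    for name, stack in (("authselect", AUTHSELECT_STACK), ("kcs", KCS_STACK)):
        for user in ("alice", "bob"):
            print(name, user, run_stack(parse_stack(stack), user))
        print(name, check_pwhistory(stack))
```

Running it shows pam_pwhistory executing for alice but being skipped for bob under the authselect stack, while the KCS stack runs it for both users; the check reports `remember=5` on the KCS line and `None` for the authselect line, where the value has to be looked up in the module's configuration file instead.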

Comment 24 errata-xmlrpc 2023-05-16 09:10:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (authselect bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3022