Bug 2063379
Summary: | [RFE] Support pam_pwhistory in authselect profiles | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Sunny Wu <suwu>
Component: | authselect | Assignee: | Pavel Březina <pbrezina>
Status: | CLOSED ERRATA | QA Contact: | Dan Lavu <dlavu>
Severity: | medium | Docs Contact: |
Priority: | unspecified | |
Version: | 8.5 | CC: | aboscatt, dlavu, ipedrosa, joerg.kastning, pbrezina
Target Milestone: | rc | Keywords: | FutureFeature, Triaged
Target Release: | --- | |
Hardware: | All | |
OS: | All | |
Whiteboard: | sync-to-jira review | |
Fixed In Version: | authselect-1.2.6-1.el8 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2023-05-16 09:10:47 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 2068461, 2126640, 2142804 | |
Bug Blocks: | | |
Description
Sunny Wu
2022-03-12 00:23:27 UTC
The particular line is:

---

Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused). Insert the following line in /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files (after the pam_pwquality.so line):

```
password requisite pam_pwhistory.so remember=5 use_authtok
```

Iker, would it be possible to add support of reading arguments from configuration file instead of pam stack to pam_pwhistory?

Yes, I think it would be possible to do that. Is it urgent? Or can we plan it for Q3 (or later)?

Q3 is fine.

Iker, what is the status on your side? Should I start working on this ticket?

The RFE for PAM was implemented, included in Fedora (rawhide, 37, 36 and 35) and the automated tests were already developed. Work can be tracked in https://bugzilla.redhat.com/show_bug.cgi?id=2068461

I think everything's ready for you to start working on it, but if you need anything else please ping me.

Great, so I will push it to Fedora and then we will coordinate RHEL release.

I wonder if this module should be only executed for local users? It does not make sense to run this for remote users (from ldap or nis; the man page says it as well) as remote users have their own password policies?

Upstream PR: https://github.com/authselect/authselect/pull/321

Iker, can you please review it?

I am not exactly sure. Content of KCS (https://access.redhat.com/solutions/5027331) implies pam_pwhistory could be applied in `sssd` profile. If pam_pwhistory is enforceable for local users only, then we may enable it only in `minimal`, and leave the rest unchanged.

It can be in sssd profile as it supports authentication of both local and remote users. pam_pwhistory should not be used for remote users for:
1) remote users have their own password policies set in ldap
2) the history is stored locally, so if the user attempts to change password on different computer then the history check simply does not work correctly

I added pam_pwhistory like this:

```
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
...
```

So the module will be called only for local users.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (authselect bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3022
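The thread settles on a `[default=1 ignore=ignore success=ok] pam_localuser.so` line in front of `pam_pwhistory.so` so that the history check runs only for local users. The script below is an added example written for this page, not code from the bug, from authselect or from Linux-PAM. It expands the template lines quoted above with a small interpreter for the `{include if "..."}` / `{if not "...":...}` syntax they use, then walks the resulting password stack with a simplified model of libpam's control-flag dispatcher to show the jump in action: for a local user a reused password is rejected by `pam_pwhistory`, for a remote user `pam_pwhistory` is never called and the change goes on to `pam_sss`. Assumptions: the `pam_sss.so` / `pam_deny.so` lines stand in for the `...` in the thread; the user sets, each module's result and the SHA-256 password history are constructed stand-ins for `/etc/passwd`, an LDAP domain, the modules' real behaviour and the crypt(3) hashes in `/etc/security/opasswd`; the dispatcher ignores the second (update) pass of the password stack and the exact error code that libpam carries.

```python
"""Expand the 'with-pwhistory' template and walk the PAM password stack it yields.
Added example, not code from this bug, authselect or Linux-PAM; users, module
results and the password history are constructed stand-ins (see comments)."""
import hashlib
import re

# Lines from the upstream PR quoted in the thread; pam_sss/pam_deny are an
# assumed continuation of an sssd-style profile in place of the "...".
TEMPLATE = """\
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
"""
INCLUDE_RE = re.compile(r'\s*\{(include|exclude) if "([^"]+)"\}')
COND_RE = re.compile(r'\{if (not )?"([^"]+)":([^}]*)\}')
SHORTHAND = {  # pam.conf(5) expansions of the keyword controls
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def render(template, features):
    """Apply {include if}/{exclude if} (whole line) and {if [not] "f":text} (inline)."""
    lines = []
    for line in template.splitlines():
        m = INCLUDE_RE.search(line)
        if m:
            if (m.group(2) in features) != (m.group(1) == "include"):
                continue                           # feature toggle drops the line
            line = line[:m.start()] + line[m.end():]
        line = COND_RE.sub(lambda c: c.group(3) if (c.group(2) in features) != bool(c.group(1)) else "", line)
        lines.append(" ".join(line.split()))
    return lines

def parse(lines):
    """Rendered pam.d lines -> (control dict, module, args)."""
    stack = []
    for line in lines:
        rest = line.split(None, 1)[1]              # drop the "password" type
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=") for kv in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            control = SHORTHAND[ctl]
        module, *args = rest.split()
        stack.append((control, module, args))
    return stack

def run_stack(stack, call):
    """Walk the stack as libpam does (simplified): a numeric action jumps over N
    entries, die fails now, done succeeds now unless a bad was recorded, bad
    records a failure, ok/ignore move on. Returns (outcome, modules called)."""
    called, failed, i = [], False, 0
    while i < len(stack):
        control, module, args = stack[i]
        called.append(module)
        action = control.get(call(module, args), control["default"])
        if action.isdigit():
            i += int(action) + 1
            continue
        if action == "die":
            return "failure", called
        if action == "done" and not failed:
            return "success", called
        failed = failed or action == "bad"
        i += 1
    return ("failure" if failed else "success"), called

def digest(password):
    return hashlib.sha256(password.encode()).hexdigest()

LOCAL_USERS = {"alice"}                        # constructed stand-in for /etc/passwd
REMOTE_USERS = {"bob"}                         # constructed stand-in for an LDAP domain
HISTORY = {"alice": {digest("OldPassw0rd!")}}  # constructed stand-in for /etc/security/opasswd

def make_modules(user, new_password):
    """Stand-in for each module's password-change result for one user."""
    def call(module, args):
        if module == "pam_pwquality.so":
            return "success" if len(new_password) >= 8 else "authtok_err"
        if module == "pam_localuser.so":
            return "success" if user in LOCAL_USERS else "perm_denied"
        if module == "pam_pwhistory.so":       # real module compares crypt(3) hashes
            return "authtok_err" if digest(new_password) in HISTORY.get(user, ()) else "success"
        if module == "pam_unix.so":
            return "success" if user in LOCAL_USERS else "user_unknown"
        if module == "pam_sss.so":
            return "success" if user in REMOTE_USERS else "user_unknown"
        return "perm_denied"                   # pam_deny.so
    return call

def change_password(user, new_password, features=("with-pwhistory",)):
    """Outcome and module trace for one password change through the rendered stack."""
    return run_stack(parse(render(TEMPLATE, set(features))), make_modules(user, new_password))

if __name__ == "__main__":
    for user, pw in [("alice", "OldPassw0rd!"), ("alice", "Fresh-Passw0rd"), ("bob", "OldPassw0rd!")]:
        outcome, called = change_password(user, pw)
        print(f"{user:5} {pw:14} -> {outcome:7} via {' -> '.join(called)}")
```

The trace for `bob` is the point of the thread: `pam_localuser` returns a non-success code, the `default=1` action skips exactly one entry, and `pam_pwhistory` never sees the remote user's password, so the locally kept history neither blocks nor records it. Dropping `with-pwhistory` from the feature set removes both lines, which is what `authselect select ... with-pwhistory` toggles on a real system.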