Bug 2063379 - [RFE] Support pam_pwhistory in authselect profiles
Summary: [RFE] Support pam_pwhistory in authselect profiles
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: authselect
Version: 8.5
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Pavel Březina
QA Contact: Dan Lavu
URL:
Whiteboard: sync-to-jira review
Depends On: 2068461 2126640 2142804
Blocks:
Reported: 2022-03-12 00:23 UTC by Sunny Wu
Modified: 2023-05-16 11:18 UTC (History)

Fixed In Version: authselect-1.2.6-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 09:10:47 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | authselect/authselect pull 321 | 0 | None | Merged | profiles: add with-pwhistory feature | 2022-10-17 23:12:26 UTC
Red Hat Issue Tracker | RHELPLAN-115398 | 0 | None | None | None | 2022-03-12 00:27:02 UTC
Red Hat Issue Tracker | SSSD-4468 | 0 | None | None | None | 2022-03-22 07:55:33 UTC
Red Hat Knowledge Base (Solution) | 5027331 | 0 | None | None | None | 2022-03-12 03:15:39 UTC
Red Hat Knowledge Base (Solution) | 6980935 | 0 | None | None | None | 2023-01-19 07:27:44 UTC
Red Hat Product Errata | RHBA-2023:3022 | 0 | None | None | None | 2023-05-16 09:11:09 UTC

Description Sunny Wu 2022-03-12 00:23:27 UTC
Description of problem:

Add pam_pwhistory to the authselect profiles so that users can enable this module from the command line, instead of modifying /etc/pam.d/{password-auth,system-auth} directly.

There are a large number of security guidelines (CIS, STIG, etc.) that require denying users the ability to re-use passwords. The demand to enforce password history is high.

There are support articles for every version of RHEL that provide instructions for adding support for password history (pam_pwhistory). However, this is still a manual process with either 1. direct editing of files, which is not recommended, or 2. creating custom authselect profiles.

The support article for RHEL8:

   Set Password Policy/Complexity in Red Hat Enterprise Linux 8
   https://access.redhat.com/solutions/5027331

With both methods mentioned above, users may still be confused as to where (on which line) the PAM module line should be inserted.

Adding support can enhance the usability of our products, minimize users' effort to enable/disable the feature, and reduce the error rate.

I propose to add the feature to the default authselect profiles below:
- minimal
- nis
- sssd
- winbind

Version-Release number of selected component (if applicable):

# rpm -qa | grep authselect
authselect-compat-1.2.2-2.el8.x86_64
authselect-libs-1.2.2-2.el8.x86_64
authselect-1.2.2-2.el8.x86_64

Reference:

STIG - V-230368
https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2020-11-25/finding/V-230368

Red Hat Enterprise Linux 8 CIS Benchmarks - Limit Password Reuse: password-auth
https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-cis.html#xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth

Comment 2 Sunny Wu 2022-03-14 03:54:33 UTC
The particular line is:

---
Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused).

Insert the following line in the /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files (after the pam_pwquality.so line):

   password    requisite     pam_pwhistory.so remember=5 use_authtok

Comment 3 Pavel Březina 2022-03-21 12:48:00 UTC
Iker, would it be possible to add support of reading arguments from configuration file instead of pam stack to pam_pwhistory?

Comment 4 Iker Pedrosa 2022-03-21 13:04:00 UTC
Yes, I think it would be possible to do that. Is it urgent? Or can we plan it for Q3 (or later)?

Comment 5 Pavel Březina 2022-03-21 13:48:42 UTC
Q3 is fine.

Comment 6 Pavel Březina 2022-09-08 12:18:37 UTC
Iker, what is the status on your side? Should I start working on this ticket?

Comment 7 Iker Pedrosa 2022-09-08 12:35:47 UTC
The RFE for PAM was implemented, included in fedora (rawhide, 37, 36 and 35) and the automated tests were already developed. Work can be tracked in https://bugzilla.redhat.com/show_bug.cgi?id=2068461

I think everything's ready for you to start working on it, but if you need anything else please ping me.

Comment 8 Pavel Březina 2022-09-08 12:55:57 UTC
Great, so I will push it to Fedora and then we will coordinate RHEL release.

Comment 9 Pavel Březina 2022-09-19 10:14:39 UTC
I wonder if this module should only be executed for local users? It does not make sense to run this for remote users (from ldap or nis; the man page says so as well), as remote users have their own password policies?

Comment 10 Pavel Březina 2022-09-20 12:19:09 UTC
Upstream PR:
https://github.com/authselect/authselect/pull/321

Iker, can you please review it?

Comment 11 Sunny Wu 2022-09-23 03:20:53 UTC
I am not exactly sure.

The content of the KCS (https://access.redhat.com/solutions/5027331) implies pam_pwhistory could be applied in the `sssd` profile.

If pam_pwhistory is enforceable for local users only, then we may enable it only in `minimal` and leave the rest unchanged.

Comment 12 Pavel Březina 2022-09-23 10:34:43 UTC
It can be in the sssd profile as it supports authentication of both local and remote users.

pam_pwhistory should not be used for remote users because:
1) remote users have their own password policies set in ldap
2) the history is stored locally, so if the user attempts to change the password on a different computer then the history check simply does not work correctly

I added pam_pwhistory like this:
password    requisite                                    pam_pwquality.so
password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"}
password    sufficient                                   pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
...

So the module will be called only for local users.
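
To make the control flow of the stack quoted in the comment above concrete, here is an added example (not authselect or Linux-PAM code) that simulates how the `[default=1 ignore=ignore success=ok]` line on pam_localuser.so gates pam_pwhistory.so: a local user is checked against the password history, while a remote (SSSD) user jumps over it. The rendered stack, the module outcomes and the `change_password` scenario are constructed for this example; the `remember=5` argument and the pam_sss.so line are assumptions about the final rendered file.

```python
import re

# Constructed sample: the 'password' stack rendered for a profile selected with with-pwhistory.
STACK = """\
password    requisite                              pam_pwquality.so
password    [default=1 ignore=ignore success=ok]   pam_localuser.so
password    requisite                              pam_pwhistory.so use_authtok remember=5
password    sufficient                             pam_unix.so yescrypt shadow nullok use_authtok
password    sufficient                             pam_sss.so use_authtok
"""

def parse_stack(text):
    """Return [(control, module)] for each 'password' line."""
    pat = re.compile(r"password\s+(\[[^\]]*\]|\S+)\s+(\S+)")
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]

def run_stack(entries, results):
    """Walk the stack with simplified Linux-PAM control semantics; results maps
    module -> 'success' | 'fail'. Returns (outcome, modules actually invoked)."""
    invoked, final, i = [], None, 0
    while i < len(entries):
        control, module = entries[i]
        res = results.get(module, "fail")
        invoked.append(module)
        if control.startswith("["):
            # bracketed form: action chosen by result, 'default' as fallback
            actions = dict(t.split("=") for t in control[1:-1].split())
            act = actions.get(res, actions.get("default", "bad"))
            if act.isdigit():           # jump over the next N modules
                i += 1 + int(act)
                continue
            final = "fail" if act == "bad" else (final or "success")
        elif control == "requisite":    # failure ends the stack immediately
            if res == "fail":
                return "fail", invoked
            final = final or "success"
        elif control == "sufficient":   # success ends the stack unless something failed
            if res == "success" and final != "fail":
                return "success", invoked
        i += 1
    return final or "fail", invoked

def change_password(is_local, password_reused):
    """Constructed scenario: local vs. remote (SSSD) user, with or without a reused password."""
    results = {"pam_pwquality.so": "success",
               "pam_localuser.so": "success" if is_local else "fail",
               "pam_pwhistory.so": "fail" if password_reused else "success",
               "pam_unix.so": "success" if is_local else "fail",
               "pam_sss.so": "fail" if is_local else "success"}
    return run_stack(parse_stack(STACK), results)
```

Running `change_password(False, True)` shows that a remote user's reused password is never seen by pam_pwhistory.so, which is exactly the behaviour the comment argues for, since that user's history lives in the directory, not on this host.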

Comment 24 errata-xmlrpc 2023-05-16 09:10:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (authselect bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3022