Red Hat Bugzilla – Bug 835658
pam_pwhistory.so in RHEL 5.x
Last modified: 2012-06-27 09:05:39 EDT
I have configured pam_pwhistory.so to support enforcing password uniqueness on all users of the system including root.
I have two system-auth files established per RHEL5 STIG requirements (http://iase.disa.mil/stigs/os/unix/u_redhat_5-v1r0.6_stig_manual.zip).
I have /etc/pam.d/system-auth as a symbolic link to /etc/pam.d/system-auth-local.
------ /etc/pam.d/system-auth-local ------
auth requisite pam_access.so
auth required pam_tally2.so deny=3 lock_time=4 onerr=fail
auth include system-auth-ac
account required pam_tally2.so
account include system-auth-ac
password include system-auth-ac
session required pam_lastlog.so showfailed
session include system-auth-ac
------ /etc/pam.d/system-auth-ac ------
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so retry=3 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1 minlen=14 maxrepeat=3 difok=4 enforce_root
password sufficient pam_pwhistory.so use_authtok remember=5 enforce_for_root
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
So now the problem.
1) In the above configuration, pam_pwhistory does properly enforce password uniqueness, but when an acceptable password is entered, it does not save the selected password for the user. Instead, it displays a "password successfully changed" message and keeps the password the same as the original password before the change. This was verified by exiting and attempting to log back in with the new password and with the old password.
2) It appears that when "authconfig --updateall" is executed, the line above in system-auth-ac for pam_pwhistory is removed. However, adding the line to system-auth-local just above the "password include system-auth-ac" line doesn't seem to work either.
Your configuration is incorrect.
As authconfig does not support pam_pwhistory, to eliminate problem 2) you have to copy the contents of the password section of system-auth-ac into system-auth-local and drop the 'password include system-auth-ac' line.
As for 1), pam_pwhistory must not be 'sufficient' but 'requisite'.
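The two fixes in that answer, as an added example that is not part of the bug report or of Red Hat's pam/authconfig packages: a shell lint for the "password" stack of a PAM service file that flags pam_pwhistory.so marked "sufficient" (a password that passes the history check satisfies the stack before pam_unix.so ever writes it to /etc/shadow, which is exactly the "password successfully changed" symptom from 1) and a leftover "password include system-auth-ac" (authconfig --updateall rewrites that file, which is problem 2). The two sample stacks are constructed from the report's own lines (pam_cracklib options abbreviated) and written to a temporary directory so the script runs offline; the file name system-auth-local and the enforce_for_root option are taken from the report.

```shell
#!/bin/sh
# Added example; not from the bug report or from the pam/authconfig packages.
# Lints the "password" stack of a PAM service file for the two mistakes
# discussed in bug 835658. Assumes the file is a plain RHEL 5 style
# /etc/pam.d/system-auth-local (no "-module" or "[...]" control syntax needed).

# Constructed sample: the password section as tried in the report, with
# pam_pwhistory "sufficient" placed just above the authconfig include.
BROKEN_STACK='password requisite pam_cracklib.so retry=3 minlen=14 difok=4
password sufficient pam_pwhistory.so use_authtok remember=5 enforce_for_root
password include system-auth-ac'

# Constructed sample: the section after the fix. The contents of the
# system-auth-ac password section now live here, the include is gone, and
# pam_pwhistory is "requisite" so a reused password stops the stack while a
# fresh one falls through to pam_unix.so, which actually stores it.
FIXED_STACK='password requisite pam_cracklib.so retry=3 minlen=14 difok=4
password requisite pam_pwhistory.so use_authtok remember=5 enforce_for_root
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so'

# check_password_stack FILE
# Prints one line per finding; exit status 0 when the stack is sound, 1 otherwise.
check_password_stack() {
    awk '
        /^[[:space:]]*#/   { next }   # comment line
        NF == 0            { next }   # blank line
        $1 != "password"   { next }   # only the password stack is examined
        {
            n++                       # position within the password stack
            ctl = $2; mod = $3
            if (ctl == "include") {
                inc = 1
                if (mod == "system-auth-ac") {
                    printf("FAIL line %d: \"password include system-auth-ac\": authconfig --updateall rewrites that file and drops pam_pwhistory\n", NR)
                    bad = 1
                } else {
                    printf("WARN line %d: password stack continues in %s, which this check does not follow\n", NR, mod)
                }
                next
            }
            if (mod == "pam_pwhistory.so") {
                hist = n
                if (ctl == "sufficient") {
                    printf("FAIL line %d: pam_pwhistory.so is \"sufficient\": a password that passes the history check ends the stack before pam_unix.so stores it\n", NR)
                    bad = 1
                }
            }
            if (mod == "pam_unix.so") unix_pos = n
        }
        END {
            if (!hist) {
                print "FAIL: no pam_pwhistory.so in the password stack"
                bad = 1
            } else if (!inc) {
                # Only judge completeness when the whole stack is in this file.
                if (!unix_pos) {
                    print "FAIL: no pam_unix.so in the password stack; nothing updates /etc/shadow"
                    bad = 1
                } else if (hist > unix_pos) {
                    print "FAIL: pam_pwhistory.so must precede pam_unix.so"
                    bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Demonstration on the two constructed samples.
tmp=$(mktemp -d)
printf '%s\n' "$BROKEN_STACK" > "$tmp/system-auth-local.broken"
printf '%s\n' "$FIXED_STACK"  > "$tmp/system-auth-local.fixed"
for f in "$tmp"/system-auth-local.*; do
    echo "== $f"
    if check_password_stack "$f"; then echo "OK: password stack is sound"; fi
done
rm -rf "$tmp"
```

On a live host, run `check_password_stack /etc/pam.d/system-auth-local` after every `authconfig --updateall`; a clean run is the evidence that the password stack still reaches pam_unix.so through a requisite pam_pwhistory.so rather than terminating at a sufficient one.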
Thank you! That works great!