Bug 835658 - pam_pwhistory.so in RHEL 5.x
pam_pwhistory.so in RHEL 5.x
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam (Show other bugs)
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2012-06-26 14:15 EDT by Trey
Modified: 2012-06-27 09:05 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-27 04:39:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Trey 2012-06-26 14:15:55 EDT
I have configured pam_pwhistory.so to support enforcing password uniqueness on all users of the system including root. 

I have two system-auth files established per RHEL5 STIG requirements (http://iase.disa.mil/stigs/os/unix/u_redhat_5-v1r0.6_stig_manual.zip).

I have /etc/pam.d/system-auth as a symbolic link to /etc/pam.d/system-auth-local.

------ /etc/pam.d/system-auth-local ------

auth requisite pam_access.so
auth required pam_tally2.so deny=3 lock_time=4 onerr=fail
auth include system-auth-ac
account required pam_tally2.so
account include system-auth-ac
password include system-auth-ac
session required pam_lastlog.so showfailed
session include system-auth-ac

------ /etc/pam.d/system-auth-ac ------

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1 minlen=14 maxrepeat=3 difok=4 enforce_root
password    sufficient    pam_pwhistory.so use_authok remember=5 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


So now the problem.

1) In the above configuration, pam_pwhistory does properly enforce password uniqueness, but when an acceptable password is entered, it does not save the selected password for the user. Instead, it displays a "password successfully changed" message and keeps the password the same as the original password before the change. This was verified by exiting and attempting to log back in with the new password and with the old password.

2) It appears that when "authconfig --updateall" is executed, the line above in system-auth-ac for pam_pwhistory is removed. However, adding the line to system-auth-local just above the "password include system-auth-ac" line doesn't seem to work either.
Comment 1 Tomas Mraz 2012-06-27 04:39:27 EDT
Your configuration is incorrect.

As authconfig does not support pam_pwhistory for elimination of the problem 2) you have to copy the contents of the password section of system-auth-ac to the system-auth-local and drop the 'password include system-auth-ac'.

As for the 1) pam_pwhistory must not be 'sufficient' but 'requisite'
Comment 2 Trey 2012-06-27 09:05:39 EDT
Thank you! That works great!

Note You need to log in before you can comment on or make changes to this bug.