835658 – pam_pwhistory.so in RHEL 5.x

Bug 835658 - pam_pwhistory.so in RHEL 5.x

Summary: pam_pwhistory.so in RHEL 5.x

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	pam
Sub Component:
Version:	5.10
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-06-26 18:15 UTC by Trey
Modified:	2012-06-27 13:05 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-06-27 08:39:27 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Trey 2012-06-26 18:15:55 UTC

I have configured pam_pwhistory.so to support enforcing password uniqueness on all users of the system including root. 

I have two system-auth files established per RHEL5 STIG requirements (http://iase.disa.mil/stigs/os/unix/u_redhat_5-v1r0.6_stig_manual.zip).

I have /etc/pam.d/system-auth as a symbolic link to /etc/pam.d/system-auth-local.

------ /etc/pam.d/system-auth-local ------

auth requisite pam_access.so
auth required pam_tally2.so deny=3 lock_time=4 onerr=fail
auth include system-auth-ac
account required pam_tally2.so
account include system-auth-ac
password include system-auth-ac
session required pam_lastlog.so showfailed
session include system-auth-ac

------ /etc/pam.d/system-auth-ac ------

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1 minlen=14 maxrepeat=3 difok=4 enforce_root
password    sufficient    pam_pwhistory.so use_authok remember=5 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

---------------------------------------------------

So now the problem.

1) In the above configuration, pam_pwhistory does properly enforce password uniqueness, but when an acceptable password is entered, it does not save the selected password for the user. Instead, it displays a "password successfully changed" message and keeps the password the same as the original password before the change. This was verified by exiting and attempting to log back in with the new password and with the old password.

2) It appears that when "authconfig --updateall" is executed, the line above in system-auth-ac for pam_pwhistory is removed. However, adding the line to system-auth-local just above the "password include system-auth-ac" line doesn't seem to work either.

Comment 1 Tomas Mraz 2012-06-27 08:39:27 UTC

Your configuration is incorrect.

As authconfig does not support pam_pwhistory for elimination of the problem 2) you have to copy the contents of the password section of system-auth-ac to the system-auth-local and drop the 'password include system-auth-ac'.

As for the 1) pam_pwhistory must not be 'sufficient' but 'requisite'

Comment 2 Trey 2012-06-27 13:05:39 UTC

Thank you! That works great!

Note You need to log in before you can comment on or make changes to this bug.