4.4.2.3.4 Ensure pam_pwhistory includes use_authtok

Information

use_authtok - When password changing enforce the module to set the new password to the one provided by a previously stacked password module

use_authtok allows multiple pam modules to confirm a new password before it is accepted.

Solution

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth:

Add the following line to the password section:

password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

Example password section:

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 #<- added pam_pwquality.so line
password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so

Note: the use_authtok option should exist on all password lines except the first entry and the pam_deny.so line

See Also

https://workbench.cisecurity.org/benchmarks/15962

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 2e3d055e29e8827f145fe2f83e980165834d8804f0a7e53aedddc931b309c990