5.3.3.3.3 Ensure pam_pwhistory includes use_authtok

Information

use_authtok - When password changing enforce the module to set the new password to the one provided by a previously stacked password module

use_authtok allows multiple pam modules to confirm a new password before it is accepted.

Solution

Run the following command:

# awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory.so/) print FILENAME}' /usr/share/pam-configs/*

Edit any returned files and add the use_authtok argument to the pam_pwhistory line in the Password section:

Example File:

Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok # <- **ensure line includes use_authtok**

Run the following command to update the files in the /etc/pam.d/ directory:

# pam-auth-update --enable <MODIFIED_PROFILE_NAME>

Example:

# pam-auth-update --enable pwhistory

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: b42a50c133bd9c2890aaf779b85e657f3aac5c4d4ee6dc161c33e39b607c9ee6