Information
use_authtok - When changing a password, force the module to use the new password provided by a previously stacked password module instead of prompting for one.
use_authtok allows multiple PAM modules to confirm the same new password before it is accepted.
Solution
Run the following script to verify that the active authselect profile includes use_authtok on the password stack's pam_pwhistory.so module lines:
#!/usr/bin/env bash
{
    # Determine which authselect profile is active and where its templates live.
    l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
    if grep -Pq -- '^custom/' <<< "$l_pam_profile"; then
        l_pam_profile_path="/etc/authselect/$l_pam_profile"
    else
        l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
    fi
    # Print every active password-stack pam_pwhistory.so line that carries use_authtok.
    grep -P -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_pam_profile_path"/{password,system}-auth
}
Example output:
/etc/authselect/custom/custom-profile/password-auth:password required pam_pwhistory.so use_authtok
/etc/authselect/custom/custom-profile/system-auth:password required pam_pwhistory.so use_authtok
If the output does not include use_authtok for both files, run the following script:
#!/usr/bin/env bash
{
    # Determine which authselect profile is active and where its templates live.
    l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
    if grep -Pq -- '^custom/' <<< "$l_pam_profile"; then
        l_pam_profile_path="/etc/authselect/$l_pam_profile"
    else
        l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
    fi
    for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
        if grep -Pq '^\h*password\h+([^#\n\r]+)\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' "$l_authselect_file"; then
            echo "- \"use_authtok\" is already set"
        else
            echo "- \"use_authtok\" is not set. Updating template"
            # Append use_authtok to each active password-stack pam_pwhistory.so line.
            sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so\s+.*)$/& use_authtok/g' "$l_authselect_file"
        fi
    done
}
Run the following command to update the password-auth and system-auth files in /etc/pam.d to include the use_authtok argument on the password stack's pam_pwhistory.so lines:
# authselect apply-changes
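The audit and fix above work directly on the live authselect template. The following is an added example (not one of the benchmark's own scripts) that performs the same check and correction on a stack read from stdin, so it can be exercised offline against a constructed sample before being pointed at a real template; it ignores commented-out lines, leaves other modules alone, and is idempotent. The sample stack and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not one of the benchmark's own scripts: audit a PAM password
# stack read from stdin and append use_authtok to any pam_pwhistory.so line
# that lacks it. Feed it the authselect template for a real check, then run
# "authselect apply-changes" as described above.

# Constructed sample of an authselect-style password stack (not a real file).
# Line 2 lacks use_authtok; line 3 is commented out and must be ignored;
# line 4 already carries use_authtok on a different module.
SAMPLE_STACK='password    requisite     pam_pwquality.so local_users_only
password    requisite     pam_pwhistory.so remember=5
# password  required      pam_pwhistory.so use_authtok
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
password    required      pam_deny.so'

# Matches active (uncommented) password-stack lines that load pam_pwhistory.so.
PWHISTORY_RE='^[[:blank:]]*password[[:blank:]]+(requisite|required|sufficient)[[:blank:]]+pam_pwhistory\.so([[:blank:]]|$)'

# Print each pam_pwhistory.so line that is missing use_authtok.
# Returns 0 only when every such line is compliant.
audit_pwhistory() {
    local offenders
    offenders=$(grep -E "$PWHISTORY_RE" | grep -Ev '[[:blank:]]use_authtok([[:blank:]]|$)') || true
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Emit the stack with use_authtok appended only to non-compliant
# pam_pwhistory.so lines: comments and other modules pass through unchanged,
# and running it twice yields the same output.
fix_pwhistory() {
    sed -E -e "/$PWHISTORY_RE/!b" \
           -e '/[[:blank:]]use_authtok([[:blank:]]|$)/b' \
           -e 's/$/ use_authtok/'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STACK" | audit_pwhistory || echo "-- non-compliant lines listed above; fixed stack:"
printf '%s\n' "$SAMPLE_STACK" | fix_pwhistory
```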