5.3.3.3.3 Ensure pam_pwhistory includes use_authtok

Information

use_authtok - When password changing enforce the module to set the new password to the one provided by a previously stacked password module

use_authtok allows multiple pam modules to confirm a new password before it is accepted.

Solution

Edit any returned files and add the use_authtok argument to the pam_pwhistory line in the Password section:

Example File:

Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok # <- **ensure line includes use_authtok**

Run the following command to update the files in the /etc/pam.d/ directory:

# pam-auth-update --enable <MODIFIED_PROFILE_NAME>

Example:

# pam-auth-update --enable pwhistory

See Also

https://workbench.cisecurity.org/benchmarks/17074

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: a8ed850426d29e3de8e22f211396a8b2853ea6b69ba850cd63066edcde557ba5