
5.3.3.3.3 Ensure pam_pwhistory includes use_authtok

Audit

The use_authtok argument makes pam_pwhistory check the new password that a previously stacked password module has already collected, instead of prompting for one of its own, so every module in the password stack operates on the same new password. Run the following command to verify that the use_authtok argument exists on the pam_pwhistory line in /etc/pam.d/common-password:

# grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password

Output should be similar to:

password requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

Remediation

Run the following command:

# awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*

Edit any returned files and add the use_authtok argument to the pam_pwhistory line in the Password section. Example file:

Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
	requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

Ensure the pam_pwhistory.so line includes use_authtok.

Run the following command to update the files in the /etc/pam.d/ directory:

# pam-auth-update --enable <MODIFIED_PROFILE_NAME>

Example:

# pam-auth-update --enable pwhistory
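The audit and remediation steps above, as an added example that is not part of the benchmark text: POSIX sh functions that take the file or directory to inspect as a parameter, so they can be exercised on copies or fixtures before being pointed at /etc/pam.d/common-password and /usr/share/pam-configs. The function names, the `--demo` switch and the fixture contents are assumptions made here for illustration; the script does not run pam-auth-update, which still has to follow any profile change.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark text): audit and remediate
# pam_pwhistory use_authtok with portable POSIX sh + awk.
# Paths are parameters so the functions can run against fixtures; on a real
# system use /etc/pam.d/common-password and /usr/share/pam-configs, then run
# `pam-auth-update --enable pwhistory` and re-run the audit.

# Audit: exit 0 if a "password" line loading pam_pwhistory.so in FILE carries
# use_authtok, 1 otherwise. Trailing "#" comments are ignored, and use_authtok
# on another module's line (e.g. pam_unix.so) does not count.
pwhistory_has_use_authtok() {
    awk '
        { sub(/#.*/, "") }                              # drop comments
        tolower($1) ~ /^-?password$/ && /pam_pwhistory\.so/ {
            for (i = 2; i <= NF; i++)                   # control, module, args
                if ($i == "use_authtok") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Locate pam-configs profiles in DIR whose Password section loads
# pam_pwhistory.so (the benchmark's awk, with per-file state reset so each
# matching profile is printed exactly once).
pwhistory_profiles() {
    awk '
        FNR == 1         { f = 0 }
        /Password-Type:/ { f = 1; next }
        /-Type:/         { f = 0 }
        f && /pam_pwhistory\.so/ && !seen[FILENAME]++ { print FILENAME }
    ' "$1"/*
}

# Remediate: append use_authtok to the pam_pwhistory.so line inside the
# Password section of PROFILE, keeping any trailing comment last. Idempotent;
# written through a temp file and cat so the file's owner and mode survive.
add_use_authtok() {
    tmp=$(mktemp) || return 1
    awk '
        /Password-Type:/ { f = 1; print; next }
        /-Type:/         { f = 0 }
        f && /pam_pwhistory\.so/ {
            line = $0; comment = ""
            p = index(line, "#")
            if (p > 0) { comment = " " substr(line, p); line = substr(line, 1, p - 1) }
            if (line !~ /(^|[ \t])use_authtok([ \t]|$)/) {
                sub(/[ \t]+$/, "", line)
                $0 = line " use_authtok" comment
            }
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on constructed fixtures (never touches /etc):
#   sh pwhistory_use_authtok.sh --demo
demo() {
    dir=$(mktemp -d) || exit 1
    mkdir "$dir/pam-configs" "$dir/pam.d"
    # constructed profile, missing use_authtok
    printf 'Name: pwhistory password history checking\nDefault: yes\nPriority: 1024\nPassword-Type: Primary\nPassword:\n\trequisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass\n' \
        > "$dir/pam-configs/pwhistory"
    # constructed generated common-password: pam_unix has use_authtok, pwhistory does not
    printf 'password requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass\npassword [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt\n' \
        > "$dir/pam.d/common-password"

    printf 'audit before: '
    pwhistory_has_use_authtok "$dir/pam.d/common-password" && echo PASS || echo FAIL
    for p in $(pwhistory_profiles "$dir/pam-configs"); do
        echo "patching $p"
        add_use_authtok "$p"
    done
    cat "$dir/pam-configs/pwhistory"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The audit function deliberately requires pam_pwhistory.so and use_authtok on the same line: a common-password that has use_authtok only on the pam_unix.so line still fails, which is what the benchmark's grep also checks. After patching a real profile, the change reaches /etc/pam.d/common-password only once pam-auth-update has regenerated it.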