5.3.3.4.3 Ensure pam_unix includes a strong password hashing algorithm
Audit#
Run the following command to verify that a strong password hashing algorithm is set on the pam_unix.so module:
# grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?(sha512|yescrypt)\b' /etc/pam.d/common-password
Output should be similar to:
/etc/pam.d/common-password:password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
Remediation#
Run the following command:
# awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_unix\.so/) print FILENAME}' /usr/share/pam-configs/*
Edit any returned files and edit or add a strong hashing algorithm, either sha512 or yescrypt, that meets local site policy to the pam_unix lines in the Password section: Example File:
Name: Unix authentication
Default: yes
Priority: 256
Auth-Type: Primary # <- Start of "Auth" section
Auth:
[success=end default=ignore] pam_unix.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_unix.so
Account-Type: Primary # <- Start of "Account" section
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Session-Type: Additional # <- Start of "Session" section
Session:
required pam_unix.so
Session-Initial:
required pam_unix.so
Password-Type: Primary # <- Start of "Password" section
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt # <- **ensure hashing algorithm is either sha512 or yescrypt**
Password-Initial:
[success=end default=ignore] pam_unix.so obscure yescrypt # <- **ensure hashing algorithm is either sha512 or yescrypt**
Run the following command to update the files in the /etc/pam.d/ directory:
Example: