5.3.3.4.4 Ensure pam_unix includes use_authtok
Audit#
Run the following command to verify that use_authtok is set on the pam_unix.so module lines in the password stack:
# grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password
Output should be similar to:
etc/pam.d/common-password:password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
Remediation#
Run the following command:
# awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_unix\.so/) print FILENAME}' /usr/share/pam-configs/*
Edit any returned files add use_authtok to the pam_unix line in the Password section under Password: subsection: Note: The if the file's Password section includes a Password-Initial: subsection, use_authtok should not be added to the pam_unix line in the Password-Initial: subsection Example File:
Name: Unix authentication
Default: yes
Priority: 256
Auth-Type: Primary # <- Start of "Auth" section
Auth:
[success=end default=ignore] pam_unix.so try_first_pass
Auth-Initial:
[success=end default=ignore] pam_unix.so
Account-Type: Primary # <- Start of "Account" section
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Session-Type: Additional # <- Start of "Session" section
Session:
required pam_unix.so
Session-Initial:
required pam_unix.so
Password-Type: Primary # <- Start of "Password" section
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt # <- **ensure line includes use_authtok**
Password-Initial:
[success=end default=ignore] pam_unix.so obscure yescrypt # <- **Password-Initial: subsection does not include use_authtok
Run the following command to update the files in the /etc/pam.d/ directory:
Example: