5.3.2.4.4 Ensure pam_unix includes use_authtok

Information

use_authtok - When changing a password, this option forces the module to set the new password to the one provided by a previously stacked password module instead of prompting for it again.

With use_authtok, the new password can be checked by multiple stacked PAM modules (for example a password-quality module placed earlier in the stack) before pam_unix accepts and stores it.

Solution

Add the use_authtok option to the pam_unix.so module lines on the password stack, editing the lines if they exist or creating them if they do not:

/etc/pam.d/common-password:password required pam_unix.so use_authtok shadow sha512
/etc/pam.d/common-password-pc:password required pam_unix.so use_authtok shadow sha512
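The following shell check is an added example, not audit code from the CIS benchmark or the Tenable plugin: it reports password-stack pam_unix.so lines in a given PAM file that lack use_authtok, and the demo runs it against constructed sample files rather than the real /etc/pam.d files.

```shell
#!/bin/sh
# Added example: report password-stack pam_unix.so lines missing use_authtok.
# Returns 0 when every matching line carries use_authtok, 1 when one or more
# do not, and 2 when the file cannot be read.
check_use_authtok() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Drop comments, keep lines of type "password" that load pam_unix.so,
    # then keep only those without the use_authtok option.
    bad=$(sed 's/#.*//' "$file" \
        | awk '$1 == "password" && $0 ~ /pam_unix\.so/ && $0 !~ /use_authtok/')
    if [ -n "$bad" ]; then
        printf '%s: pam_unix.so line(s) missing use_authtok:\n%s\n' "$file" "$bad"
        return 1
    fi
    return 0
}

# Demonstration on constructed sample files (hypothetical content, not a
# real system's configuration). Works under "set -e" because each call is
# wrapped in an if/else.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/bad" <<'EOF'
password requisite pam_pwquality.so retry=3
password required pam_unix.so shadow sha512
EOF
    cat > "$tmp/good" <<'EOF'
password requisite pam_pwquality.so retry=3
password required pam_unix.so use_authtok shadow sha512
EOF
    if check_use_authtok "$tmp/bad"; then r1=0; else r1=$?; fi
    if check_use_authtok "$tmp/good"; then r2=0; else r2=$?; fi
    rm -rf "$tmp"
    echo "bad-file status=$r1 good-file status=$r2"
}

demo
```

Run the check against /etc/pam.d/common-password and /etc/pam.d/common-password-pc (where present) to confirm both files comply.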

See Also

https://workbench.cisecurity.org/benchmarks/20333

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: f04e37041a4f7c25a715d72f5e146b16450c3554f67c58ea4127a959f7946f25