Profile Applicability:
• Level 1
Description:
The use_authtok option in the pam_pwhistory module ensures that the module uses the password token obtained from a previous module in the stack rather than prompting for a password again. Including this option prevents users from bypassing password history checks during password changes.
Rationale:
Using use_authtok enforces consistent password history validation during password changes, enhancing security by preventing circumvention of password reuse restrictions.
Impact:
Pros:
Ensures password history checks are effectively enforced.
Prevents users from reusing recent passwords.
Cons:
Requires proper PAM stack configuration to function correctly.
Default Value:
use_authtok may not be included by default and must be explicitly configured.
Pre-requisites:
Root or sudo privileges to modify PAM configuration files.
Remediation:
Test Plan:
Using Linux command line:
- Check PAM password configuration for pam_pwhistory usage with use_authtok:
grep pam_pwhistory /etc/pam.d/system-auth
grep pam_pwhistory /etc/pam.d/common-password
Verify that the line includes use_authtok.
Implementation Plan:
Using Linux command line:
1. Edit the PAM password configuration file:
vi /etc/pam.d/system-auth
2. Ensure the pam_pwhistory module line includes use_authtok, for example:
password required pam_pwhistory.so use_authtok remember=5 enforce_for_root
3. Save the file.
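The audit from the Test Plan and the edit from step 2, as an added shell example that is not part of the benchmark text. The two helper functions (check_pwhistory_use_authtok and add_use_authtok) and the sample PAM stacks they run against are constructed for this example; on a real host the functions would be pointed at /etc/pam.d/system-auth or /etc/pam.d/common-password instead of the temporary files.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark text): audit-and-fix helpers for
# the pam_pwhistory use_authtok setting. Runs against constructed sample stacks
# created below; pass /etc/pam.d/system-auth or /etc/pam.d/common-password to
# audit a real host.

# Pass when every uncommented "password" line that loads pam_pwhistory.so also
# carries use_authtok. Exit codes: 0 compliant, 1 finding, 2 no such line or
# file unreadable.
check_pwhistory_use_authtok() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Uncommented password-type lines (optionally "-password") naming the module
    lines=$(grep -v '^[[:space:]]*#' "$file" \
            | grep -E '^[[:space:]]*-?password[[:space:]]' \
            | grep 'pam_pwhistory\.so') || true
    if [ -z "$lines" ]; then
        echo "$file: no pam_pwhistory line in the password stack" >&2
        return 2
    fi
    # use_authtok must appear as a whole word among the module options
    bad=$(printf '%s\n' "$lines" \
          | grep -v -E '(^|[[:space:]])use_authtok([[:space:]]|$)') || true
    if [ -n "$bad" ]; then
        printf 'FAIL %s: pam_pwhistory without use_authtok:\n%s\n' "$file" "$bad"
        return 1
    fi
    echo "PASS $file"
    return 0
}

# Insert use_authtok directly after pam_pwhistory.so on any uncommented
# password line that lacks it; every other line is left untouched.
add_use_authtok() {
    file="$1"
    sed -E '/^[[:space:]]*-?password[[:space:]].*pam_pwhistory\.so/{
        /(^|[[:space:]])use_authtok([[:space:]]|$)/!s/pam_pwhistory\.so/pam_pwhistory.so use_authtok/
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed sample: compliant stack using the remediation line from step 2
cat > "$tmpdir/system-auth.good" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

# Constructed sample: non-compliant; the commented-out line must be ignored
cat > "$tmpdir/system-auth.bad" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    required      pam_pwhistory.so remember=5 enforce_for_root
#password   required      pam_pwhistory.so use_authtok remember=5
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

for f in "$tmpdir/system-auth.good" "$tmpdir/system-auth.bad"; do
    check_pwhistory_use_authtok "$f" || echo "  (exit $?)"
done

# Remediate a copy of the non-compliant stack and re-audit it
cp "$tmpdir/system-auth.bad" "$tmpdir/system-auth.fixed"
add_use_authtok "$tmpdir/system-auth.fixed"
check_pwhistory_use_authtok "$tmpdir/system-auth.fixed"
```

The audit deliberately ignores commented-out lines, so a stale `#password ... use_authtok` line cannot mask a live pam_pwhistory line that lacks the option. add_use_authtok rewrites the file through a temporary copy and mv, so take a backup of the PAM file first and confirm ownership and mode afterwards, matching the Backout Plan below.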
Backout Plan:
Using Linux command line:
Remove the use_authtok option if necessary.
Test password changes to confirm behavior.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_pwhistory Documentation