Profile Applicability:
• Level 1
Description:
The use_authtok option in the pam_unix module ensures that the module uses the authentication token obtained from a previous module rather than prompting for the password again. Including this option maintains consistency and security during password changes.
Rationale:
Using use_authtok helps enforce unified password handling, preventing users from bypassing password policies and ensuring the integrity of the authentication process.
Impact:
Pros:
Maintains consistent password verification during changes.
Prevents circumvention of password policies.
Cons:
Requires correct PAM stack configuration to function properly.
Default Value:
use_authtok is not always included by default and should be verified.
Pre-requisites:
Root or sudo privileges to modify PAM configuration files.
Remediation:
Test Plan:
Using Linux command line:
- Check PAM configuration files for pam_unix usage with use_authtok:
grep pam_unix /etc/pam.d/system-auth
grep use_authtok /etc/pam.d/system-auth
Verify that use_authtok is present in the pam_unix module lines.
Implementation Plan:
Using Linux command line:
1. Edit the PAM configuration file:
vi /etc/pam.d/system-auth
2. Add or ensure use_authtok is included in the pam_unix line, for example:
password sufficient pam_unix.so use_authtok sha512 shadow nullok try_first_pass
3. Save the file.
Backout Plan:
Using Linux command line:
Remove the use_authtok option if necessary.
Test password changes to confirm behavior.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_unix Documentation