
On a RHEL 7 server, I have to implement two password policies that can be described as parameters of the PAM pam_pwquality module:

  1. password requisite pam_pwquality.so try_first_pass local_users_only minlen=14
  2. password requisite pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1

Furthermore, the default RHEL 7 PAM configuration already contains the following pam_pwquality entry:

  3. password requisite pam_pwquality.so try_first_pass local_users_only retry=3

I have the requirement to apply the password policy of entry 3 to all users and the other password policies to two different groups of local users named group1 and group2.

To apply these requirements, I have added the following code in /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac after the default pam_pwquality entry (named 3. in this question):

```
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 # Default RHEL7 pam_pwquality.so entry
#BEGIN PWPOLICY 1
password [success=1 default=ignore] pam_succeed_if.so user notingroup group1
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 use_authtok
#END PWPOLICY 1
#BEGIN PWPOLICY 2
password [success=1 default=ignore] pam_succeed_if.so user notingroup group2
password requisite pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1 use_authtok
#END PWPOLICY 2
```

This configuration works as expected, but it has the disadvantage that when a user (included in group1 and group2) changes the password, they need to repeat it multiple times, as shown in the following example:

```
[test@rhel7 ~]$ passwd
Changing password for user test.
Changing password for test.
(current) UNIX password:
New password:
Retype new password:
Retype new password:
Retype new password:
passwd: all authentication tokens updated successfully.
```

The option "use_authtok" included in my last two pam_pwquality entries seems to be ignored.

Do you know what is wrong with this configuration, or other methods to implement these requirements?

1 Answer

The problem here is two-fold:

  1. pam_pwquality is designed to explicitly prompt for a password verification with pam_get_authtok_verify, and use_authtok only applies to pam_get_authtok_noverify.
  2. PAM works its way down the stack in order, so all of your users are hitting the default policy on the first line, and I believe your pam_succeed_if skips are not working the way you think they are.

I think you may want to invert the order and use the bracket syntax to achieve what you are after:

```
### Policy Group 1
# If the user is in group 1, do nothing (and run the next module),
# otherwise skip to Group 2
password [success=ignore default=1] pam_succeed_if.so user ingroup group1
# If this module succeeds skip 3 modules: the two for Group 2
# and 1 for the default entry, otherwise fail the stack immediately.
# "die" matches the "requisite" in your original policy. If "required" is
# intended, change this to "bad"
password [success=3 default=die] pam_pwquality.so try_first_pass local_users_only minlen=14

### Policy Group 2
# If the user is in group 2, do nothing (and run the next module),
# otherwise skip to the default entry
password [success=ignore default=1] pam_succeed_if.so user ingroup group2
# Similar to Group 1, except we only need to skip the default module entry on success
password [success=1 default=die] pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1

### Default RHEL7 pam_pwquality.so entry
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14

### This should be replaced with the stack responsible for managing passwords, if not the RHEL7 default
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
```

There doesn’t appear to be any difference to me between Group #1’s policy and the default. Assuming that’s not intentional, I believe the above should work if you do need all 3 to be different.

Also: This solution assumes that group1 & group2 membership is mutually exclusive. If someone is in both groups, group1 takes precedence.
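The difference between the two stacks is easiest to see by walking them the way Linux-PAM does. The following is an added example, not Linux-PAM code and not code from the question or the answer: a small simulator of the `password` stack control flow. It models only the control actions ok/done/bad/die/ignore/N from pam.conf(5), pam_succeed_if's `user ingroup|notingroup` test and a pam_pwquality reduced to `minlen`/`minclass` (credits, dictionary, repeat and `maxsequence` checks are not modelled), assumes libpwquality's defaults of minlen=8 and minclass=0 for unset options, and treats a jump after a failing module as a plain skip. The two embedded stacks are transcribed from the question and the answer with their comments dropped (the pam_unix line is appended to the question's stack so it can complete); the function names and the two test passwords are constructed for the example.

```python
"""Simulate how Linux-PAM walks the two 'password' stacks discussed above (added example)."""
import re

# Stack from the question, plus the RHEL 7 pam_unix line that follows it in system-auth-ac.
ORIGINAL_STACK = """
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14
password [success=1 default=ignore] pam_succeed_if.so user notingroup group1
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 use_authtok
password [success=1 default=ignore] pam_succeed_if.so user notingroup group2
password requisite pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1 use_authtok
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
"""

# Stack proposed in the answer.
PROPOSED_STACK = """
password [success=ignore default=1] pam_succeed_if.so user ingroup group1
password [success=3 default=die] pam_pwquality.so try_first_pass local_users_only minlen=14
password [success=ignore default=1] pam_succeed_if.so user ingroup group2
password [success=1 default=die] pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
"""

# Keyword controls expanded to their bracket equivalents, as documented in pam.conf(5).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

ENTRY_RE = re.compile(r"^password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse 'password' lines into (control dict, module, args); '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        ctrl, module, args = m.group(1), m.group(2), m.group(3).split()
        if ctrl.startswith("["):
            control = dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
        else:
            control = KEYWORD_CONTROLS[ctrl]
        entries.append((control, module, args))
    return entries


def pwquality_ok(args, password):
    """Reduced pam_pwquality: minlen (assumed default 8) and minclass (assumed default 0)."""
    opts = dict(a.split("=", 1) for a in args if "=" in a)
    minlen, minclass = int(opts.get("minlen", 8)), int(opts.get("minclass", 0))
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(t(c) for c in password) for t in tests)
    return len(password) >= minlen and classes >= minclass


def module_ok(module, args, groups, password):
    """Simulated module result: True for PAM_SUCCESS, False for any failure code."""
    if module == "pam_succeed_if.so":
        field, test, value = args[:3]            # e.g. "user ingroup group1"
        assert field == "user", "only the 'user' field is modelled"
        return (value in groups) == (test == "ingroup")
    if module == "pam_pwquality.so":
        return pwquality_ok(args, password)
    if module == "pam_unix.so":
        return True                               # token update assumed to succeed
    raise ValueError("unknown module " + module)


def run_password_stack(stack, groups, password):
    """Walk the stack; return (stack succeeded, number of pam_pwquality runs)."""
    status, pwquality_runs, i = None, 0, 0       # status: None (undecided), "ok" or "bad"
    entries = parse_stack(stack)
    while i < len(entries):
        control, module, args = entries[i]
        i += 1
        ok = module_ok(module, args, groups, password)
        pwquality_runs += module == "pam_pwquality.so"   # each run is one more prompt
        action = control.get("success" if ok else "default", control.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            status = "bad"                        # the first failure sticks for the stack
            if action == "die":
                break
        elif action.isdigit():                    # jump: like "ok" on success, then skip N
            if ok and status != "bad":
                status = "ok"
            i += int(action)
        elif action in ("ok", "done"):
            if status != "bad":
                status = "ok" if ok else "bad"
            if action == "done":
                break
        else:
            raise ValueError("unsupported action " + action)
    return status == "ok", pwquality_runs


if __name__ == "__main__":
    strong, short = "Correct-Horse-Battery-9", "Ab1!xyzw"   # constructed test passwords
    for label, groups in (("both", {"group1", "group2"}), ("group2", {"group2"}), ("none", set())):
        for name, stack in (("original", ORIGINAL_STACK), ("proposed", PROPOSED_STACK)):
            print(label, name, run_password_stack(stack, groups, strong),
                  run_password_stack(stack, groups, short))
```

For a user in both groups, the question's stack runs pam_pwquality three times (the three "Retype new password:" prompts in the passwd session), while the answer's stack runs it once; for a user only in group2, the question's stack rejects an 8-character password because the default minlen=14 entry runs first, whereas the answer's stack applies only the group2 rule. A real stack also depends on the options not modelled here, so the simulator is a way to reason about control flow, not a substitute for testing with passwd.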
