Merge pull request #431 from joubbi/pwhistory

Use pam_pwhistory.so instead of pam_unix.so for remembering old passwords
dev-sec · Mar 23, 2021 · a45eee2 · a45eee2
2 parents 05bc809 + d693a8e
commit a45eee2
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -33,11 +33,12 @@ account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so
 
 {% if (os_auth_pam_passwdqc_enable | bool) %}
-password    required      pam_pwquality.so {{ os_auth_pam_pwquality_options }}
+password    requisite     pam_pwquality.so {{ os_auth_pam_pwquality_options }}
 {% endif %}
-{# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 #}
 {# NSA 2.3.3.6 Limit Password Reuse #}
-password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
+password    requisite     pam_pwhistory.so remember=5 use_authtok
+{# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 #}
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 {% if (os_auth_pam_sssd_enable | bool) %}
 password    sufficient    pam_sss.so use_authtok
 {% endif %}