From 659e5ada6a1c4ced634fa6be4d2b5c97e18858a3 Mon Sep 17 00:00:00 2001
From: Farid Joubbi
Date: Mon, 22 Mar 2021 22:28:25 +0100
Subject: [PATCH 1/2] Changed to pam_pwhistory.so instead of pam_unix.so for remembering old passwords.
Signed-off-by: Farid Joubbi
---
 roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
index fd12326ea..880cf6243 100644
--- a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
+++ b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -33,11 +33,12 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
 {% if (os_auth_pam_passwdqc_enable | bool) %}
-password required pam_pwquality.so {{ os_auth_pam_pwquality_options }}
+password requisite pam_pwquality.so {{ os_auth_pam_pwquality_options }}
 {% endif %}
-# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
-# NSA 2.3.3.6 Limit Password Reuse
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
+{# NSA 2.3.3.6 Limit Password Reuse #}
+password required pam_pwhistory.so remember=5 use_authtok
+{# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 #}
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 {% if (os_auth_pam_sssd_enable | bool) %}
 password sufficient pam_sss.so use_authtok
 {% endif %}
From d693a8e2007130920df6bf4c62c23dc2b79c8656 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Tue, 23 Mar 2021 08:53:49 +0100
Subject: [PATCH 2/2] also use requisite for pwhistory
Signed-off-by: Martin Schurz
---
 roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
index 880cf6243..bbf3522d9 100644
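Review bot: When `os_auth_pam_passwdqc_enable` is false, the new `pam_pwhistory.so` line becomes the first module in the password stack yet still carries `use_authtok`, so it looks for a new password set by a previous module that does not exist; as far as I recall pam_pwhistory then fails with an authtok error rather than prompting, which would block every password change in that configuration (the pre-existing `use_authtok` on the pam_unix line has the same dependency, which this reordering now exposes one module earlier). Making the flag conditional on the same variable keeps the pwquality path unchanged and lets pwhistory prompt for the new password itself otherwise: `password required pam_pwhistory.so remember=5{% if (os_auth_pam_passwdqc_enable | bool) %} use_authtok{% endif %}`. The pam_unix line below it would then receive its token from pwhistory in both cases. A quick password change on a host rendered with the option disabled would confirm this before merging.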
--- a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
+++ b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -36,7 +36,7 @@ account required pam_permit.so
 password requisite pam_pwquality.so {{ os_auth_pam_pwquality_options }}
 {% endif %}
 {# NSA 2.3.3.6 Limit Password Reuse #}
-password required pam_pwhistory.so remember=5 use_authtok
+password requisite pam_pwhistory.so remember=5 use_authtok
 {# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 #}
 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 {% if (os_auth_pam_sssd_enable | bool) %}
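Review bot: The now-`requisite` `pam_pwhistory.so` line does not set `enforce_for_root`, so the five-password history is, as far as I know, not applied when root sets a password and only unprivileged accounts are held to the NSA 2.3.3.6 control; if the role means to cover all accounts, `password requisite pam_pwhistory.so remember=5 enforce_for_root use_authtok` closes that gap (the pwquality line can already receive the equivalent option through `os_auth_pam_pwquality_options`). Whichever is intended, a Jinja comment next to the line stating that choice would save the next reader a man-page lookup. `remember=5` is also the only hard-coded policy value in this stack while the pwquality options come from a role variable; exposing it the same way would let users match their own reuse requirements without forking the template. The `use_authtok` dependency on the pwquality guard is covered in the note on the first patch.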