From a25a2dbf51ac0de75352bad26d176fd9bb207e73 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Fri, 20 Dec 2024 16:10:19 -0800 Subject: [PATCH 1/6] Ubuntu 24.04 5.3.3.4.4 Ensure pam_unix includes use_authtok --- components/pam.yml | 1 + controls/cis_ubuntu2404.yml | 5 +-- .../bash/shared.sh | 14 ++++++++ .../oval/shared.xml | 23 +++++++++++++ .../rule.yml | 32 ++++++++++++++++++ .../tests/ubuntu_correct_value.pass.sh | 33 +++++++++++++++++++ .../tests/ubuntu_missing_value.fail.sh | 5 +++ shared/macros/10-bash.jinja | 4 +-- 8 files changed, 113 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh diff --git a/components/pam.yml b/components/pam.yml index af9441e878a..f4e85c501c8 100644 --- a/components/pam.yml +++ b/components/pam.yml @@ -66,6 +66,7 @@ rules: - accounts_password_pam_ucredit - accounts_password_pam_unix_enabled - accounts_password_pam_unix_no_remember +- accounts_password_pam_unix_authtok - accounts_password_pam_unix_remember - accounts_password_pam_unix_rounds_password_auth - accounts_password_pam_unix_rounds_system_auth diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index a65a4d83f94..6641ab732c9 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml 
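Review bot: The new entry `- accounts_password_pam_unix_authtok` in components/pam.yml is inserted between `_unix_no_remember` and `_unix_remember`, which breaks the alphabetical order the surrounding list keeps (`ucredit`, `unix_enabled`, `unix_no_remember`, `unix_remember`, `unix_rounds_…`). It sorts before `accounts_password_pam_unix_enabled`, so it should be placed directly after `- accounts_password_pam_ucredit`.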
@@ -2059,8 +2059,9 @@ controls: levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. + rules: + - accounts_password_pam_unix_authtok + status: automated - id: 5.4.1.1 title: Ensure password expiration is configured (Automated) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh new file mode 100644 index 00000000000..1c7def053ef --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh @@ -0,0 +1,14 @@ +# platform = multi_platform_ubuntu + +config_file="/usr/share/pam-configs/cac_unix" +{{{ bash_pam_unix_enable() }}} +sed -i -E '/^Password:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + /use_authtok/! s/$/ use_authtok/g + } +}' "$config_file" + + +DEBIAN_FRONTEND=noninteractive pam-auth-update + + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml new file mode 100644 index 00000000000..452c7d05ccc --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml @@ -0,0 +1,23 @@ +{{%- set accounts_password_pam_unix_file = '/etc/pam.d/common-password' -%}} + + + + {{{ oval_metadata("Configure the system to include use_authtok in pam common_password configuration file") }}} + + + + + + + + + + + {{{ accounts_password_pam_unix_file }}} + ^[ \t]*password[ \t]+([^#\n\r]+)[ \t]+pam_unix\.so[ \t]+([^#\n\r]+[ \t]+)?use_authtok.*$ + 1 + + 
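Review bot: In the new bash/shared.sh the `sed -i … "$config_file"` runs unconditionally right after `{{{ bash_pam_unix_enable() }}}`, yet that macro (see its hunk in shared/macros/10-bash.jinja further down) only creates the cac_unix copy when the unix profile's checksum matches and otherwise just prints "Not applicable" on stderr, so on such a system the remediation aborts with a sed read error on a missing file; wrap the edit and the pam-auth-update call in `if [ -f "$config_file" ]; then … fi`. The `g` flag on `s/$/ use_authtok/g` is a no-op, since `$` can match only once per line. The range `/^Password:/,/^[^[:space:]]/` deliberately leaves the `Password-Initial:` block untouched, which I assume is intentional and deserves a comment such as `# only the Password: block gets use_authtok; Password-Initial is used when pam_unix is first in the stack and has no previously stacked token to reuse`.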
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml new file mode 100644 index 00000000000..e4afb5cacce --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/rule.yml @@ -0,0 +1,32 @@ +documentation_complete: true + + +title: 'Require use_authtok for pam_unix.so' + +{{% set configFile = "/etc/pam.d/common-password" %}} + +description: |- + When password changing enforce the module to set the new password to the one + provided by a previously stacked password module + +rationale: |- + Require use_authtok in pam_unix.so configuration + +severity: medium + +ocil_clause: 'Usage of use_authtok for pam_unix.so is required' + +ocil: |- + To verify the password reuse setting is compliant, run the following command: +
$ grep use_authtok {{{ configFile }}}
+ The output should show use_authtok on the line. + +fixtext: |- + To configure the use_authtok option for the pam_unix + PAM modules, in the file {{{ configFile }}}, append use_authtok + to the line which refers to the pam_unix.so, as + shown below: + +
password [success=1 default=ignore] pam_unix.so ...existing_options... use_authtok
+ +platform: package[pam] diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh new file mode 100644 index 00000000000..bef6483a480 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh @@ -0,0 +1,33 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +config_file=/usr/share/pam-configs/tmpunix + +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +rm "$config_file" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh new file mode 100644 index 00000000000..20f55baf479 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh 
@@ -0,0 +1,5 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +config_file=/etc/pam.d/common-password +sed -i --follow-symlinks "s/use_authtok//g" $config_file diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 17ed7a13c7a..302deb02c94 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -913,8 +913,8 @@ if [ ! -f "$conf_path"/"$conf_name" ]; then if [ -f "$conf_path"/unix ]; then if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then cp "$conf_path"/unix "$conf_path"/"$conf_name" - sed -i '/Default: yes/a Priority: 257\ -Conflicts: unix' "$conf_path"/"$conf_name" + sed -i 's/Priority: [0-9]\+/Priority: 257\ +Conflicts: unix/' "$conf_path"/"$conf_name" DEBIAN_FRONTEND=noninteractive pam-auth-update else echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2 From 69a09abf6aadb7d02551328e21be6a8d9d061b54 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Tue, 7 Jan 2025 14:22:24 -0800 Subject: [PATCH 2/6] Ubuntu 24.04 5.3.3.4.4 Ensure pam_unix includes use_authtok --- .../oval/shared.xml | 2 +- .../tests/ubuntu_missing_value.fail.sh | 32 +++++++++++++++++-- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml index 452c7d05ccc..5ccbe170aae 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml @@ -10,7 +10,7 @@ 
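Review bot: The new `sed -i 's/Priority: [0-9]\+/Priority: 257\nConflicts: unix/'` in bash_pam_unix_enable (the macro body starts before this hunk) silently leaves the copied profile without `Conflicts: unix` when no `Priority: N` line is present, because a non-matching substitution is not an error and nothing checks the result before `pam-auth-update` runs; a follow-up `grep -q '^Conflicts: unix' "$conf_path"/"$conf_name" || echo "Failed to adjust priority of $conf_name" >&2` would make that visible. The literal 257 is unexplained at the new line; a comment such as `# presumably must outrank the Priority of the stock unix profile so cac_unix takes its slot in the stack — confirm against /usr/share/pam-configs/unix` would help the next reader. The change does correctly replace the old `a` command, which left the original Priority line in place next to the appended one.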
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh index 20f55baf479..5b7f2aff5a1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh @@ -1,5 +1,33 @@ #!/bin/bash # platform = multi_platform_ubuntu -config_file=/etc/pam.d/common-password -sed -i --follow-symlinks "s/use_authtok//g" $config_file +config_file=/usr/share/pam-configs/tmpunix + +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable tmpunix --force +rm "$config_file" From 8a4d2265982bb2d65e979c9b66d1321186b0c308 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Fri, 10 Jan 2025 14:03:51 -0800 Subject: [PATCH 3/6] Ubuntu 24.04 5.3.3.4.4 Ensure pam_unix includes use_authtok --- .../tests/ubuntu_missing_value.fail.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh index 5b7f2aff5a1..60e8989ae09 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh @@ -24,7 +24,7 @@ Session-Initial: required pam_unix.so Password-Type: Primary Password: - [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt + [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt Password-Initial: [success=end default=ignore] pam_unix.so obscure yescrypt EOF From 1cffce4643fb13f5cf04a4732024b04ca6ef0aee Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Fri, 10 Jan 2025 14:33:32 -0800 Subject: [PATCH 4/6] Attempting to fix Ubuntu 24.04 5.3.3.4.4 remdiation on server --- .../accounts_password_pam_unix_authtok/bash/shared.sh | 2 +- .../tests/ubuntu_missing_value.fail.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh index 1c7def053ef..57008e0168a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh 
@@ -9,6 +9,6 @@ sed -i -E '/^Password:/,/^[^[:space:]]/ { }' "$config_file" -DEBIAN_FRONTEND=noninteractive pam-auth-update +DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable cac_unix diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh index 60e8989ae09..904456b6ada 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh @@ -29,5 +29,5 @@ Password-Initial: [success=end default=ignore] pam_unix.so obscure yescrypt EOF -DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable tmpunix --force +DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable tmpunix rm "$config_file" From c1b0b0af814d03f0eaa30cd3be6e50b5b141c275 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Mon, 13 Jan 2025 14:20:30 -0800 Subject: [PATCH 5/6] Attempt to fix pam_unix authtok failure test --- .../accounts_password_pam_unix_authtok/oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml index 5ccbe170aae..a83774dfd98 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml 
@@ -17,7 +17,7 @@ {{{ accounts_password_pam_unix_file }}} - ^[ \t]*password[ \t]+([^#\n\r]+)[ \t]+pam_unix\.so[ \t]+([^#\n\r]+[ \t]+)?use_authtok.*$ + ^[ \t]*password[ \t]+([^\n\r]+)[\n\r]+[ \t]*password[ \t]+([^#\n\r]+)[ \t]+pam_unix\.so[ \t]+([^#\n\r]+[ \t]+)?use_authtok.*$ 1 From 2a15dc8ccabb9139d3c965b3be79bde83fb262e2 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Tue, 14 Jan 2025 15:11:37 -0800 Subject: [PATCH 6/6] Fix test issues --- .../oval/shared.xml | 25 ++++++++++-- .../tests/ubuntu_common.sh | 18 +++++++++ .../tests/ubuntu_conflicting_values.fail.sh | 39 +++++++++++++++++++ .../tests/ubuntu_conflicting_values2.fail.sh | 39 +++++++++++++++++++ .../tests/ubuntu_correct_value.pass.sh | 7 +++- .../tests/ubuntu_missing_value.fail.sh | 7 +++- .../ubuntu_missing_value_initial.pass.sh | 38 ++++++++++++++++++ 7 files changed, 168 insertions(+), 5 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml index a83774dfd98..b87d8152982 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml @@ -10,14 +10,33 @@ + + + obj_test_use_authtok_password_lines_except_first + ste_test_use_authtok_pam_unix_lines + + + + + ^[^#\n\r]+[ \t]+pam_unix\.so[ \t]+[^#\n\r]+use_authtok.*$ + + + + {{{ accounts_password_pam_unix_file }}} - ^[ \t]*password[ \t]+([^\n\r]+)[\n\r]+[ \t]*password[ \t]+([^#\n\r]+)[ \t]+pam_unix\.so[ \t]+([^#\n\r]+[ \t]+)?use_authtok.*$ - 1 + ^[ \t]*password[ \t]+(.+)$ + 2 + + + ^[^#\n\r]+[ \t]+pam_unix\.so.*$ + + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh new file mode 100644 index 00000000000..8bc825f2336 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +# remove all pam-auth-update configs which update the +# primary password block and create a config with well defined +# high priority to ensure correct stacking of our module +grep -il "Password-Type: Primary" /usr/share/pam-configs/* | grep -v "/unix$" | xargs rm -f + +cat << EOF > /usr/share/pam-configs/cac_test_echo +Name: Echo +Default: yes +Priority: 10000 +Password-Type: Primary +Password: + password optional pam_echo.so +Password-Initial: + password optional pam_echo.so +EOF diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh new file mode 100644 index 00000000000..80394934931 --- /dev/null 
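Review bot: The new state pattern `^[^#\n\r]+[ \t]+pam_unix\.so[ \t]+[^#\n\r]+use_authtok.*$` requires at least one non-blank character between `pam_unix.so` and `use_authtok`, so a compliant line such as `password [success=1 default=ignore] pam_unix.so use_authtok` is reported as failing; making the intermediate options optional, `^[^#\n\r]+[ \t]+pam_unix\.so([ \t]+[^#\n\r]+)?[ \t]+use_authtok([ \t].*)?$`, fixes that and also stops accepting an option that merely starts with `use_authtok`. The XML markup of this hunk did not survive extraction, so I could only check the patterns, not the object's instance selector (`2`) or the pam_unix filter. Since the object name `obj_test_use_authtok_password_lines_except_first` shows the first password line is deliberately exempted, a short comment in the OVAL stating why (the first module in the stack has no previously stacked token, so use_authtok must not be required there) would help.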
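Review bot: The `Password:` and `Password-Initial:` entries in the new cac_test_echo profile are written as `password optional pam_echo.so`, whereas every other profile in this series lists only control and module, e.g. `[success=end default=ignore] pam_unix.so`; if pam-auth-update prefixes each entry with the type, as the rendered `password [success=1 default=ignore] pam_unix.so …` line in rule.yml suggests, the result is `password password optional pam_echo.so`, an invalid PAM line. That does not affect the OVAL check, which only keys on the `^[ \t]*password` prefix, but it leaves a broken password stack on the test machine; `optional pam_echo.so` is enough. The `grep -il … | grep -v "/unix$" | xargs rm -f` line presumably also discards a `cac_unix` profile left by an earlier remediation run, which is worth a comment, e.g. `# keeps only the stock unix profile; cac_unix and other Primary password profiles are removed too`.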
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh @@ -0,0 +1,39 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +source ubuntu_common.sh + +config_file=/usr/share/pam-configs/tmpunix + +# lower priority to ensure the config is below the cac_test_echo +# on the stack, thus using the "Password:" configuration +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 1024 +Conflicts: unix +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt + [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +rm "$config_file" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh new file mode 100644 index 00000000000..6aff7903b99 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh 
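Review bot: The 25-line tmpunix profile in this heredoc is repeated almost verbatim in ubuntu_conflicting_values2.fail.sh, ubuntu_correct_value.pass.sh, ubuntu_missing_value.fail.sh and ubuntu_missing_value_initial.pass.sh, differing only in the `Priority:` value and the `Password:` entries, so the scenarios will drift apart as soon as one copy is edited; a helper in ubuntu_common.sh that takes the priority and the Password entries and writes the profile to stdout would let each test shrink to one call, e.g. `write_tmpunix 1024 '[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt' '[success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt' > "$config_file"`. The trailing `rm "$config_file"` removes the profile before the remediation's own `pam-auth-update` runs, which is presumably intended but deserves a one-line comment.
```shell
# ubuntu_common.sh — constructed helper, not in the page
# write_tmpunix PRIORITY PASSWORD_ENTRY...: print a tmpunix profile with the given
# Priority and one "Password:" entry per argument; Password-Initial stays fixed
write_tmpunix() {
  local priority=$1; shift
  printf 'Name: Unix authentication\nDefault: yes\nPriority: %s\nConflicts: unix\n' "$priority"
  # … unchanged: Auth/Auth-Initial/Account/Account-Initial/Session/Session-Initial blocks from the existing heredoc …
  printf 'Password-Type: Primary\nPassword:\n'
  printf '\t%s\n' "$@"
  printf 'Password-Initial:\n\t[success=end default=ignore] pam_unix.so obscure yescrypt\n'
}
```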
@@ -0,0 +1,39 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +source ubuntu_common.sh + +config_file=/usr/share/pam-configs/tmpunix + +# lower priority to ensure the config is below the cac_test_echo +# on the stack, thus using the "Password:" configuration +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 1024 +Conflicts: unix +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +rm "$config_file" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh index bef6483a480..1a8af633232 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh 
@@ -1,12 +1,17 @@ #!/bin/bash # platform = multi_platform_ubuntu +source ubuntu_common.sh + config_file=/usr/share/pam-configs/tmpunix +# lower priority to ensure the config is below the cac_test_echo +# on the stack, thus using the "Password:" configuration cat << EOF > "$config_file" Name: Unix authentication Default: yes -Priority: 0 +Priority: 1024 +Conflicts: unix Auth-Type: Primary Auth: [success=end default=ignore] pam_unix.so try_first_pass diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh index 904456b6ada..42d499b7c2f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh @@ -1,12 +1,17 @@ #!/bin/bash # platform = multi_platform_ubuntu +source ubuntu_common.sh + config_file=/usr/share/pam-configs/tmpunix +# lower priority to ensure the config is below the cac_test_echo +# on the stack, thus using the "Password:" configuration cat << EOF > "$config_file" Name: Unix authentication Default: yes Priority: 1024 +Conflicts: unix Auth-Type: Primary Auth: [success=end default=ignore] pam_unix.so try_first_pass @@ -29,5 +34,5 @@ Password-Initial: [success=end default=ignore] pam_unix.so obscure yescrypt EOF -DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable tmpunix +DEBIAN_FRONTEND=noninteractive pam-auth-update rm "$config_file" 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh new file mode 100644 index 00000000000..a8ef5c3e10e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh @@ -0,0 +1,38 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +source ubuntu_common.sh + +config_file=/usr/share/pam-configs/tmpunix + +# higher priority to ensure the config is above the cac_test_echo +# on the stack, thus using the "Password-Initial:" configuration +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 1000000 +Conflicts: unix +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +rm "$config_file"