View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0014216||CentOS-7||authconfig||public||2017-12-01 00:12||2018-02-07 02:30|
|Platform||x86_64||OS||CentOS 7||OS Version||7.4.1708|
|Target Version||Fixed in Version|
|Summary||0014216: it is not possible to disable pam_pwquality.so manually or with authconfig|
|Description||On a system with SELinux enabled, the remember option cannot be used with pam_unix.so so the only choice is to use pam_pwhistory.|
Unfortunately, pam_pwhistory and pam_pwquality cannot be turned on or off with authconfig. This is a problem because the recommended method to enable pam_pwhistory is to create and symlink your own system-auth-local file.
The most logical way to do this would be to simply have the system-auth-local file include system-auth-ac for auth, account, password, and session, and just place the pam_pwhistory line before the include in the password section.
Unfortunately, pam_pwhistory MUST go after pam_pwquality (otherwise you get bugs like the system asking you for the password 3 times on password change), so of course the logical conclusion is to disable pam_pwhistory so authconfig won't put it back in system-auth-ac and you can manually put it in the correct place in the stack.
You can try removing the entire pam_pwquality line from system-auth-ac and then set USEPWQUALITY=no in /etc/sysconfig/authconfig, however, running authconfig --updateall actually edits /etc/sysconfig/authconfig and sets it back to yes, and then re-inserts it into system-auth-ac.
This makes it completely impossible to accomplish both of:
1. Keep including system-auth-ac to get all the defaults that authconfig can manage
2. Have just your own customizations in system-auth-local
Instead, you have to keep the *entire* password stack in your system-auth-local and not include system-auth-ac at all.
This is quite inconvenient because any future changes to the PASSWORD stack that PAM can manage, you will have to manually include in your system-auth-local file.
|Steps To Reproduce||1. Change USEPWQUALITY=no in /etc/sysconfig/authconfig|
2. (optionally remove all lines containing pam_pwquality.so from /etc/pam.d/system-auth-ac)
3. run 'authconfig --updateall'
/etc/pam.d/system-auth-ac no longer contains pam_pwquality.so
/etc/sysconfig/authconfig remains with USEPWQUALITY=no
/etc/pam.d contains pam_pwquality.so
/etc/sysconfig/authconfig has magically reset USEPWQUALITY=yes
|Tags||No tags attached.|
|The /etc/pam.d/system-auth-ac file is auto-generated and user changes will be destroyed the next time authconfig is run.|
|I'm not sure if I understand the purpose of that comment. Beyond stating the obvious, it doesn't address the reported issue at all, which is about how Authconfig doesn't allow you to disable pam_pwquality when it generates that file.|
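
An added check, not part of the report or of authconfig: it flattens the password stack across include lines, reports whether pam_pwhistory.so ends up after pam_pwquality.so, and reads back USEPWQUALITY so a reset by authconfig is visible. The file names local-include and local-full, the function names, and all file contents are constructed for illustration.

```shell
# Added example; every file written by make_samples is a constructed sample.
# Print password-stack modules of PAM file $1 in order, following include/substack into dir $2.
flatten_password_stack() {
    [ -r "$1" ] || return 0
    # Collapse bracketed controls like [success=1 default=ignore] into one word.
    sed 's/\[[^]]*]/[ctl]/' "$1" | while read -r type control module rest; do
        case "$type" in password|-password) ;; *) continue ;; esac
        case "$control" in
            include|substack) flatten_password_stack "$2/$module" "$2" ;;
            *) printf '%s\n' "$module" ;;
        esac
    done
}

# Classify the order the report requires: pam_pwhistory after pam_pwquality.
password_stack_order() {
    flatten_password_stack "$1" "$2" | awk '
        /pam_pwquality\.so/ && !q { q = NR }
        /pam_pwhistory\.so/ && !h { h = NR }
        END {
            if (!h) print "no-pwhistory"
            else if (!q) print "no-pwquality"
            else if (h > q) print "ok"
            else print "misordered"
        }'
}

# Value currently stored for USEPWQUALITY in sysconfig file $1.
usepwquality_value() { sed -n 's/^USEPWQUALITY=//p' "$1" | tail -n 1; }

# Write the constructed sample files into directory $1.
make_samples() {
    printf 'USEPWQUALITY=yes\n' > "$1/authconfig"
    cat > "$1/system-auth-ac" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
    cat > "$1/local-include" <<'EOF'
password    requisite     pam_pwhistory.so use_authtok remember=5
password    include       system-auth-ac
EOF
    cat > "$1/local-full" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    requisite     pam_pwhistory.so use_authtok remember=5
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
}
dir=$(mktemp -d) && make_samples "$dir"
for f in local-include local-full; do echo "$f: $(password_stack_order "$dir/$f" "$dir")"; done
```

On a real host the same functions can be pointed at /etc/pam.d/system-auth and /etc/sysconfig/authconfig before and after `authconfig --updateall` to see whether the stack or the setting changed.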