View Issue Details

ID: 0014216
Project: CentOS-7
Category: authconfig
View Status: public
Last Update: 2018-05-25 01:41
Reporter: nathan@nathanpeters.com
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: CentOS 7
OS Version: 7.4.1708
Product Version: 7.4.1708
Summary: 0014216: it is not possible to disable pam_pwquality.so manually or with authconfig
Description:

On a system with SELinux enabled, the remember option cannot be used with pam_unix.so, so the only choice is to use pam_pwhistory.

Unfortunately, pam_pwhistory and pam_pwquality cannot be turned on or off with authconfig. This is a problem because the recommended method to enable pam_pwhistory is to create and symlink your own system-auth-local file.

The most logical way to do this would be to simply have the system-auth-local file include system-auth-ac for auth,account,password, and session, and just place the pam_pwhistory line before the include in the password section.

Unfortunately, pam_pwhistory MUST go after pam_pwquality (otherwise you get bugs like the system asking you for the password 3 times on password change), so of course the logical conclusion is to disable pam_pwhistory so authconfig won't put it back in system-auth-ac and you can manually put it in the correct place in the stack.

You can try removing the entire pam_pwquality line from system-auth-ac and then set USEPWQUALITY=no in /etc/sysconfig/authconfig, however, running authconfig --updateall actually edits /etc/sysconfig/authconfig and sets it back to yes, and then re-inserts it into system-auth-ac.

This makes it completely impossible to accomplish both of:
1. Keep including system-auth-ac to get all the defaults that authconfig can manage
2. Have just your own customizations in system-auth-local

Instead, you have to keep the *entire* password stack in your system-auth-local and not include system-auth-ac at all.

This is quite inconvenient because any future changes to the PASSWORD stack that PAM can manage, you will have to manually include in your system-auth-local file.
Steps To Reproduce:

1. Change USEPWQUALITY=no in /etc/sysconfig/authconfig
2. (optionally remove all lines containing pam_pwquality.so from /etc/pam.d/system-auth-ac)
3. run 'authconfig --updateall'

Expected result:
/etc/pam.d/system-auth-ac no longer contains pam_pwquality.so
/etc/sysconfig/authconfig remains with USEPWQUALITY=no

Actual result:
/etc/pam.d contains pam_pwquality.so
/etc/sysconfig/authconfig has magically reset USEPWQUALITY=yes
Tags: No tags attached.
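
The ordering constraint from the description, as an added example that is not part of the original report: this script flattens the effective PAM password stack, following include lines, and reports whether pam_pwhistory.so lands after pam_pwquality.so. The file names local-include and local-full, the module options and all sample contents are constructed for illustration.

```shell
# Added example: flatten a PAM password stack (following include/substack)
# and check module order. flatten_password_stack DIR FILE [DEPTH]
flatten_password_stack() {
    dir=$1 file=$2 depth=${3:-0}
    [ "$depth" -lt 8 ] && [ -r "$dir/$file" ] || return 0   # loop/missing-file guard
    while read -r type control rest; do
        case $type in password|-password) ;; *) continue ;; esac
        case $control in
            \[*\]) ;;                      # one-word bracketed control
            \[*) rest=${rest#*\]} ;;       # e.g. [success=1 default=ignore]
        esac
        set -- $rest                       # first remaining word: module or file
        [ $# -gt 0 ] || continue
        case $control in
            include|substack)              # subshell keeps this loop's variables
                ( flatten_password_stack "$dir" "$1" $((depth + 1)) ) ;;
            *)  echo "${1##*/}" ;;
        esac
    done < "$dir/$file"
}

# Returns 0 if pam_pwhistory.so follows pam_pwquality.so, 1 if it precedes it,
# 2 if either module is missing from the effective stack.
pwhistory_after_pwquality() {
    flatten_password_stack "$1" "$2" | awk '
        $1 == "pam_pwquality.so" && !q { q = NR }
        $1 == "pam_pwhistory.so" && !h { h = NR }
        END { if (!q || !h) exit 2; exit ((h > q) ? 0 : 1) }'
}

# Constructed sample files (hypothetical names and options), not real system files.
demo_dir=$(mktemp -d)
cat > "$demo_dir/system-auth-ac" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
cat > "$demo_dir/local-include" <<'EOF'
password    required      pam_pwhistory.so use_authtok remember=5
password    include       system-auth-ac
EOF
cat > "$demo_dir/local-full" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    required      pam_pwhistory.so use_authtok remember=5
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
for f in local-include local-full; do
    rc=0; pwhistory_after_pwquality "$demo_dir" "$f" || rc=$?
    echo "$f: rc=$rc"
done
```

Pointing the two functions at /etc/pam.d and the file that system-auth links to performs the same check on a real host.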

Activities

xavinux (reporter), 2018-02-06 18:06, note ~0031165

The /etc/pam.d/system-auth-ac file is auto-generated and user changes will be destroyed the next time authconfig is run.

nathan@nathanpeters.com (reporter), 2018-02-07 02:30, note ~0031174

I'm not sure if I understand the purpose of that comment. Beyond stating the obvious, it doesn't address the reported issue at all, which is about how Authconfig doesn't allow you to disable pam_pwquality when it generates that file.

Issue History

Date Modified Username Field Change
2017-12-01 00:12 nathan@nathanpeters.com New Issue
2018-02-06 18:06 xavinux Note Added: 0031165
2018-02-07 02:30 nathan@nathanpeters.com Note Added: 0031174