2017-12-13 08:59 UTC

ID: 0014216
Project: CentOS-7
Category: authconfig
View Status: public
Last Update: 2017-12-01 00:12
Platform: x86_64
OS: CentOS 7
OS Version: 7.4.1708
Product Version: 7.4.1708
Target Version:
Fixed in Version:

Summary: 0014216: it is not possible to disable pam_pwquality.so manually or with authconfig

Description:
On a system with SELinux enabled, the remember option cannot be used with pam_unix.so so the only choice is to use pam_pwhistory.

Unfortunately, pam_pwhistory and pam_pwquality cannot be turned on or off with authconfig. This is a problem because the recommended method to enable pam_pwhistory is to create and symlink your own system-auth-local file.

The most logical way to do this would be to simply have the system-auth-local file include system-auth-ac for auth,account,password, and session, and just place the pam_pwhistory line before the include in the password section.

Unfortunately, pam_pwhistory MUST go after pam_pwquality (otherwise you get bugs like the system asking you for the password 3 times on password change), so of course the logical conclusion is to disable pam_pwhistory so authconfig won't put it back in system-auth-ac and you can manually put it in the correct place in the stack.

You can try removing the entire pam_pwquality line from system-auth-ac and then set USEPWQUALITY=no in /etc/sysconfig/authconfig, however, running authconfig --updateall actually edits /etc/sysconfig/authconfig and sets it back to yes, and then re-inserts it into system-auth-ac.

This makes it completely impossible to accomplish both of:
1. Keep including system-auth-ac to get all the defaults that authconfig can manage
2. Have just your own customizations in system-auth-local

Instead, you have to keep the *entire* password stack in your system-auth-local and not include system-auth-ac at all.

This is quite inconvenient because any future changes to the PASSWORD stack that PAM can manage, you will have to manually include in your system-auth-local file.

Steps To Reproduce:
1. Change USEPWQUALITY=no in /etc/sysconfig/authconfig
2. (optionally remove all lines containing pam_pwquality.so from /etc/pam.d/system-auth-ac)
3. run 'authconfig --updateall'

Expected result:
/etc/pam.d/system-auth-ac no longer contains pam_pwquality.so
/etc/sysconfig/authconfig remains with USEPWQUALITY=no

Actual result:
/etc/pam.d contains pam_pwquality.so
/etc/sysconfig/authconfig has magically reset USEPWQUALITY=yes

Tags: No tags attached.

There are no notes attached to this issue.
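
An added example, not part of the original report or of authconfig: a shell check that expands the include lines of a PAM password stack and reports whether pam_pwquality.so runs before pam_pwhistory.so, the order the report calls for. The function names, the file names system-auth-local-before and system-auth-local-full, and the file contents are constructed for illustration.

```shell
# Added example: hypothetical helper names, constructed PAM file contents.
# Print the "password" stack of $1/$2 in order, expanding include/substack.
pam_password_modules() {
    dir=$1 file=$2
    [ -r "$dir/$file" ] || return 0
    # Drop comments; collapse "[value=action ...]" controls to a single word.
    sed -e 's/#.*//' -e 's/\[[^]]*\]/bracket/' "$dir/$file" |
    while read -r type control module _rest; do
        [ "${type#-}" = "password" ] || continue
        case $control in
            include|substack) pam_password_modules "$dir" "$module" ;;
            *) printf '%s\n' "${module##*/}" ;;
        esac
    done
}

# Status 0: pwquality before pwhistory; 1: pwhistory first (the order the
# report warns about); 2: one of the two modules is missing from the stack.
check_pw_order() {
    stack=$(pam_password_modules "$1" "$2")
    q=$(printf '%s\n' "$stack" | grep -n -x 'pam_pwquality\.so' | head -n 1 | cut -d: -f1)
    h=$(printf '%s\n' "$stack" | grep -n -x 'pam_pwhistory\.so' | head -n 1 | cut -d: -f1)
    [ -n "$q" ] && [ -n "$h" ] || return 2
    [ "$q" -lt "$h" ]
}

# Constructed sample files written into directory $1.
make_sample() {
    cat > "$1/system-auth-ac" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
    cat > "$1/system-auth-local-before" <<'EOF'
password    required      pam_pwhistory.so use_authtok remember=5
password    include       system-auth-ac
EOF
    cat > "$1/system-auth-local-full" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    required      pam_pwhistory.so use_authtok remember=5
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp"
for f in system-auth-local-before system-auth-local-full; do
    check_pw_order "$tmp" "$f" && echo "$f: ok" || echo "$f: status $?"
done
rm -rf "$tmp"
```

On a real host the same check would be pointed at /etc/pam.d and the file that system-auth links to, after each run of authconfig --updateall.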

Issue History
Date Modified Username Field Change
2017-12-01 00:12 nathan@nathanpeters.com New Issue