Avoid using remember in pam_unix module

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Description

The remember option stores the last n passwords for each user in /etc/security/opasswd, enforcing password history and preventing users from reusing the same passwords. However, this feature relies on the MD5 password hash algorithm, which is less secure. Instead, the pam_pwhistory module should be used. This module also stores the last n passwords in /etc/security/opasswd and it uses the password hash algorithm configured in the pam_unix module, such as yescrypt or SHA512, offering enhanced security.

Rationale

Removing the remember argument ensures the use of a stronger password hashing algorithm. A more robust hash algorithm increases the difficulty for attackers to crack stored passwords in /etc/security/opasswd, thereby improving system security and protecting user credentials.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then

conf_name=cac_unix
conf_path="/usr/share/pam-configs"

if [ ! -f "$conf_path"/"$conf_name" ]; then
    if [ -f "$conf_path"/unix ]; then
        if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
            cp "$conf_path"/unix "$conf_path"/"$conf_name"
            sed -i 's/Priority: [0-9]\+/Priority: 257\
Conflicts: unix/' "$conf_path"/"$conf_name"
            DEBIAN_FRONTEND=noninteractive pam-auth-update
        else
            echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2
        fi
    else
        echo "Not applicable - $conf_path/unix does not exist" >&2
    fi
fi
config_file="/usr/share/pam-configs/cac_unix"
sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ {
    /pam_unix\.so/ {
        s/\s*\bremember=\d+\b//g
    }
}' "$config_file"

DEBIAN_FRONTEND=noninteractive pam-auth-update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi