Avoid using remember in pam_unix module
Description
The remember option stores the last n passwords for each user in /etc/security/opasswd,
enforcing password history and preventing users from reusing the same passwords. However, this feature
relies on the MD5 password hash algorithm, which is less secure. Instead, the pam_pwhistory
module should be used. This module also stores the last n passwords in /etc/security/opasswd
and it uses the password hash algorithm configured in the pam_unix module, such as yescrypt or SHA512,
offering enhanced security.
Rationale
Removing the remember argument ensures the use of a stronger password hashing algorithm.
A more robust hash algorithm increases the difficulty for attackers to crack stored
passwords in /etc/security/opasswd, thereby improving system security and
protecting user credentials.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then
conf_name=cac_unix
conf_path="/usr/share/pam-configs"
if [ ! -f "$conf_path"/"$conf_name" ]; then
if [ -f "$conf_path"/unix ]; then
if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
cp "$conf_path"/unix "$conf_path"/"$conf_name"
sed -i 's/Priority: [0-9]\+/Priority: 257\
Conflicts: unix/' "$conf_path"/"$conf_name"
DEBIAN_FRONTEND=noninteractive pam-auth-update
else
echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2
fi
else
echo "Not applicable - $conf_path/unix does not exist" >&2
fi
fi
config_file="/usr/share/pam-configs/cac_unix"
sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ {
/pam_unix\.so/ {
s/\s*\bremember=\d+\b//g
}
}' "$config_file"
DEBIAN_FRONTEND=noninteractive pam-auth-update
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
