Skip to content

Set PAM's Common Authentication Hashing Algorithm

An XCCDF Rule

Description

The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-auth, the auth section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the auth section to include the argument sha512, as shown below:

auth   required    pam_unix.so sha512 other arguments...

This will help ensure when local users change their authentication method, hashes for the new authentications will be generated using the SHA-512 algorithm. This is the default.

Rationale

Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and data may be compromised. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

ID
xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_commonauth
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91647-8
  - NIST-800-53-IA-7

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

if [ -e "/etc/pam.d/common-auth" ] ; then
    valueRegex="" defaultValue=""
    # non-empty values need to be preceded by an equals sign