
On a RHEL 7 server, I have to implement two password policies that can be described as parameters of the PAM pam_pwquality module:

  1. password requisite pam_pwquality.so try_first_pass local_users_only minlen=14
  2. password requisite pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1

Furthermore, the default RHEL 7 PAM configuration already contains the following pam_pwquality entry:

  3. password requisite pam_pwquality.so try_first_pass local_users_only retry=3

My requirements are to apply the password policy of entry 3 to all users and the other password policies to two different groups of local users named group1 and group2.

To apply these requirements, I have added the following lines to /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac after the default pam_pwquality entry (numbered 3 in this question):

password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 # Default RHEL7 pam_pwquality.so entry
#BEGIN PWPOLICY 1
password [success=1 default=ignore] pam_succeed_if.so user notingroup group1
password    requisite     pam_pwquality.so try_first_pass local_users_only minlen=14 use_authtok
#END PWPOLICY 1


#BEGIN PWPOLICY 2
password [success=1 default=ignore] pam_succeed_if.so user notingroup group2
password    requisite     pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1 use_authtok
#END PWPOLICY 2

This configuration works as expected, but it has the disadvantage that when a user (who is in both group1 and group2) changes the password, they need to retype it multiple times, as shown in the following example:

[test@rhel7 ~]$ passwd 
Changing password for user test.
Changing password for test.
(current) UNIX password: 
New password: 
Retype new password: 
Retype new password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

The option "use_authtok" included in my last two pam_pwquality entries seems to be ignored.

Do you know what is wrong with this configuration, or another method to implement these requirements?

NoNoNo

1 Answer

The problem here is two-fold:

  1. pam_pwquality is designed to explicitly prompt for a password verification with pam_get_authtok_verify, and use_authtok only applies to pam_get_authtok_noverify.
  2. PAM works its way down the stack in order, so all of your users are hitting the default policy on the first line, and I believe your pam_succeed_if skips are not working the way you think they are.

I think you may want to invert the order and use the bracket syntax to achieve what you are after:

### Policy Group 1
# If the user is in group 1, do nothing (and run the next module), 
# otherwise skip to Group 2
password [success=ignore default=1] pam_succeed_if.so user ingroup group1

# If this module succeeds skip 3 modules: the two for Group 2 
# and 1 for the default entry, otherwise fail the stack immediately. 
# "die" matches the "requisite" in your original policy. If "required" is 
# intended, change this to "bad"
password [success=3      default=die]   pam_pwquality.so try_first_pass local_users_only minlen=14

### Policy Group 2
# If the user is in group 2, do nothing (and run the next module), 
# otherwise skip to the default entry
password [success=ignore default=1] pam_succeed_if.so user ingroup group2

# Similar to Group 1, except we only need to skip the default module entry on success
password [success=1  default=die]   pam_pwquality.so try_first_pass local_users_only dcredit=0 ucredit=0 ocredit=0 lcredit=0 minclass=3 maxsequence=1 

### Default RHEL7 pam_pwquality.so entry
password requisite          pam_pwquality.so try_first_pass local_users_only minlen=14

### This should be replaced with the stack responsible for managing passwords, if not the RHEL7 default
password sufficient         pam_unix.so try_first_pass use_authtok nullok sha512 shadow

There doesn’t appear to be any difference to me between Group #1’s policy and the default. Assuming that’s not intentional, I believe the above should work if you do need all 3 to be different.

Also: This solution assumes that group1 & group2 membership is mutually exclusive. If someone is in both groups, group1 takes precedence.

Erik Ogan