It seems like if the line: 'password required pam_pwhistory.so remember=5'
is added before the pam_unix line in /etc/pam.d/common-password everything works as expected because the new password now won't match the "old" password that was already in the shadow file (which is what happens if pam_pwhistory line is set after pam_unix). The problem is that the CIS tooling for Ubuntu seems to be adding this line at the end of the file hence causing the issue. Do we need to modify this bug in any way to ensure the CIS implementation is amended/fixed as needed? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1989731 Title: Non-root user unable to change own password if pam_pwhistory is used Status in Ubuntu Security Guide: In Progress Status in pam package in Ubuntu: New Bug description: When pam_pwhistory is in use non-root users are unable to change their passwords. In fact, they are able to change it but the system spits out an error even though the password was indeed changed. Reproducer: ----------- 1. created an Ubuntu/Focal VM 2. added a user 'test' sudo adduser test # used passwd '123' su test 3. changed the password using 'passwd' logged in as the user 'test' passwd test # used passwd '1qaz2wsx' 4. logged out from 'test' and executed echo 'password required pam_pwhistory.so remember=5' | sudo tee -a /etc/pam.d/common-password 5. tried again to follow step 3 as user 'test' but the following happens: passwd test # used passwd '3edc4rfv' (1) Changing password for test. Current password: New password: Retype new password: Password has been already used. Choose another. passwd: Have exhausted maximum number of retries for service passwd: password unchanged However, I'm now able to log in as 'test' using the password in (1) (the one that was supposedly not set up due to having been already used) instead of the old one (the one that should be in place since the change process returned an error). 6. if I comment out 'password required pam_pwhistory.so remember=5' then I can log in as 'test' and change the password without issues This behavior has been verified with the below package versioning: ii libpam-cap:amd64 1:2.32-1 amd64 POSIX 1003.1e capabilities (PAM module) ii libpam-modules:amd64 1.3.1-5ubuntu4.3 amd64 Pluggable Authentication Modules for PAM ii libpam-modules-bin 1.3.1-5ubuntu4.3 amd64 Pluggable Authentication Modules for PAM - helper binaries ii libpam-runtime 1.3.1-5ubuntu4.3 all Runtime support for the PAM library ii libpam-systemd:amd64 245.4-4ubuntu3.15 amd64 system and service manager - PAM module ii libpam0g:amd64 1.3.1-5ubuntu4.3 amd64 Pluggable Authentication Modules library To manage notifications about this bug go to: https://bugs.launchpad.net/usg/+bug/1989731/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
