password history problem

In a nutshell, my problem is that not all password changes for (non-root) users are being added to the password history file.

I'm running RHEL6.1.  I am required to use the following system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=900
auth        required      pam_env.so
auth        required      pam_faillock.so authsucc deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
auth        required      pam_unix.so debug
auth       [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=5 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4
#password    sufficient    pam_pwhistory.so use_authtok remember=5 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

If a user logs in and uses "passwd" to change their password, I see the (encrypted) password added to the opasswd file.  Well and good.

The problem is that effectively all of my users have captive accounts and never see the command line.  Instead, when their password ages out they are prompted to change it before the application that they use is launched.  When their passwords are changed this way nothing is added to opasswd.

I've tried playing with the system-auth file (e.g. using pam_pwhistory, which is currently commented out) but no luck so far and I'm about out of ideas.

Would really really appreciate any and all suggestions!
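One way to measure the gap described in this post is to cross-check the two files involved by their documented formats: /etc/shadow records the day (days since the epoch) of each user's last password change, and /etc/security/opasswd records the old hashes that pam_unix remember= or pam_pwhistory kept. A user whose password changed after history enforcement was switched on but who has no opasswd entry went through a change path that bypassed the history module. This is an added example, not code from the original post; the sample file contents, user names and hash strings are constructed, and the baseline day is an assumed parameter.

```python
"""Audit whether password changes actually land in the PAM history file.

Added example (not from the forum post). It parses two files by their
documented formats:
  /etc/shadow            name:hash:lastchg:min:max:warn:inactive:expire:reserved
  /etc/security/opasswd  name:uid:count:hash1,hash2,...
and reports users whose password changed after a baseline day but who
have no stored history. All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class HistoryGap:
    user: str
    last_change_day: int   # days since 1970-01-01, as stored in shadow
    history_count: int     # number of old hashes found in opasswd


def parse_shadow(text):
    """Return {user: lastchg_day} for accounts that have a real password hash."""
    out = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        # Locked ("!", "!!", "!$6$...") or empty entries never produce history.
        if pw_hash in ("", "*") or pw_hash.startswith("!"):
            continue
        out[name] = int(lastchg) if lastchg else 0
    return out


def parse_opasswd(text):
    """Return {user: number of old hashes stored} from opasswd lines."""
    out = {}
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, hashes = fields[0], fields[3]
        # Count the hash list itself rather than trusting the count field.
        out[name] = len([h for h in hashes.split(",") if h])
    return out


def find_history_gaps(shadow_text, opasswd_text, baseline_day):
    """Users whose password changed after baseline_day with no opasswd history.

    baseline_day: day (since epoch) when remember=/pam_pwhistory was enabled;
    any change after that should have left at least one entry in opasswd.
    """
    lastchg = parse_shadow(shadow_text)
    history = parse_opasswd(opasswd_text)
    gaps = []
    for user, day in sorted(lastchg.items()):
        count = history.get(user, 0)
        if day > baseline_day and count == 0:
            gaps.append(HistoryGap(user, day, count))
    return gaps


# Constructed sample data: hash strings are placeholders, not real hashes.
SHADOW_SAMPLE = """\
root:$6$salt$ROOTHASHPLACEHOLDER:15000:0:99999:7:::
alice:$6$salt$ALICEHASHPLACEHOLDER:15400:1:60:7:::
bob:$6$salt$BOBHASHPLACEHOLDER:15410:1:60:7:::
svcacct:!!:15000:0:99999:7:::
"""

# alice changed her password with passwd and has one old hash recorded;
# bob changed his through the captive application and has none.
OPASSWD_SAMPLE = """\
alice:500:1:$6$salt$ALICEOLDHASHPLACEHOLDER
"""

BASELINE_DAY = 15300  # assumed: day history enforcement was turned on

if __name__ == "__main__":
    for gap in find_history_gaps(SHADOW_SAMPLE, OPASSWD_SAMPLE, BASELINE_DAY):
        print(f"{gap.user}: changed on day {gap.last_change_day}, "
              f"history entries: {gap.history_count}")
```

Run against the real files (as root, read-only) the output lists exactly the accounts whose change path skipped the history module, which is the population to compare against the application's password-change mechanism.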