Wiki: https://fedoraproject.org/wiki/Changes/UsePAMInChpasswdNewusers
Discussion Thread: https://discussion.fedoraproject.org/t/184241
**This is a proposed Change for Fedora Linux.**
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
== Summary ==
Enable PAM (Pluggable Authentication Modules) support for the `chpasswd` and `newusers` utilities. This ensures that these tools follow the system-wide authentication and password policies (such as password complexity, history, and auditing) defined in the Fedora PAM stack.
== Owner ==
* Name: [[User:Ipedrosa| Iker Pedrosa]]
* Email: <ipedrosa@redhat.com>
== Detailed Description ==
Currently, the `chpasswd` and `newusers` binaries (provided by the `shadow-utils` package) update passwords directly without interacting with PAM. This means they can bypass security constraints defined in `/etc/pam.d/system-auth`, such as:
* Password quality requirements (`pam_pwquality`).
* Password history (`pam_pwhistory`).
* Account locking/unlocking logic.
* Centralized logging and auditing of password changes.
This proposal aims to modify these utilities to initialize a PAM session, allowing them to be "good citizens" within the Fedora security ecosystem and ensuring that administrative bulk updates respect the same rules as the `passwd` command.
This change addresses the issue reported in https://bugzilla.redhat.com/show_bug.cgi?id=2283963
== Feedback ==
N/A
== Benefit to Fedora ==
* Consistency: centralizes password policy enforcement. Administrators can be sure that policies set in PAM apply when using bulk update tools.
* Security: prevents the accidental setting of weak passwords via automation scripts that use `chpasswd`.
* Auditing: provides better traceability of password changes through standard PAM logging.
== Scope ==
* Proposal owners: modify `shadow-utils` dist-git to enable PAM support for `chpasswd` and `newusers`. Provide and package the corresponding PAM service files: `/etc/pam.d/chpasswd` and `/etc/pam.d/newusers`. Probably basing them on the existing `passwd` stack.
* Other developers: N/A
* Release engineering: N/A
* Policies and guidelines: N/A
* Trademark approval: N/A
* Alignment with the Fedora Strategy: N/A
== Upgrade/compatibility impact ==
Minimal. Scripts that rely on setting passwords that violate current PAM policies might fail (which is the intended security behavior). Administrators might need to adjust their PAM configurations if they want specific "relaxed" rules for these tools.
== Early Testing (Optional) ==
N/A
== How To Test ==
No special hardware or configuration is required to test this change.
# Install the updated `shadow-utils` package.
# Define a strict password policy in `/etc/security/pwquality.conf` (e.g., `minlen = 20`).
# Attempt to change a password using `echo "user:short" | chpasswd`.
# Expected result: The command should fail, citing that the password does not meet the complexity requirements.
== User Experience ==
End-users won't notice a change. System administrators will have a more robust and predictable environment where security policies are enforced consistently across all tools.
== Dependencies ==
This is an update to `shadow-utils` package and there are no external dependencies
== Contingency Plan ==
* Contingency mechanism: revert the changes in `shadow-utils` to the previous behaviour
* Contingency deadline: Beta Freeze.
* Blocks release? No
== Documentation ==
No documentation update.
== Release Notes ==
The `chpasswd` and `newusers` utilities now support PAM. This ensures that bulk password updates and user creations respect system-wide password policies, such as complexity and history requirements.
Discussion Thread: https://discussion.fedoraproject.org/t/184241
**This is a proposed Change for Fedora Linux.**
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
== Summary ==
Enable PAM (Pluggable Authentication Modules) support for the `chpasswd` and `newusers` utilities. This ensures that these tools follow the system-wide authentication and password policies (such as password complexity, history, and auditing) defined in the Fedora PAM stack.
== Owner ==
* Name: [[User:Ipedrosa| Iker Pedrosa]]
* Email: <ipedrosa@redhat.com>
== Detailed Description ==
Currently, the `chpasswd` and `newusers` binaries (provided by the `shadow-utils` package) update passwords directly without interacting with PAM. This means they can bypass security constraints defined in `/etc/pam.d/system-auth`, such as:
* Password quality requirements (`pam_pwquality`).
* Password history (`pam_pwhistory`).
* Account locking/unlocking logic.
* Centralized logging and auditing of password changes.
This proposal aims to modify these utilities to initialize a PAM session, allowing them to be "good citizens" within the Fedora security ecosystem and ensuring that administrative bulk updates respect the same rules as the `passwd` command.
This change addresses the issue reported in https://bugzilla.redhat.com/show_bug.cgi?id=2283963
== Feedback ==
N/A
== Benefit to Fedora ==
* Consistency: centralizes password policy enforcement. Administrators can be sure that policies set in PAM apply when using bulk update tools.
* Security: prevents the accidental setting of weak passwords via automation scripts that use `chpasswd`.
* Auditing: provides better traceability of password changes through standard PAM logging.
== Scope ==
* Proposal owners: modify `shadow-utils` dist-git to enable PAM support for `chpasswd` and `newusers`. Provide and package the corresponding PAM service files: `/etc/pam.d/chpasswd` and `/etc/pam.d/newusers`. Probably basing them on the existing `passwd` stack.
* Other developers: N/A
* Release engineering: N/A
* Policies and guidelines: N/A
* Trademark approval: N/A
* Alignment with the Fedora Strategy: N/A
== Upgrade/compatibility impact ==
Minimal. Scripts that rely on setting passwords that violate current PAM policies might fail (which is the intended security behavior). Administrators might need to adjust their PAM configurations if they want specific "relaxed" rules for these tools.
== Early Testing (Optional) ==
N/A
== How To Test ==
No special hardware or configuration is required to test this change.
# Install the updated `shadow-utils` package.
# Define a strict password policy in `/etc/security/pwquality.conf` (e.g., `minlen = 20`).
# Attempt to change a password using `echo "user:short" | chpasswd`.
# Expected result: The command should fail, citing that the password does not meet the complexity requirements.
== User Experience ==
End-users won't notice a change. System administrators will have a more robust and predictable environment where security policies are enforced consistently across all tools.
== Dependencies ==
This is an update to `shadow-utils` package and there are no external dependencies
== Contingency Plan ==
* Contingency mechanism: revert the changes in `shadow-utils` to the previous behaviour
* Contingency deadline: Beta Freeze.
* Blocks release? No
== Documentation ==
No documentation update.
== Release Notes ==
The `chpasswd` and `newusers` utilities now support PAM. This ensures that bulk password updates and user creations respect system-wide password policies, such as complexity and history requirements.
No comments:
Post a Comment