ANSSI profile configures unsupported password hashing algorithm on RHEL 8
vojtapolasek opened this issue
Description of problem:
After applying the ANSSI BP028 High profile on RHEL 8, the passwd command refuses to change the password, and the logs suggest that the sha512 algorithm is not supported.
SCAP Security Guide Version:
master as of bec7734
Operating System Version:
RHEL 8
Steps to Reproduce:
- ./build_product rhel8
- upload the datastream to a VM running RHEL 8
- oscap xccdf eval --remediate --profile anssi_bp28_high ssg-rhel8-ds.xml
- passwd
- journalctl | tail
Actual Results:
Changing password for user root.
New password:
Retype new password:
passwd: Authentication token manipulation error
...
Apr 09 14:19:16 rhel8 passwd[23724]: pam_unix(passwd:chauthtok): Algo sha512 not supported by the crypto backend.
Apr 09 14:19:16 rhel8 passwd[23724]: pam_unix(passwd:chauthtok): crypt() failure or out of memory for password
Expected Results:
The password gets changed.
Additional Information/Debugging Steps:
The rule causing this problem is probably set_password_hashing_algorithm_systemauth.
This is concerning. If true, there are other profiles we need to check on as well.
I can confirm this issue.
On Red Hat 8.10, after profile application passwords are stuck, and if the root password is weak, the profile expires it and you can't rescue it via chroot.
Hello, I investigated this a bit more and I found interesting things.
I confirm this happens on RHEL 8 but it DOES not happen on RHEL 9.
Then I found that the problematic lines are probably these:
/etc/authselect/system-auth:password sufficient pam_unix.so sha512 shadow nullok use_authtok rounds=11
/etc/authselect/password-auth:password sufficient pam_unix.so sha512 shadow nullok use_authtok rounds=11
Interestingly, the passwd command starts working again when I remove the rounds=11 part.
Update:
I replaced rounds=11 with the same value oscap uses on Red Hat 8.8, rounds=65536, in both files, and all is OK now.
pam_unix.so
We can safely update this to use 65536 with sha512.
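The audit script below is an added example and not code from this issue thread or from the SCAP Security Guide project. It scans pam_unix "password" entries of the kind quoted above and flags a rounds= value that sha512crypt (and sha256crypt) cannot accept: both algorithms only take rounds in the range 1000..999999999, so rounds=11 is rejected while rounds=65536 is fine. The function names, the temporary files and the sample lines are constructed for the example; the sample lines mirror the broken and the corrected entries from the thread.

```shell
#!/bin/bash
# Added example (not from the issue thread or the SCAP Security Guide project).
# Audits pam_unix "password" entries, as found in /etc/pam.d/system-auth and
# /etc/pam.d/password-auth, for a rounds= value outside the range that
# sha512crypt / sha256crypt accept.

# Range defined by the SHA-crypt specification for both sha256 and sha512.
SHA_ROUNDS_MIN=1000
SHA_ROUNDS_MAX=999999999

# check_pam_unix_rounds <file>
# Prints one "OK"/"BAD" line per pam_unix password entry in <file> and
# returns 1 if at least one entry carries an out-of-range rounds= value.
check_pam_unix_rounds() {
    file=$1
    rc=0
    while IFS= read -r line; do
        case "$line" in
            password*pam_unix.so*) ;;   # only the password stack uses the hash options
            *) continue ;;
        esac
        algo=default                   # no algorithm keyword: pam_unix default
        rounds=
        for tok in $line; do           # word-split the entry into its options
            case "$tok" in
                md5|bigcrypt|sha256|sha512|blowfish|gost_yescrypt|yescrypt) algo=$tok ;;
                rounds=*) rounds=${tok#rounds=} ;;
            esac
        done
        status=OK
        case "$algo" in
            sha256|sha512)
                case "$rounds" in
                    '') ;;                      # rounds= absent: algorithm default applies
                    *[!0-9]*) status=BAD ;;     # not a number at all
                    *) if [ "$rounds" -lt "$SHA_ROUNDS_MIN" ] || [ "$rounds" -gt "$SHA_ROUNDS_MAX" ]; then
                           status=BAD
                       fi ;;
                esac ;;
        esac
        if [ "$status" = BAD ]; then
            rc=1
        fi
        printf '%s algo=%s rounds=%s\n' "$status" "$algo" "${rounds:-unset}"
    done < "$file"
    return $rc
}

# Constructed sample files: BROKEN mirrors the rounds=11 entry quoted in the
# thread, FIXED the rounds=65536 value the thread settles on.
BROKEN=$(mktemp)
FIXED=$(mktemp)
printf '%s\n' \
    'auth        sufficient    pam_unix.so try_first_pass nullok' \
    'password    sufficient    pam_unix.so sha512 shadow nullok use_authtok rounds=11' > "$BROKEN"
printf '%s\n' \
    'password    sufficient    pam_unix.so sha512 shadow nullok use_authtok rounds=65536' > "$FIXED"

for f in "$BROKEN" "$FIXED"; do
    echo "== $f"
    check_pam_unix_rounds "$f" || echo "   -> a pam_unix entry has rounds outside ${SHA_ROUNDS_MIN}..${SHA_ROUNDS_MAX}"
done
```

On a real host run it as `check_pam_unix_rounds /etc/pam.d/system-auth` (and the same for password-auth) after applying a profile; a BAD line with a small rounds value is the symptom to look for before passwd starts failing with the "Algo sha512 not supported" message shown above. The script only reports; it does not rewrite the files.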