From deaf5b76830a0014102af44dbfb253fdb6672003 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Sun, 1 Dec 2024 14:15:17 +0000 Subject: [PATCH 1/6] Create bash_pam_pwquality_enable macro --- shared/macros/10-bash.jinja | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 016b5b72c9a..6dda526d5de 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -847,6 +847,28 @@ fi {{%- endmacro -%}} +{{# + Enable pam_pwquality.so PAM module by using pam-auth-update. + This option is only recommended when pam-auth-update tool is available for the system. +#}} +{{%- macro bash_pam_pwquality_enable() -%}} +conf_name=cac_pwquality +if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then + cat << EOF > /usr/share/pam-configs/"$conf_name" +Name: Pwquality password strength checking +Default: yes +Priority: 1025 +Conflicts: cracklib, pwquality +Password-Type: Primary +Password: + requisite pam_pwquality.so +EOF +fi + +DEBIAN_FRONTEND=noninteractive pam-auth-update +{{%- endmacro -%}} + + {{# Validate an authselect custom profile integrity and ensures the correct file path is defined in the "PAM_FILE_PATH" variable. The macros which change PAM files are the same regardless of From 1e1cb20b9e944f9ac7d72086b86db24273771c2d Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Sun, 1 Dec 2024 14:19:31 +0000 Subject: [PATCH 2/6] Create bash_pam_pwquality_parameter_value macro --- shared/macros/10-bash.jinja | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 6dda526d5de..f1e3ccc97b3 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
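Review bot: The `DEBIAN_FRONTEND=noninteractive pam-auth-update` call that closes the new bash_pam_pwquality_enable macro has its exit status ignored, and if I read pam-auth-update's behaviour right it leaves a locally modified /etc/pam.d/common-* file untouched unless `--force` is given, so the profile can be written yet never reach common-password while the remediation still reports success. At minimum check the status, e.g. `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1`, and decide explicitly whether `--force` (overriding local edits) is acceptable for a remediation. The macro also only creates /usr/share/pam-configs/cac_pwquality when the file is absent, so an existing file with stale content is never refreshed; the leading comment should say so, e.g. `An existing cac_pwquality profile is kept as-is; only a missing one is (re)created.`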
@@ -1074,6 +1074,38 @@ fi {{%- endmacro -%}} +{{# + Sets PAM pwquality module options and values. The module argument is not removed from pam files + since it is not inserted there in Ubuntu case. + It also assume pam_pwquality.so is added as required module for account. + +:param option: pwquality option eg. retry, minlen, dcredit +:type option: str +:param value: value of option +:type value: str + +#}} +{{%- macro bash_pam_pwquality_parameter_value(option, value='') -%}} +PWQUALITY_CONF="/etc/security/pwquality.conf" + {{%- if value == '' %}} + regex="^\s*{{{ option }}}" + line="{{{ option }}}" + {{%- else %}} + regex="^\s*{{{ option }}}\s*=" + line="{{{ option }}} = {{{ value }}}" + {{%- endif %}} + if ! grep -q $regex $PWQUALITY_CONF; then + echo $line >> $PWQUALITY_CONF + {{%- if value == '' %}} + fi + {{%- else %}} + else + sed -i --follow-symlinks 's|^\s*\({{{ option }}}\s*=\s*\)\(\S\+\)|\1'"{{{ value }}}"'|g' $PWQUALITY_CONF + fi + {{%- endif %}} +{{%- endmacro -%}} + + {{# Print a message to stderr and exit the shell From bb219fc6e32c5147f815f36ed42bae17b4486dd1 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Sun, 1 Dec 2024 14:20:52 +0000 Subject: [PATCH 3/6] Use the new macro to update the accounts_password_pam_retry remediation --- .../accounts_password_pam_retry/bash/ubuntu.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh index 7491f465d7c..a0e6201f168 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh 
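Review bot: `$regex`, `$line` and `$PWQUALITY_CONF` are expanded unquoted in `grep -q $regex $PWQUALITY_CONF` and `echo $line >> $PWQUALITY_CONF`; the regex contains `\s*`, so the unquoted `*` undergoes pathname expansion and a matching file name in the working directory would silently replace the pattern. Quote them: `if ! grep -q "$regex" "$PWQUALITY_CONF"; then` and `printf '%s\n' "$line" >> "$PWQUALITY_CONF"` (printf also avoids echo's option handling for values starting with `-`). The sed branch splices the raw `value` into the replacement text, so a value containing `|` or `&` would break the expression; since callers pass a shell variable, that assumption belongs in the macro's doc comment, whose `It also assume` should read `It also assumes`.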
@@ -2,4 +2,9 @@ {{{ bash_instantiate_variables("var_password_pam_retry") }}} -{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', 'retry', "$var_password_pam_retry", "$var_password_pam_retry") }}} +{{{ bash_pam_pwquality_enable() }}} +PAM_FILE_PATH=/usr/share/pam-configs/cac_pwquality +if grep -qE 'pam_pwquality\.so.*retry=[^[:space:]]' "$PAM_FILE_PATH"; then + sed -i -E '/pam_pwquality\.so/ s/\bretry=[^[:space:]]*\b ?//' "$PAM_FILE_PATH" +fi +{{{ bash_pam_pwquality_parameter_value('retry', "$var_password_pam_retry") }}} From d0c1d87c802a3206c84230269624712fe40a6870 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Sun, 1 Dec 2024 15:16:39 +0000 Subject: [PATCH 4/6] Update tests of accounts_password_pam_retry --- .../accounts_password_pam_retry/tests/common.sh | 3 +++ .../tests/correct_value.pass.sh | 14 ++++++++++++++ .../tests/wrong_value.fail.sh | 15 +++++++++++++++ 3 files changed, 32 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh index e6e6619b9a7..517cb8c3ed5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh @@ -15,6 +15,9 @@ for file in ${configuration_files[@]}; do "/etc/authselect/custom/testingProfile/$file" done authselect select --force custom/testingProfile +{{% elif 'ubuntu' in product %}} +rm -f /usr/share/pam-configs/*pwquality +DEBIAN_FRONTEND=noninteractive pam-auth-update {{% else %}} for file in ${configuration_files[@]}; do sed -i --follow-symlinks "/pam_pwquality\.so/d" "/etc/pam.d/$file" 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh index 51e4ad0062d..09fa74127c3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh @@ -4,6 +4,19 @@ source common.sh +{{% if 'ubuntu' in product %}} +cat << EOF > /usr/share/pam-configs/pwquality +Name: Pwquality password strength checking +Default: yes +Priority: 1024 +Conflicts: cracklib +Password-Type: Primary +Password: + requisite pam_pwquality.so retry=3 +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +{{% else %}} for file in ${configuration_files[@]}; do {{{ bash_ensure_pam_module_option('/etc/pam.d/$file', 'password', @@ -13,3 +26,4 @@ for file in ${configuration_files[@]}; do '3', '^\s*account') }}} done +{{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh index 5d2d908e8ac..a31d2849880 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh 
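Review bot: The Ubuntu branch added to correct_value.pass.sh pins `retry=3` as an argument on the pam_pwquality.so line inside a pam-configs profile, whereas the remediation in this series (ubuntu.sh as of patch 6) sets `retry` in /etc/security/pwquality.conf through bash_pam_pwquality_parameter_value and leaves the module arguments alone; unless the rule's check accepts either location, this pass scenario and the remediated state cannot both satisfy it, which is worth confirming against the Ubuntu OVAL. The same applies to the wrong_value.fail.sh hunk with `retry=7`. The scenario's profile declares `Priority: 1024` and `Conflicts: cracklib`, so if a cac_pwquality profile (`Priority: 1025`, `Conflicts: pwquality`) from an earlier remediation run is present it would disable this one; a comment such as `# assumes no cac_pwquality profile is present; common.sh only removes pwquality` would make that precondition visible.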
@@ -4,6 +4,19 @@ source common.sh +{{% if 'ubuntu' in product %}} +cat << EOF > /usr/share/pam-configs/pwquality +Name: Pwquality password strength checking +Default: yes +Priority: 1024 +Conflicts: cracklib +Password-Type: Primary +Password: + requisite pam_pwquality.so retry=7 +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +{{% else %}} for file in ${configuration_files[@]}; do {{{ bash_ensure_pam_module_option('/etc/pam.d/$file', 'password', @@ -13,3 +26,5 @@ for file in ${configuration_files[@]}; do '7', '^\s*account') }}} done +{{% endif %}} + From 55fff1fe8535aa5696cce5479a156794b7123f62 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Fri, 6 Dec 2024 15:48:01 +0000 Subject: [PATCH 5/6] Only delete the default pwquality config file --- .../accounts_password_pam_retry/tests/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh index 517cb8c3ed5..02bd487048c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh @@ -16,7 +16,7 @@ for file in ${configuration_files[@]}; do done authselect select --force custom/testingProfile {{% elif 'ubuntu' in product %}} -rm -f /usr/share/pam-configs/*pwquality +rm -f /usr/share/pam-configs/pwquality DEBIAN_FRONTEND=noninteractive pam-auth-update {{% else %}} for file in ${configuration_files[@]}; do From 73b8561617f4b523bfc7538a7016b94466e3c899 Mon Sep 17 00:00:00 2001 
From: Alan Moore Date: Fri, 6 Dec 2024 15:49:08 +0000 Subject: [PATCH 6/6] Remove duplicated configuration --- .../accounts_password_pam_retry/bash/ubuntu.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh index a0e6201f168..66ef54e7281 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh @@ -3,8 +3,4 @@ {{{ bash_instantiate_variables("var_password_pam_retry") }}} {{{ bash_pam_pwquality_enable() }}} -PAM_FILE_PATH=/usr/share/pam-configs/cac_pwquality -if grep -qE 'pam_pwquality\.so.*retry=[^[:space:]]' "$PAM_FILE_PATH"; then - sed -i -E '/pam_pwquality\.so/ s/\bretry=[^[:space:]]*\b ?//' "$PAM_FILE_PATH" -fi {{{ bash_pam_pwquality_parameter_value('retry', "$var_password_pam_retry") }}}