Linux - password history limit written to system-auth (ac), but not written to password-aut

Time:11-11

According to this STIG, the password history setting is entered in /etc/pam.d/system-auth, but not in /etc/pam.d/password-auth. Other policies (such as account lockouts) are applied to both files.
Why isn't the password history entered in both as well, or is this just a typo in the STIG? (It's hard to believe it's the latter, but it happens.)

CodePudding user response:

The password-auth and system-auth files are not used directly by any process or service. Instead, they are pulled into other PAM configuration files with the include directive. In a default installation, the only thing that really cares about password history is the passwd command. It has its own PAM module, which only pulls in system-auth:

[root@rhel7 ~]# grep include /etc/pam.d/passwd
auth       include      system-auth
account    include      system-auth

Account lockout is recommended in both files, because the sshd service pulls in password-auth. On the RHEL 7 system I'm checking, system-auth is pulled into the PAM files for things users interact with directly (login and password changes, su and sudo, etc.), while password-auth is pulled in by running daemons such as sshd and crond.
If you want, you can add the password history setting to pam_unix.so in password-auth to keep things consistent. It won't hurt anything, but it won't do anything useful either.

CodePudding user response:

password-auth: this file is referenced by sshd for remote login; system-auth is referenced for local login.
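
The include relationships described in both answers can be checked mechanically. The following is an added example, not part of the original thread: it lists which services pull in each shared file and reads the history value from that file's password stack. The function names and the sample tree are constructed, and it assumes history is set with `remember=` on pam_unix.so or pam_pwhistory.so.

```shell
#!/bin/sh
# Added example. Function names and the sample tree are hypothetical.

# Print "<service> <stack-type>" for each file in DIR that pulls in TARGET
# via an include or substack directive.
pam_includers() {  # usage: pam_includers DIR TARGET
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v svc="$(basename "$f")" -v tgt="$2" '
            $1 ~ /^#/ { next }
            ($2 == "include" || $2 == "substack") && $3 == tgt {
                type = $1; sub(/^-/, "", type); print svc, type
            }' "$f"
    done
}

# Print the remember=N value on pam_unix.so or pam_pwhistory.so in the
# password stack of FILE; prints nothing when no history is configured.
pam_history() {  # usage: pam_history FILE
    awk '$1 == "password" && /pam_(unix|pwhistory)\.so/ {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^remember=[0-9]+$/) { v = $i; sub(/^remember=/, "", v); print v }
    }' "$1"
}

# Constructed sample tree, not copied from a real host; remember=5 is a sample value.
make_sample() {  # usage: make_sample DIR
    printf '%s\n' 'auth include system-auth' 'account include system-auth' \
        'password substack system-auth' > "$1/passwd"
    printf '%s\n' 'auth substack password-auth' 'account include password-auth' \
        'password include password-auth' > "$1/sshd"
    printf '%s\n' 'password sufficient pam_unix.so sha512 shadow use_authtok remember=5' \
        > "$1/system-auth"
    printf '%s\n' 'password sufficient pam_unix.so sha512 shadow use_authtok' \
        > "$1/password-auth"
}

# For each shared file: its history value and the services using its password stack.
audit() {  # usage: audit DIR
    for shared in system-auth password-auth; do
        users=$(pam_includers "$1" "$shared" |
            awk '$2 == "password" { printf "%s%s", sep, $1; sep = "," }')
        echo "$shared remember=$(pam_history "$1/$shared") password-stack-users=$users"
    done
}

demo=$(mktemp -d) && make_sample "$demo" && audit "$demo"
rm -rf "$demo"
```

On a real host, call `audit /etc/pam.d` instead of the sample tree; an empty `remember=` next to a non-empty list of password-stack users marks a path where history is not enforced.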