From dadf18aa28778afbf87eae93c4755e482c51b179 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Mon, 2 Dec 2024 16:19:51 +0000
Subject: [PATCH 01/18] Create bash_pam_unix_enable macro

---
 shared/macros/10-bash.jinja | 39 +++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index aed5e6451a3..786bc316d5e 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -901,6 +901,45 @@ DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{%- endmacro -%}}
 
 
+{{#
+    Enable pam_unix.so PAM module by using pam-auth-update.
+    This option is only recommended when pam-auth-update tool is available for the system.
+#}}
+{{%- macro bash_pam_unix_enable() -%}}
+conf_name=cac_unix
+if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then
+    cat << EOF > /usr/share/pam-configs/"$conf_name"
+Name: Unix authentication
+Default: yes
+Priority: 257
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt
+EOF
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+{{%- endmacro -%}}
+
+
 {{#
     Validate an authselect custom profile integrity and ensures the correct file path is defined
     in the "PAM_FILE_PATH" variable. The macros which change PAM files are the same regardless of

From 1f71398cb03ed681e4cd0c4456a46ca05dcc1f29 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Mon, 2 Dec 2024 16:22:13 +0000
Subject: [PATCH 02/18] Use pam-auth-update to remediate the pam_unix related
 rules

---
 .../bash/shared.sh                            | 16 +++++++--
 .../bash/shared.sh                            | 36 ++++++++++++++++---
 .../no_empty_passwords/bash/shared.sh         |  5 +--
 3 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
index fe43d9d396f..d6b8ed4d34e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -2,16 +2,28 @@
 
 {{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
 
-{{% if "debian" in product or "ubuntu" in product or "sle12" in product %}}
+{{% if "debian" in product or "sle12" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+{{% elif "ubuntu" in product %}}
+{{%- set accounts_password_pam_unix_remember_file = '/usr/share/pam-configs/unix' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}
 
-{{% if "debian" in product or "ubuntu" in product %}}
+{{% if "debian" in product %}}
 
 {{{ bash_ensure_pam_module_options(accounts_password_pam_unix_remember_file, 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
 
+{{% elif "ubuntu" in product %}}
+{{{ bash_pam_unix_enable() }}}
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$var_password_pam_unix_remember"'/g
+    }
+}' "$accounts_password_pam_unix_remember_file"
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 
 {{{ bash_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
index 18f72ed0e13..977e62cd3ea 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
@@ -6,18 +6,30 @@
 PAM_FILE_PATH="/etc/pam.d/common-password"
 CONTROL="required"
 {{%- elif 'ubuntu' in product -%}}
-PAM_FILE_PATH="/etc/pam.d/common-password"
+{{{ bash_pam_unix_enable() }}}
+PAM_FILE_PATH=/usr/share/pam-configs/cac_unix
 {{%- else -%}}
 PAM_FILE_PATH="/etc/pam.d/system-auth"
 CONTROL="sufficient"
 {{%- endif %}}
 
 {{% if 'ubuntu' in product -%}}
-# Can't use macro bash_ensure_pam_module_configuration because the control
-# contains special characters and is not static ([success=N default=ignore)
-if ! grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
-  sed -i -E --follow-symlinks "/\s*password\s+.*\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH"
+if ! grep -qzP "Password:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
+  sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/$/ '"$var_password_hashing_algorithm_pam"'/g
+    }
+}' "$PAM_FILE_PATH"
+fi
+
+if ! grep -qzP "Password-Initial:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
+  sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/$/ '"$var_password_hashing_algorithm_pam"'/g
+    }
+}' "$PAM_FILE_PATH"
 fi
+
 {{%- else -%}}
 {{{ bash_ensure_pam_module_configuration("$PAM_FILE_PATH", 'password', "$CONTROL", 'pam_unix.so', "$var_password_hashing_algorithm_pam", '', '') }}}
 {{%- endif %}}
@@ -27,8 +39,22 @@ declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blow
 
 for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
   if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then
+    {{% if 'ubuntu' in product -%}}
+      sed -i -E '/^Password:/,/^[^[:space:]]/ {
+      /pam_unix\.so/ {
+        s/\s*'"$hash_option"'//g
+      }
+      }' "$PAM_FILE_PATH"
+      sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+      /pam_unix\.so/ {
+        s/\s*'"$hash_option"'//g
+      }
+      }' "$PAM_FILE_PATH"
+      DEBIAN_FRONTEND=noninteractive pam-auth-update
+    {{%- else -%}}
     if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$PAM_FILE_PATH"; then
       {{{ bash_remove_pam_module_option_configuration("$PAM_FILE_PATH", 'password', ".*", 'pam_unix.so', "$hash_option") }}}
     fi
+    {{%- endif %}}
   fi
 done
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
index 88999830909..a52ca717c84 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -11,8 +11,9 @@ for FILE in ${NULLOK_FILES}; do
    sed --follow-symlinks -i 's/\<nullok\>//g' ${FILE}
 done
 {{% elif 'ubuntu' in product %}}
-FILE="/etc/pam.d/common-password"
-sed -i 's/\(.*pam_unix\.so.*\)\s\<nullok\>\(.*\)/\1\2/g' ${FILE}
+{{{ bash_pam_unix_enable() }}}
+sed --follow-symlinks -i 's/\<nullok\>//g' /usr/share/pam-configs/cac_unix
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 if [ -f /usr/bin/authselect ]; then
     {{{ bash_enable_authselect_feature('without-nullok') }}}

From 7faac26f0309783f709d240604609b3c68d312d9 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Tue, 3 Dec 2024 12:43:44 +0000
Subject: [PATCH 03/18] correct the pam-auth-update conf path

---
 .../accounts_password_pam_unix_remember/bash/shared.sh          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
index d6b8ed4d34e..913e1f51d68 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -5,7 +5,7 @@
 {{% if "debian" in product or "sle12" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% elif "ubuntu" in product %}}
-{{%- set accounts_password_pam_unix_remember_file = '/usr/share/pam-configs/unix' -%}}
+{{%- set accounts_password_pam_unix_remember_file = '/usr/share/pam-configs/cac_unix' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}

From 280ee4362b675484c68db9d8fa7547c686335f32 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Tue, 3 Dec 2024 16:24:24 +0000
Subject: [PATCH 04/18] Use bash variable instead of jinja variable

---
 .../bash/shared.sh                                    | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
index 913e1f51d68..be98288d7a4 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -5,7 +5,7 @@
 {{% if "debian" in product or "sle12" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% elif "ubuntu" in product %}}
-{{%- set accounts_password_pam_unix_remember_file = '/usr/share/pam-configs/cac_unix' -%}}
+config_file="/usr/share/pam-configs/cac_unix"
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}
@@ -21,7 +21,14 @@ sed -i -E '/^Password:/,/^[^[:space:]]/ {
         s/\s*remember=[^[:space:]]*//g
         s/$/ remember='"$var_password_pam_unix_remember"'/g
     }
-}' "$accounts_password_pam_unix_remember_file"
+}' "$config_file"
+
+sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$var_password_pam_unix_remember"'/g
+    }
+}' "$config_file"
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}

From 34c80d836dfca28cc45b0e3da15af783e2894dc1 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Tue, 3 Dec 2024 16:25:42 +0000
Subject: [PATCH 05/18] Use pam-auth-update to fix the
 accounts_password_pam_unix_remember test

---
 .../tests/ubuntu_arg_missing.fail.sh          | 31 ++++++++++++++++---
 .../tests/ubuntu_correct_value.pass.sh        | 20 ++++++++++--
 .../tests/ubuntu_wrong_value.fail.sh          | 30 ++++++++++++++++--
 3 files changed, 73 insertions(+), 8 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
index db7fb6f2ea7..4c2c430a011 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
@@ -1,7 +1,30 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
-config_file=/etc/pam.d/common-password
-if grep -q "pam_unix\.so.*remember=" "${config_file}" ; then
-    sed -i "/pam_unix\.so/ s/\bremember=\S*//" "${config_file}"
-fi
+cat << EOF > /usr/share/pam-configs/unix
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
index d66fdd55278..9c3c606b024 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
@@ -2,6 +2,22 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/etc/pam.d/common-password
+config_file=/usr/share/pam-configs/cac_unix
 remember_cnt=5
-sed -i "s/password.*pam_unix.so.*/password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=${remember_cnt} rounds=5000/" "${config_file}"
+
+{{{ bash_pam_unix_enable() }}}
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$remember_cnt"'/g
+    }
+}' "$config_file"
+
+sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$remember_cnt"'/g
+    }
+}' "$config_file"
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
index 2fe578bfcfe..4295c4dc27e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
@@ -2,7 +2,33 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/etc/pam.d/common-password
+config_file=/usr/share/pam-configs/unix
 remember_cnt=3
-sed -i "s/password.*pam_unix.so.*/password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=${remember_cnt} rounds=5000/" "${config_file}"
 
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt remember=$remember_cnt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt remember=$remember_cnt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update

From 84a9c942109f23dd1f2011c6a349a8352a56ce35 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Tue, 3 Dec 2024 16:26:20 +0000
Subject: [PATCH 06/18] Use pam-auth-update to fix the
 set_password_hashing_algorithm_systemauth tests

---
 .../tests/commented_value.fail.sh             | 28 +++++++++++++++--
 .../tests/correct.pass.sh                     | 31 ++++++++++++++++---
 .../tests/missing.fail.sh                     | 27 +++++++++++++++-
 3 files changed, 78 insertions(+), 8 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
index 40adbb8d548..60e5a07a877 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
@@ -3,5 +3,29 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 # remediation = none
 
-sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/sha512//g' /etc/pam.d/common-password
-sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/$/ # sha512/' /etc/pam.d/common-password
+cat << EOF > /usr/share/pam-configs/unix
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass # sha512
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure # sha512
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
index 23e5eb547b8..67ca0ca7615 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
@@ -3,11 +3,32 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-pam_file="/etc/pam.d/common-password"
-
-if ! grep -q "^\s*password.*pam_unix\.so.*sha512" "$pam_file"; then
-	sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/$/ sha512/' "$pam_file"
-fi
+cat << EOF > /usr/share/pam-configs/unix
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass sha512
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure sha512
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 pam_file="/etc/pam.d/system-auth"
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
index 2bb932df8c0..3787dd5bbd9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
@@ -3,7 +3,32 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/common-password"
+cat << EOF > /usr/share/pam-configs/unix
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 sed -i --follow-symlinks '/^password.*sufficient.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/system-auth"
 {{% endif %}}

From 0879b3eae735c3fbb0fbf0a6d046990437b2b670 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Tue, 3 Dec 2024 17:05:37 +0000
Subject: [PATCH 07/18] Make oval of set_password_hashing_algorithm_systemauth
 to also exclude the comment out hash

---
 .../set_password_hashing_algorithm_systemauth/oval/shared.xml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
index c599abe49f5..d55c83d218e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
@@ -18,7 +18,7 @@
   {{% endif %}}
 
   {{% set pam_unix_algorithms = "(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)" %}}
-  {{% set hashing_pattern = line_pattern + "(?!.*" + pam_unix_algorithms + ".*" + pam_unix_algorithms + ").*" + pam_unix_algorithms + ".*$" %}}
+  {{% set hashing_pattern = line_pattern + "(?!.*" + pam_unix_algorithms + "[^#]*" + pam_unix_algorithms + ").*" + pam_unix_algorithms + ".*$" %}}
 
   <!--
     In addition to the pam file, what usually differ between products are the controls in the

From 1436411777c0d5cf050daf8590f19e3f81dcc2a6 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Tue, 3 Dec 2024 17:37:50 +0000
Subject: [PATCH 08/18] Fix more test

---
 .../tests/wrong_value_concat.fail.sh          | 28 +++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
index f59622a555a..f9856a6c500 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
@@ -2,5 +2,29 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_hashing_algorithm_pam=sha512
 
-sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/sha512//g' /etc/pam.d/common-password
-sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/$/ sha5122/' /etc/pam.d/common-password
+cat << EOF > /usr/share/pam-configs/unix
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass sha5122
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure sha5122
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update

From 0ba830273921fa20534ec5cf6eb93dde356ce216 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Tue, 3 Dec 2024 17:45:00 +0000
Subject: [PATCH 09/18] Add word boundary for hash algorithm

---
 .../set_password_hashing_algorithm_systemauth/oval/shared.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
index d55c83d218e..3e90e2211cd 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
@@ -17,8 +17,8 @@
     {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+" %}}
   {{% endif %}}
 
-  {{% set pam_unix_algorithms = "(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)" %}}
-  {{% set hashing_pattern = line_pattern + "(?!.*" + pam_unix_algorithms + "[^#]*" + pam_unix_algorithms + ").*" + pam_unix_algorithms + ".*$" %}}
+  {{% set pam_unix_algorithms = "\\b(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)\\b" %}}
+  {{% set hashing_pattern = line_pattern + "(?!.*" + pam_unix_algorithms + "[^#]*" + pam_unix_algorithms + ")[^#]*" + pam_unix_algorithms + ".*$" %}}
 
   <!--
     In addition to the pam file, what usually differ between products are the controls in the

From 446f44e9298a0c6c800450c60e5b9d9a152032f2 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Wed, 11 Dec 2024 18:27:27 +0000
Subject: [PATCH 10/18] Use {{{ pam_file }}} as file path

---
 .../oval/shared.xml                           | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
index 3e90e2211cd..63f200056ad 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
@@ -1,22 +1,22 @@
+{{% if product in ['sle12', 'sle15', 'slmicro5'] %}}
+  {{% set pam_file = "/etc/pam.d/common-password" %}}
+  {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+" %}}
+{{% elif 'ubuntu' in product %}}
+  {{% set pam_file = "/etc/pam.d/common-password" %}}
+  {{% set line_pattern = "^[\s]*password[\s]+(?:\[success=\d+\s+default=ignore\])[\s]+pam_unix\.so[\s]+" %}}
+{{% else %}}
+  {{% set pam_file = "/etc/pam.d/system-auth" %}}
+  {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+" %}}
+{{% endif %}}
+
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="2">
-    {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}
+    {{{ oval_metadata("The password hashing algorithm should be set correctly in {{{ pam_file }}}.") }}}
     <criteria operator="AND">
       <criterion test_ref="test_pam_unix_hashing_algorithm_systemauth" />
     </criteria>
   </definition>
 
-  {{% if product in ['sle12', 'sle15', 'slmicro5'] %}}
-    {{% set pam_file = "/etc/pam.d/common-password" %}}
-    {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+" %}}
-  {{% elif 'ubuntu' in product %}}
-    {{% set pam_file = "/etc/pam.d/common-password" %}}
-    {{% set line_pattern = "^[\s]*password[\s]+(?:\[success=\d+\s+default=ignore\])[\s]+pam_unix\.so[\s]+" %}}
-  {{% else %}}
-    {{% set pam_file = "/etc/pam.d/system-auth" %}}
-    {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+" %}}
-  {{% endif %}}
-
   {{% set pam_unix_algorithms = "\\b(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)\\b" %}}
   {{% set hashing_pattern = line_pattern + "(?!.*" + pam_unix_algorithms + "[^#]*" + pam_unix_algorithms + ")[^#]*" + pam_unix_algorithms + ".*$" %}}
 
@@ -37,13 +37,13 @@
 
   <ind:textfilecontent54_test id="test_pam_unix_hashing_algorithm_systemauth" version="2"
     check="all" check_existence="at_least_one_exists"
-    comment="check if pam_unix.so hashing algorithm option is correct and specified only once in /etc/pam.d/system-auth">
+    comment="check if pam_unix.so hashing algorithm option is correct and specified only once in {{{ pam_file }}}">
     <ind:object object_ref="object_pam_unix_hashing_algorithm_systemauth"/>
     <ind:state state_ref="state_pam_unix_hashing_algorithm_systemauth"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_pam_unix_hashing_algorithm_systemauth" version="1"
-    comment="only one hashing algorithm option for pam_unix.so is found in /etc/pam.d/system-auth">
+    comment="only one hashing algorithm option for pam_unix.so is found in {{{ pam_file }}}">
     <ind:filepath>{{{ pam_file }}}</ind:filepath>
     <ind:pattern operation="pattern match">{{{ hashing_pattern }}}</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>

From c067b760ae94ca400b6970bfc02384df83d1df09 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Wed, 11 Dec 2024 18:28:19 +0000
Subject: [PATCH 11/18] Only change password* section of configuration

---
 .../no_empty_passwords/bash/shared.sh              | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
index a52ca717c84..6b4e3104472 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -12,7 +12,19 @@ for FILE in ${NULLOK_FILES}; do
 done
 {{% elif 'ubuntu' in product %}}
 {{{ bash_pam_unix_enable() }}}
-sed --follow-symlinks -i 's/\<nullok\>//g' /usr/share/pam-configs/cac_unix
+config_file="/usr/share/pam-configs/unix"
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*nullok//g
+    }
+}' "$config_file"
+
+sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*nullok//g
+    }
+}' "$config_file"
+
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 if [ -f /usr/bin/authselect ]; then

From 17e58f59681dcb0788f57f3c2e9988e3451599d8 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Wed, 11 Dec 2024 19:28:29 +0000
Subject: [PATCH 12/18] Stick to default configuration shipped by Ubuntu Avoid
 removing nullok

---
 shared/macros/10-bash.jinja | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 786bc316d5e..6ce9661c26f 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -915,24 +915,24 @@ Priority: 257
 Conflicts: unix
 Auth-Type: Primary
 Auth:
-        [success=end default=ignore]    pam_unix.so try_first_pass
+	[success=end default=ignore]	pam_unix.so nullok try_first_pass
 Auth-Initial:
-        [success=end default=ignore]    pam_unix.so
+	[success=end default=ignore]	pam_unix.so nullok
 Account-Type: Primary
 Account:
-        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
 Account-Initial:
-        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
 Session-Type: Additional
 Session:
-        required        pam_unix.so
+	required	pam_unix.so
 Session-Initial:
-        required        pam_unix.so
+	required	pam_unix.so
 Password-Type: Primary
 Password:
-        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
 Password-Initial:
-        [success=end default=ignore]    pam_unix.so obscure yescrypt
+	[success=end default=ignore]	pam_unix.so obscure yescrypt
 EOF
 fi
 

From 2b0a49980e7f951869b743772a422d529fe4f801 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Mon, 16 Dec 2024 14:55:13 +0000
Subject: [PATCH 13/18] Check the existance and md5sum of unix configuration

---
 shared/macros/10-bash.jinja | 49 ++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 28 deletions(-)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 6ce9661c26f..ff0b19981bb 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -907,36 +907,29 @@ DEBIAN_FRONTEND=noninteractive pam-auth-update
 #}}
 {{%- macro bash_pam_unix_enable() -%}}
 conf_name=cac_unix
-if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then
-    cat << EOF > /usr/share/pam-configs/"$conf_name"
-Name: Unix authentication
-Default: yes
-Priority: 257
-Conflicts: unix
-Auth-Type: Primary
-Auth:
-	[success=end default=ignore]	pam_unix.so nullok try_first_pass
-Auth-Initial:
-	[success=end default=ignore]	pam_unix.so nullok
-Account-Type: Primary
-Account:
-	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
-Account-Initial:
-	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
-Session-Type: Additional
-Session:
-	required	pam_unix.so
-Session-Initial:
-	required	pam_unix.so
-Password-Type: Primary
-Password:
-	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
-Password-Initial:
-	[success=end default=ignore]	pam_unix.so obscure yescrypt
-EOF
+conf_path="/usr/share/pam-configs/"
+remediate=false
+
+if [ ! -f "$conf_path"/"$conf_name" ]; then
+    if [ -f "$conf_path"/unix ]; then
+        if grep -q `md5sum "$conf_path"/unix | cut -d ' ' -f 1` /var/lib/dpkg/info/libpam-runtime.md5sums;then
+            cp "$conf_path/unix" "$conf_path/"$conf_name""
+            remediate=true
+        else
+            echo "Not remediating - checksum of $conf_path/unix does not match the original." >&2
+        fi
+    else
+        echo "Not remediating - $conf_path/unix does not exist" >&2
+    fi
+else
+    remediate=true
 fi
 
-DEBIAN_FRONTEND=noninteractive pam-auth-update
+if [ $remediate = "true" ]; then
+    sed '/Default: yes/a Priority: 257\
+Conflicts: unix' "$conf_path"/"$conf_name"
+    DEBIAN_FRONTEND=noninteractive pam-auth-update
+fi
 {{%- endmacro -%}}
 
 

From c96cfc5eac0816d43ab4409c8aee206f24db8013 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Mon, 16 Dec 2024 16:12:59 +0000
Subject: [PATCH 14/18] Use $() substitution instead of ``

---
 shared/macros/10-bash.jinja | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index ff0b19981bb..f31eafeedfd 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -908,28 +908,22 @@ DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{%- macro bash_pam_unix_enable() -%}}
 conf_name=cac_unix
 conf_path="/usr/share/pam-configs/"
-remediate=false
 
 if [ ! -f "$conf_path"/"$conf_name" ]; then
     if [ -f "$conf_path"/unix ]; then
-        if grep -q `md5sum "$conf_path"/unix | cut -d ' ' -f 1` /var/lib/dpkg/info/libpam-runtime.md5sums;then
+        if grep -q $(md5sum "$conf_path"/unix | cut -d ' ' -f 1) /var/lib/dpkg/info/libpam-runtime.md5sums;then
             cp "$conf_path/unix" "$conf_path/"$conf_name""
-            remediate=true
+            sed '/Default: yes/a Priority: 257\
+Conflicts: unix' "$conf_path"/"$conf_name"
+            DEBIAN_FRONTEND=noninteractive pam-auth-update
         else
-            echo "Not remediating - checksum of $conf_path/unix does not match the original." >&2
+            echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2
         fi
     else
-        echo "Not remediating - $conf_path/unix does not exist" >&2
+        echo "Not applicable - $conf_path/unix does not exist" >&2
     fi
-else
-    remediate=true
 fi
 
-if [ $remediate = "true" ]; then
-    sed '/Default: yes/a Priority: 257\
-Conflicts: unix' "$conf_path"/"$conf_name"
-    DEBIAN_FRONTEND=noninteractive pam-auth-update
-fi
 {{%- endmacro -%}}
 
 

From 8675619fa33446fe4994adeb9f488e49efb2d695 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Mon, 16 Dec 2024 16:14:21 +0000
Subject: [PATCH 15/18] Delete unix configuration after the common-password
 updated by pam-auth-update to avoid the not applicable case of
 bash_pam_unix_enable macro

---
 .../tests/ubuntu_arg_missing.fail.sh          |  4 +-
 .../tests/ubuntu_correct_value.pass.sh        | 42 ++++++++++++-------
 .../tests/ubuntu_wrong_value.fail.sh          |  3 +-
 .../tests/commented_value.fail.sh             |  4 +-
 .../tests/correct.pass.sh                     |  4 +-
 .../tests/missing.fail.sh                     |  4 +-
 .../tests/wrong_value_concat.fail.sh          |  4 +-
 shared/macros/10-bash.jinja                   |  2 +-
 8 files changed, 45 insertions(+), 22 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
index 4c2c430a011..a3398cfbbbc 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -28,3 +29,4 @@ Password-Initial:
 EOF
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
index 9c3c606b024..34ceea23b01 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
@@ -2,22 +2,34 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/usr/share/pam-configs/cac_unix
+config_file=/usr/share/pam-configs/tmpunix
 remember_cnt=5
 
-{{{ bash_pam_unix_enable() }}}
-sed -i -E '/^Password:/,/^[^[:space:]]/ {
-    /pam_unix\.so/ {
-        s/\s*remember=[^[:space:]]*//g
-        s/$/ remember='"$remember_cnt"'/g
-    }
-}' "$config_file"
-
-sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
-    /pam_unix\.so/ {
-        s/\s*remember=[^[:space:]]*//g
-        s/$/ remember='"$remember_cnt"'/g
-    }
-}' "$config_file"
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt remember=$remember_cnt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt remember=$remember_cnt
+EOF
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
index 4295c4dc27e..50d807e2471 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
@@ -2,7 +2,7 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
 remember_cnt=3
 
 cat << EOF > "$config_file"
@@ -32,3 +32,4 @@ Password-Initial:
 EOF
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm $config_file
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
index 60e5a07a877..12ebca41877 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
@@ -3,7 +3,8 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 # remediation = none
 
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -29,3 +30,4 @@ Password-Initial:
         [success=end default=ignore]    pam_unix.so obscure # sha512
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
index 67ca0ca7615..2f3bdadc0fa 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
@@ -3,7 +3,8 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -29,6 +30,7 @@ Password-Initial:
         [success=end default=ignore]    pam_unix.so obscure sha512
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
 {{% else %}}
 pam_file="/etc/pam.d/system-auth"
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
index 3787dd5bbd9..bc314099b7e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
@@ -3,7 +3,8 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -29,6 +30,7 @@ Password-Initial:
         [success=end default=ignore]    pam_unix.so obscure
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
 {{% else %}}
 sed -i --follow-symlinks '/^password.*sufficient.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/system-auth"
 {{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
index f9856a6c500..383848c4c87 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
@@ -2,7 +2,8 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_hashing_algorithm_pam=sha512
 
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -28,3 +29,4 @@ Password-Initial:
         [success=end default=ignore]    pam_unix.so obscure sha5122
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index f31eafeedfd..591dc2043d1 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -911,7 +911,7 @@ conf_path="/usr/share/pam-configs/"
 
 if [ ! -f "$conf_path"/"$conf_name" ]; then
     if [ -f "$conf_path"/unix ]; then
-        if grep -q $(md5sum "$conf_path"/unix | cut -d ' ' -f 1) /var/lib/dpkg/info/libpam-runtime.md5sums;then
+        if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
             cp "$conf_path/unix" "$conf_path/"$conf_name""
             sed '/Default: yes/a Priority: 257\
 Conflicts: unix' "$conf_path"/"$conf_name"

From f95eadaa81d6654e2fbe52e0f96d6e4be371853c Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Mon, 16 Dec 2024 17:42:24 +0000
Subject: [PATCH 16/18] Fix para position

---
 shared/macros/10-bash.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 591dc2043d1..7a6f838d841 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -912,7 +912,7 @@ conf_path="/usr/share/pam-configs/"
 if [ ! -f "$conf_path"/"$conf_name" ]; then
     if [ -f "$conf_path"/unix ]; then
         if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
-            cp "$conf_path/unix" "$conf_path/"$conf_name""
+            cp "$conf_path"/unix "$conf_path"/"$conf_name"
             sed '/Default: yes/a Priority: 257\
 Conflicts: unix' "$conf_path"/"$conf_name"
             DEBIAN_FRONTEND=noninteractive pam-auth-update

From 8db82d4abeeb7391a12d5329e5565b584d2adf9f Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Mon, 16 Dec 2024 18:44:43 +0000
Subject: [PATCH 17/18] Add replace flag

---
 shared/macros/10-bash.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 7a6f838d841..928f3f24d95 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -907,13 +907,13 @@ DEBIAN_FRONTEND=noninteractive pam-auth-update
 #}}
 {{%- macro bash_pam_unix_enable() -%}}
 conf_name=cac_unix
-conf_path="/usr/share/pam-configs/"
+conf_path="/usr/share/pam-configs"
 
 if [ ! -f "$conf_path"/"$conf_name" ]; then
     if [ -f "$conf_path"/unix ]; then
         if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
             cp "$conf_path"/unix "$conf_path"/"$conf_name"
-            sed '/Default: yes/a Priority: 257\
+            sed -i '/Default: yes/a Priority: 257\
 Conflicts: unix' "$conf_path"/"$conf_name"
             DEBIAN_FRONTEND=noninteractive pam-auth-update
         else

From 4b4714b4879fa7c799fd4091f96af8cb721c8acd Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Tue, 17 Dec 2024 16:08:42 +0000
Subject: [PATCH 18/18] Correct the config_file name

---
 .../password_storage/no_empty_passwords/bash/shared.sh          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
index 6b4e3104472..9c097499f77 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -12,7 +12,7 @@ for FILE in ${NULLOK_FILES}; do
 done
 {{% elif 'ubuntu' in product %}}
 {{{ bash_pam_unix_enable() }}}
-config_file="/usr/share/pam-configs/unix"
+config_file="/usr/share/pam-configs/cac_unix"
 sed -i -E '/^Password:/,/^[^[:space:]]/ {
     /pam_unix\.so/ {
         s/\s*nullok//g