Use PAM In Chpasswd Newusers
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
Enable PAM (Pluggable Authentication Modules) support for the chpasswd and newusers utilities. This ensures that these tools follow the system-wide authentication and password policies (such as password complexity, history, and auditing) defined in the Fedora PAM stack.
Owner
- Name: Iker Pedrosa (User:Ipedrosa)
- Email: ipedrosa@redhat.com
Detailed Description
Currently, the chpasswd and newusers binaries (provided by the shadow-utils package) update passwords directly without interacting with PAM. This means they can bypass security constraints defined in /etc/pam.d/system-auth, such as:
- Password quality requirements (pam_pwquality).
- Password history (pam_pwhistory).
- Account locking/unlocking logic.
- Centralized logging and auditing of password changes.
This proposal aims to modify these utilities to initialize a PAM session, allowing them to be “good citizens” within the Fedora security ecosystem and ensuring that administrative bulk updates respect the same rules as the passwd command.
This change addresses the issue reported in 2283963 – chpasswd enable the use of PAM
Feedback
N/A
Benefit to Fedora
- Consistency: centralizes password policy enforcement. Administrators can be sure that policies set in PAM apply when using bulk update tools.
- Security: prevents the accidental setting of weak passwords via automation scripts that use chpasswd.
- Auditing: provides better traceability of password changes through standard PAM logging.
Scope
- Proposal owners: modify shadow-utils dist-git to enable PAM support for chpasswd and newusers. Provide and package the corresponding PAM service files, /etc/pam.d/chpasswd and /etc/pam.d/newusers, probably basing them on the existing passwd stack.
- Other developers: N/A
- Release engineering: N/A
- Policies and guidelines: N/A
- Trademark approval: N/A
- Alignment with the Fedora Strategy: N/A
Upgrade/compatibility impact
Minimal. Scripts that rely on setting passwords that violate current PAM policies might fail (which is the intended security behavior). Administrators might need to adjust their PAM configurations if they want specific “relaxed” rules for these tools.
Early Testing (Optional)
N/A
How To Test
No special hardware or configuration is required to test this change.
Install the updated shadow-utils package.
Define a strict password policy in /etc/security/pwquality.conf (e.g., minlen = 20).
Attempt to change a password using echo "user:short" | chpasswd.
Expected result: The command should fail, citing that the password does not meet the complexity requirements.
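The last two steps can be scripted so that the result is judged on the stored hash as well as on the exit status. This is an added example, not part of the proposal or of shadow-utils; the override variables and function names are assumptions, and it is meant to be pointed at a throwaway account on a test machine.

```shell
#!/bin/sh
# Added example: automates steps 3-4 of "How To Test" for one account.
# Assumed names (not from the proposal): the override variables below and
# all function names. Run as root, against a throwaway account only.
CHPASSWD="${CHPASSWD:-chpasswd}"
PWQUALITY_CONF="${PWQUALITY_CONF:-/etc/security/pwquality.conf}"
SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"
WEAK_PASSWORD="short"   # the value used in the proposal's test step

# Print the value of the last uncommented "minlen = N" line in the file
# (drop-in files under pwquality.conf.d are not read here).
configured_minlen() {
    sed -n 's/^[[:space:]]*minlen[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$PWQUALITY_CONF" | tail -n 1
}

# Print the stored password field for user $1.
shadow_field() {
    awk -F: -v u="$1" '$1 == u { print $2 }' "$SHADOW_FILE"
}

# Exit status: 0 = weak password refused and stored hash untouched,
#              1 = weak password accepted, or hash changed despite an error,
#              2 = minlen is unset or too low for the test to mean anything.
weak_password_rejected() {
    user=$1
    minlen=$(configured_minlen)
    if [ -z "$minlen" ] || [ "$minlen" -le "${#WEAK_PASSWORD}" ]; then
        return 2
    fi
    before=$(shadow_field "$user")
    if printf '%s:%s\n' "$user" "$WEAK_PASSWORD" | "$CHPASSWD" >/dev/null 2>&1; then
        return 1
    fi
    [ "$(shadow_field "$user")" = "$before" ] || return 1
    return 0
}
```

If the function returns 1 on an updated package, check whether enforce_for_root is set: pam_pwquality only warns when the caller is root unless that option is enabled.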
User Experience
End-users won’t notice a change. System administrators will have a more robust and predictable environment where security policies are enforced consistently across all tools.
Dependencies
This is an update to the shadow-utils package, and there are no external dependencies.
Contingency Plan
- Contingency mechanism: revert the changes in shadow-utils to the previous behaviour
- Contingency deadline: Beta Freeze.
- Blocks release? No
Documentation
No documentation update.
Release Notes
The chpasswd and newusers utilities now support PAM. This ensures that bulk password updates and user creations respect system-wide password policies, such as complexity and history requirements.
Last edited by @alking 2026-03-25T19:17:08Z