# TLDR
After applying CIS server level 1 or 2 on Ubuntu 22.04 Jammy Jellyfish the command `passwd` fails with the error "passwd: Module is unknown"
# Workaround/fix
Install `libpam-pwquality` using
```
sudo apt install libpam-pwquality
```
**keep your currently-installed version of `/etc/security/pwquality.conf` and Do not override local changes**
# Reproduction
## Image Info
```
ubuntu@CIS-01:~$ uname -a
Linux CIS-01 5.15.0-105-generic #115-Ubuntu SMP Mon Apr 15 09:52:04 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@CIS-01:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy
```
## Steps to reproduce
On a fresh Ubuntu 22.04 Jammy Jellyfish install attach the server to Ubuntu Pro
```
sudo pro attach <TOKEN>
```
Enable `usg`
```
sudo pro enable usg
```
Install the `usg` tool
```
sudo apt install usg
```
Audit the system with `cis_level1_server`
```
sudo usg audit cis_level1_server
```
Generate a tailoring file:
```
sudo usg generate-tailoring cis_level1_server cis_level1_server-tailor-config.xml
```
Generate the fix script:
```
sudo usg generate-fix --output cis_level1_server-fix_script.sh --tailoring-file cis_level1_server-tailor-config.xml
```
Run the fix script on a test server.
```
sudo bash cis_level1_server-fix_script.sh
```
Reboot to finish applying the fixes
```
sudo reboot
```
Log back into the machine. Then try to change `root`'s password and `ubuntu`' password
```
ubuntu@CIS-01:~$ sudo passwd
passwd: Module is unknown
passwd: password unchanged
ubuntu@CIS-01:~$ sudo passwd root
passwd: Module is unknown
passwd: password unchanged
ubuntu@CIS-01:~$ sudo -i
root@CIS-01:~# passwd
passwd: Module is unknown
passwd: password unchanged
```
Inspecting the file `/etc/pam.d/common-password` on the machine, the following diff from it and a fresh image:
```
diff common-password-fresh /etc/pam.d/common-password
```
output
```
25c25
< password [success=1 default=ignore] pam_unix.so obscure yescrypt
---
> password [success=1 default=ignore] pam_unix.so obscure yescrypt remember=5
27c27
< password requisite pam_deny.so
---
> password requisite pam_deny.so
31c31
< password required pam_permit.so
---
> password required pam_permit.so
34c34
<
---
> password requisite pam_pwquality.so retry=3
```
looking at `/var/log/auth.log` it looks like the module isn't there
```
May 7 11:17:01 CIS-01 CRON[1691]: PAM unable to dlopen(pam_pwquality.so): /lib/security/pam_pwquality.so: cannot open shared object file: No such file or directory
May 7 11:17:01 CIS-01 CRON[1691]: PAM adding faulty module: pam_pwquality.so
```
Double checking
```
ls /lib/x86_64-linux-gnu/security/ | grep "pam_pwquality"
```
it's not there. Looking at
```
sudo apt-cache policy libpam-pwquality
```
it's not installed
```
libpam-pwquality:
Installed: (none)
Candidate: 1.4.4-1build2
Version table:
1.4.4-1build2 500
500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
```
Installing the package
```
sudo apt install libpam-pwquality
```
**keep your currently-installed version of `/etc/security/pwquality.conf` and Do not override local changes**
Once it is installed changing passwords works fine.
```
ubuntu@CIS-01:~$ sudo passwd root
New password:
Retype new password:
passwd: password updated successfully
```
# Suggested Fix
Have the USG tool install the `libpam-pwquality` package while hardening.
Hi Jaimes, thanks for reporting this bug.
Indeed the hardening scripts should install libpam-pwquality if not present.
That said, I can't reproduce this on clean server or desktop installations of Ubuntu 22.04.
Could you provide more details about your setup? Custom image? Container?