diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh index fe43d9d396f..be98288d7a4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh @@ -2,16 +2,35 @@ {{{ bash_instantiate_variables("var_password_pam_unix_remember") }}} -{{% if "debian" in product or "ubuntu" in product or "sle12" in product %}} +{{% if "debian" in product or "sle12" in product %}} {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}} +{{% elif "ubuntu" in product %}} +config_file="/usr/share/pam-configs/cac_unix" {{% else %}} {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}} {{% endif %}} -{{% if "debian" in product or "ubuntu" in product %}} +{{% if "debian" in product %}} {{{ bash_ensure_pam_module_options(accounts_password_pam_unix_remember_file, 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}} +{{% elif "ubuntu" in product %}} +{{{ bash_pam_unix_enable() }}} +sed -i -E '/^Password:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/\s*remember=[^[:space:]]*//g + s/$/ remember='"$var_password_pam_unix_remember"'/g + } +}' "$config_file" + +sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/\s*remember=[^[:space:]]*//g + s/$/ remember='"$var_password_pam_unix_remember"'/g + } +}' "$config_file" + +DEBIAN_FRONTEND=noninteractive pam-auth-update {{% else %}} {{{ bash_pam_pwhistory_enable(accounts_password_pam_unix_remember_file, 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh index db7fb6f2ea7..a3398cfbbbc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh @@ -1,7 +1,32 @@ #!/bin/bash # platform = multi_platform_ubuntu -config_file=/etc/pam.d/common-password -if grep -q "pam_unix\.so.*remember=" "${config_file}" ; then - sed -i "/pam_unix\.so/ s/\bremember=\S*//" "${config_file}" -fi +config_file=/usr/share/pam-configs/tmpunix +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 256 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +rm "$config_file" 
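Review bot: The profile written to `/usr/share/pam-configs/tmpunix` has no comment saying why the test installs it, and it appears to be a near-copy of the stock Ubuntu `unix` profile (same `Name: Unix authentication`, same `Priority: 256`) whose `Password:` stanza already carries no `remember=` option; if the stock profile alone produces the failing state the fixture is redundant, and if it does not, the reason belongs in a comment above the heredoc. Two enabled profiles with identical name and priority presumably yield duplicate `pam_unix.so` lines in the generated `/etc/pam.d/common-password`; worth confirming the check still reports the intended result in that case. The `pam-auth-update` exit status is not checked, so unless the harness runs the script with errexit a failed regeneration leaves the fixture in an undefined state; `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1` would make that visible. The same heredoc is copy-pasted into the sibling tests `ubuntu_correct_value.pass.sh` and `ubuntu_wrong_value.fail.sh`, differing only in the `remember=` suffix.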
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh index d66fdd55278..34ceea23b01 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh @@ -2,6 +2,34 @@ # platform = multi_platform_ubuntu # variables = var_password_pam_unix_remember=5 -config_file=/etc/pam.d/common-password +config_file=/usr/share/pam-configs/tmpunix remember_cnt=5 -sed -i "s/password.*pam_unix.so.*/password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=${remember_cnt} rounds=5000/" "${config_file}" + +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 256 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=$remember_cnt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt remember=$remember_cnt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +rm "$config_file" 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh index 2fe578bfcfe..50d807e2471 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh @@ -2,7 +2,34 @@ # platform = multi_platform_ubuntu # variables = var_password_pam_unix_remember=5 -config_file=/etc/pam.d/common-password +config_file=/usr/share/pam-configs/tmpunix remember_cnt=3 -sed -i "s/password.*pam_unix.so.*/password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=${remember_cnt} rounds=5000/" "${config_file}" +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 256 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=$remember_cnt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt remember=$remember_cnt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +rm $config_file 
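Review bot: `rm $config_file` on the last line is unquoted, unlike `rm "$config_file"` in the sibling tests `ubuntu_arg_missing.fail.sh` and `ubuntu_correct_value.pass.sh`; the value is a fixed path so it is harmless today, but it is the one line that would break if the fixture path ever gained whitespace or a glob character, and ShellCheck flags it (SC2086). Quote it for consistency: `rm "$config_file"`. The unquoted `EOF` delimiter is deliberate so `$remember_cnt` expands inside the profile; a one-line comment such as `# unquoted EOF on purpose: $remember_cnt must expand` would stop a future cleanup from quoting it.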
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh index 18f72ed0e13..977e62cd3ea 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh 
@@ -6,18 +6,30 @@ PAM_FILE_PATH="/etc/pam.d/common-password" CONTROL="required" {{%- elif 'ubuntu' in product -%}} -PAM_FILE_PATH="/etc/pam.d/common-password" +{{{ bash_pam_unix_enable() }}} +PAM_FILE_PATH=/usr/share/pam-configs/cac_unix {{%- else -%}} PAM_FILE_PATH="/etc/pam.d/system-auth" CONTROL="sufficient" {{%- endif %}} {{% if 'ubuntu' in product -%}} -# Can't use macro bash_ensure_pam_module_configuration because the control -# contains special characters and is not static ([success=N default=ignore) -if ! grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then - sed -i -E --follow-symlinks "/\s*password\s+.*\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH" +if ! grep -qzP "Password:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then + sed -i -E '/^Password:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/$/ '"$var_password_hashing_algorithm_pam"'/g + } +}' "$PAM_FILE_PATH" +fi + +if ! grep -qzP "Password-Initial:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then + sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/$/ '"$var_password_hashing_algorithm_pam"'/g + } +}' "$PAM_FILE_PATH" fi + {{%- else -%}} {{{ bash_ensure_pam_module_configuration("$PAM_FILE_PATH", 'password', "$CONTROL", 'pam_unix.so', "$var_password_hashing_algorithm_pam", '', '') }}} {{%- endif %}} 
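Review bot: The `Password:` and `Password-Initial:` branches are the same check-and-append written out twice, differing only in the stanza name, and the same pair appears again in the removal loop of the next hunk; a loop over the two stanza names keeps one copy of the `grep -qzP` test and of the `sed` range script. The `g` flag on `s/$/ …/` has no effect, since `$` matches once per line. `$var_password_hashing_algorithm_pam` is spliced unquoted into both a PCRE pattern and a sed replacement, which is fine for the fixed set of algorithm names the variable takes, so a comment recording that assumption (`# value is one of the fixed algorithm names; safe inside the sed replacement`) is worth adding next to the first `sed`.
```shell
for stanza in Password Password-Initial; do
  if ! grep -qzP "${stanza}:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
    sed -i -E '/^'"$stanza"':/,/^[^[:space:]]/ {
      /pam_unix\.so/ s/$/ '"$var_password_hashing_algorithm_pam"'/
    }' "$PAM_FILE_PATH"
  fi
done
```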
@@ -27,8 +39,22 @@ declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blow for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then + {{% if 'ubuntu' in product -%}} + sed -i -E '/^Password:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/\s*'"$hash_option"'//g + } + }' "$PAM_FILE_PATH" + sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/\s*'"$hash_option"'//g + } + }' "$PAM_FILE_PATH" + DEBIAN_FRONTEND=noninteractive pam-auth-update + {{%- else -%}} if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$PAM_FILE_PATH"; then {{{ bash_remove_pam_module_option_configuration("$PAM_FILE_PATH", 'password', ".*", 'pam_unix.so', "$hash_option") }}} fi + {{%- endif %}} fi done diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml index c599abe49f5..63f200056ad 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml 
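Review bot: The Ubuntu removal `s/\s*'"$hash_option"'//g` has no word boundary, so with the array order `sha512 yescrypt gost_yescrypt …` shown in the hunk header, the `yescrypt` iteration strips that substring out of `gost_yescrypt` and leaves a bare `gost_` option on the `pam_unix.so` line; when `gost_yescrypt` is the selected algorithm (appended by the previous hunk just before this loop runs) the configured value is destroyed, and pam_unix would presumably ignore the unknown option and fall back to its default hash, the opposite of what the rule intends. Anchoring the option on both sides fixes it in both seds: `s/\s+'"$hash_option"'\b//g`. `DEBIAN_FRONTEND=noninteractive pam-auth-update` also runs once per removed option, inside the `if`, instead of once after the loop; moving it below `done`, inside its own `{{% if 'ubuntu' in product %}}` block, regenerates the stack a single time. The non-Ubuntu branch keeps its `\b$hash_option\b` grep, so the boundary problem is specific to the new code.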
@@ -1,24 +1,24 @@ +{{% if product in ['sle12', 'sle15', 'slmicro5'] %}} + {{% set pam_file = "/etc/pam.d/common-password" %}} + {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+" %}} +{{% elif 'ubuntu' in product %}} + {{% set pam_file = "/etc/pam.d/common-password" %}} + {{% set line_pattern = "^[\s]*password[\s]+(?:\[success=\d+\s+default=ignore\])[\s]+pam_unix\.so[\s]+" %}} +{{% else %}} + {{% set pam_file = "/etc/pam.d/system-auth" %}} + {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+" %}} +{{% endif %}} + - {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}} + {{{ oval_metadata("The password hashing algorithm should be set correctly in {{{ pam_file }}}.") }}} - {{% if product in ['sle12', 'sle15', 'slmicro5'] %}} - {{% set pam_file = "/etc/pam.d/common-password" %}} - {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+" %}} - {{% elif 'ubuntu' in product %}} - {{% set pam_file = "/etc/pam.d/common-password" %}} - {{% set line_pattern = "^[\s]*password[\s]+(?:\[success=\d+\s+default=ignore\])[\s]+pam_unix\.so[\s]+" %}} - {{% else %}} - {{% set pam_file = "/etc/pam.d/system-auth" %}} - {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+" %}} - {{% endif %}} - - {{% set pam_unix_algorithms = "(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)" %}} - {{% set hashing_pattern = line_pattern + "(?!.*" + pam_unix_algorithms + ".*" + pam_unix_algorithms + ").*" + pam_unix_algorithms + ".*$" %}} + {{% set pam_unix_algorithms = "\\b(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)\\b" %}} + {{% set hashing_pattern = line_pattern + "(?!.*" + pam_unix_algorithms + "[^#]*" + pam_unix_algorithms + ")[^#]*" + pam_unix_algorithms + ".*$" %}}