pam_unix makes it possible to maintain a user's password history and prevent the user from re-using an old password. The parameter
remember is used to set the number of passwords to keep in the history for each user. An example of how to set this up: First of all we need to check whether the file
/etc/security/opasswd exists on your system and is readable and writable only by root. If the file doesn't exist, create it and set the owner and permissions:
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
Please note it is important to make sure this file is available before you enable the password history mechanism; otherwise every user password update will fail, because
pam_unix can't write the history to the file.
Now we have to edit
/etc/pam.d/system-auth. Open this file and find the line which looks somewhat like this:
password sufficient pam_unix.so nullok use_authtok md5 shadow
and add
remember=N, where N is the number of passwords to remember, in my example 7:
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=7
You can make things even harder by using the
pam_cracklib module together with pam_unix. Its parameter
difok is used to force that at least N characters of the new password have to be different from the old password.
password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=4
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=7
This forces users to use a password with a length of at least 8 characters, containing at least 1 lower-case letter, 1 upper-case letter, 2 digits and 1 special character. The last 7 passwords are not allowed to be used again, and at least 4 characters of the new password have to be different from the old password.
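To check that a system actually carries the settings described above, here is a small audit helper. It is an added example, not part of the original post: it verifies that the history file is root-only with mode 0600, and extracts the remember= and difok= values from the password lines of a pam.d file. The file paths passed in and the sample configuration it builds with mktemp are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for the pam_unix
# password-history and pam_cracklib settings. Paths and samples are assumed.

# Print the numeric value of KEY= found on the "password ... MODULE" line of FILE.
# Usage: pam_param FILE MODULE_REGEX KEY   (prints nothing if the key is absent)
pam_param() {
    grep -E "^[[:space:]]*password[[:space:]].*$2" "$1" 2>/dev/null \
        | sed -n "s/.*[[:space:]]$3=\([0-9][0-9]*\).*/\1/p" \
        | head -n 1
}

# Succeed only when FILE exists, is owned by root and has mode 0600 exactly,
# i.e. the state the post requires for /etc/security/opasswd.
opasswd_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -maxdepth 0 -user root -perm 600 2>/dev/null)" ]
}

# Succeed when FILE has remember=N (N >= 1) on its pam_unix line and
# difok=N (N >= 1) on its pam_cracklib line.
pam_history_ok() {
    r=$(pam_param "$1" 'pam_unix\.so' remember)
    d=$(pam_param "$1" 'pam_cracklib\.so' difok)
    [ -n "$r" ] && [ "$r" -ge 1 ] && [ -n "$d" ] && [ "$d" -ge 1 ]
}

# Constructed sample mirroring the final password stack from the post;
# prints the path of the temporary file it wrote.
make_sample() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
password required   pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=4
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=7
EOF
    printf '%s\n' "$f"
}

# Constructed sample without any history or difok setting.
make_weak_sample() {
    f=$(mktemp)
    printf 'password sufficient pam_unix.so nullok use_authtok md5 shadow\n' >"$f"
    printf '%s\n' "$f"
}

# Stand-alone run: report on the real files (paths assumed) and the samples.
if [ "${0##*/}" != "sh" ] && [ -z "$PAM_AUDIT_NO_MAIN" ]; then
    opasswd_ok /etc/security/opasswd && echo "opasswd: ok" || echo "opasswd: missing or wrong owner/mode"
    pam_history_ok /etc/pam.d/system-auth && echo "system-auth: history enforced" || echo "system-auth: no remember/difok"
    s=$(make_sample); w=$(make_weak_sample)
    echo "sample remember=$(pam_param "$s" 'pam_unix\.so' remember) difok=$(pam_param "$s" 'pam_cracklib\.so' difok)"
    pam_history_ok "$w" || echo "weak sample correctly rejected"
    rm -f "$s" "$w"
fi
```

Run it on a box you administer and it prints one line per check; the sample files show what a passing and a failing password stack look like without touching the real configuration.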
See also this article: force strong passwords