Restriction to use previous passwords

pam_unix can maintain a password history for each user and refuse a new password that appears in that history. The parameter remember sets the number of old passwords kept in the history for each user. Here is an example of how to set this up. First, check whether the file /etc/security/opasswd exists on your system and is readable and writable only by root. If the file does not exist, create it:
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd

Please note: make sure this file exists, with these permissions, before you enable the password history mechanism. Otherwise every password change will fail, because pam_unix cannot write the history to the file.

Now edit /etc/pam.d/system-auth (this is the Red Hat style layout; Debian-based systems keep the password stack in /etc/pam.d/common-password instead). Open the file and find the line that looks roughly like this:

password sufficient pam_unix.so nullok use_authtok md5 shadow
Add remember=N, where N is the number of old passwords to remember; in this example 7:
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=7
You can make things even harder by using the difok parameter of the pam_cracklib module together with pam_unix. difok forces at least N characters of the new password to be different from the old password:
password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=4
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=7

This forces users to choose a password of at least 8 characters containing at least 1 lower-case letter, 1 upper-case letter, 2 digits and 1 special character. The last 7 passwords cannot be used again, and at least 4 characters of the new password have to differ from the old one.

Two caveats. The md5 option in these lines selects the MD5 password hash, which is weak; on any current system use sha512 instead, since pam_unix supports it. And the order matters: pam_cracklib has to come before pam_unix in the password stack, because pam_unix only consults the history once a candidate password has passed the quality checks and is handed over via use_authtok.
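The procedure above, as an added shell example that is not part of the original howto: it prepares the opasswd history file and sets a key=value option on the "password" line of a given PAM module, so the same function handles remember=7 for pam_unix.so and difok=4 for pam_cracklib.so. File paths are parameters so you can try it on a scratch copy first; run it against /etc/security/opasswd and your real PAM file as root. It assumes GNU coreutils (stat -c) and a POSIX awk; the sample PAM lines in demo() are constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not code from the original howto.
# Assumes GNU coreutils (stat -c) and a POSIX awk.

# Create FILE if missing and restrict it to root (mode 0600).
prepare_opasswd() {
    f="$1"
    [ -e "$f" ] || : > "$f"
    chmod 600 "$f"
    # chown only succeeds as root; when it fails, report it and carry on.
    chown root:root "$f" 2>/dev/null || echo "warning: could not chown $f (not root?)" >&2
}

# Print the octal mode of FILE, e.g. 600.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 only when FILE is present, root-owned and mode 0600.
check_opasswd() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(stat -c '%U' "$f")" = root ] || return 1
    [ "$(file_mode "$f")" = 600 ]
}

# Set KEY=VALUE on every "password ... MODULE" line of FILE, replacing an
# existing KEY=... or appending it.  Comment lines and other stacks are untouched.
# Example: set_pam_option /etc/pam.d/system-auth pam_unix.so remember 7
set_pam_option() {
    f="$1" mod="$2" key="$3" val="$4"
    awk -v mod="$mod" -v key="$key" -v val="$val" '
        $1 == "password" && index($0, mod) {
            if (match($0, key "=[^ \t]*"))
                $0 = substr($0, 1, RSTART - 1) key "=" val substr($0, RSTART + RLENGTH)
            else
                $0 = $0 " " key "=" val
        }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Print the value of KEY on the "password ... MODULE" line of FILE (empty if unset).
get_pam_option() {
    awk -v mod="$2" -v key="$3" '
        $1 == "password" && index($0, mod) {
            for (i = 2; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == key) { print kv[2]; exit }
        }
    ' "$1"
}

# Demo on a constructed copy of the system-auth lines from the howto.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'password    required      pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1' \
        'password    sufficient    pam_unix.so nullok use_authtok md5 shadow' \
        'password    required      pam_deny.so' > "$d/system-auth"
    prepare_opasswd "$d/opasswd"
    check_opasswd "$d/opasswd" || echo "opasswd not root-owned/0600 yet" >&2
    set_pam_option "$d/system-auth" pam_unix.so remember 7
    set_pam_option "$d/system-auth" pam_cracklib.so difok 4
    echo "opasswd mode: $(file_mode "$d/opasswd")"
    echo "remember=$(get_pam_option "$d/system-auth" pam_unix.so remember)"
    echo "difok=$(get_pam_option "$d/system-auth" pam_cracklib.so difok)"
    cat "$d/system-auth"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh pam_history.sh demo` to see the rewritten stack on a throwaway copy; for the real system call prepare_opasswd on /etc/security/opasswd and set_pam_option on /etc/pam.d/system-auth (or common-password) as root, then test with passwd as an ordinary user that an old password is rejected.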

See also this article: force strong passwords

 
