PAM is a flexible mechanism for authenticating users. One policy it can enforce is that users may not reuse recent passwords. This can be accomplished by using the remember option of the pam_unix PAM module.
The pam_unix module provides PAM functions such as authentication and account management. The same module can maintain a list of old passwords for every user, which is useful if you want to disallow the use of old passwords. The old password list is located in the /etc/security/opasswd file.
Limit Password Reuse
Under Debian / Ubuntu Linux, open the /etc/pam.d/common-password file:
# vi /etc/pam.d/common-password
If you are using CentOS / RHEL / RedHat / Fedora Linux, edit the /etc/pam.d/system-auth file instead:
# vi /etc/pam.d/system-auth
Now, update the existing password line and append remember=10 to prevent a user from re-using any of his or her last 10 passwords. Do not add a new line; update the existing password line and append remember=10.
password sufficient pam_unix.so use_authtok md5 shadow remember=10
Save and close the file.
Now Linux will remember the last 10 passwords. If a user tries to use any one of the last 10 old passwords, he/she will get an error:
Password has been already used. Choose another.
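The following shell functions are an added example, not part of the original article: they report the remember= value on the active pam_unix.so password line of a PAM file and check the history file. The function names are hypothetical, and the owner-only permission expectation for the history file is an assumption not stated in the article.

```shell
#!/bin/sh
# Added example (not from the article): audit pam_unix password history.

# Print N from "remember=N" on the first active "password ... pam_unix.so"
# line of a PAM file, 0 if the option is missing, "none" if no such line.
pam_unix_remember() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 ~ /^-?password$/ && /pam_unix\.so/ {
            n = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^remember=[0-9]+$/) n = substr($i, 10) + 0
            print n; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Return 0 when FILE ($1) remembers at least MIN ($2) old passwords.
check_password_history() {
    value=$(pam_unix_remember "$1")
    if [ "$value" = none ]; then
        echo "FAIL $1: no active pam_unix.so password line"; return 2
    elif [ "$value" -lt "$2" ]; then
        echo "FAIL $1: remember=$value, need at least $2"; return 1
    fi
    echo "OK   $1: remember=$value"
}

# Return 0 when the history file exists and grants nothing to group/other
# (assumption: it holds old password hashes, so it should be owner-only).
check_opasswd() {
    [ -f "$1" ] || { echo "FAIL $1: file does not exist"; return 2; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "FAIL $1: group/other access ($perms)"; return 1; }
    echo "OK   $1: owner-only"
}

# Demo on a constructed copy of the article's line (not a live system file).
demo=$(mktemp)
printf '%s\n' '# constructed sample' \
    'password sufficient pam_unix.so use_authtok md5 shadow remember=10' > "$demo"
check_password_history "$demo" 10
rm -f "$demo"
```

On a real host, run check_password_history against /etc/pam.d/common-password or /etc/pam.d/system-auth, and check_opasswd against /etc/security/opasswd.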
{ 3 comments }
It does not work on my CentOS 5… I tried to change my user password and tried to use my old password again, but it does not warn me that I already used my current password.
Did I miss anything?
Hi Vivek,
I am a fan of your website. Thanks for posting such interesting topics. I am working on Linux security, using Linux applications. Your website is very helpful for me. I always give it first preference when I find your website link.
OK, now can you please tell me whether it is possible to verify that a new password has not been used in the last six months?
Thanks & Regards
Rahul Panwar
It does not work on my CentOS; actually, after appending remember=10, the /etc/security/opasswd file is still empty….?