
Linux: Prevent From Using Or Reuse Same Old Passwords

PAM is a flexible mechanism for authenticating users. For example, you can prevent users from reusing their recent passwords. This is done with the remember option of the pam_unix or pam_unix2 (shipped with certain enterprise distros) PAM module. In this quick blog post I am going to explain how to restrict the reuse of previous passwords using pam_unix.so.

More about pam_unix/pam_unix2 module

This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information and to authenticate users. Usually this information comes from the /etc/passwd file, and from the /etc/shadow file as well if shadow passwords are enabled.

This module implements the PAM functions for authentication, account management and more. The same module can also maintain a list of old passwords for every user, which is what you need if you want to disallow the reuse of old passwords. The old password list is stored in the /etc/security/opasswd file.

Configuration files

You need to edit the following files:

  1. /etc/login.defs - Shadow password suite configuration
  2. /etc/pam.d/common-auth - OpenSuse/Suse Enterprise Linux pam config file.
  3. /etc/pam.d/system-auth - CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.
  4. /etc/pam.d/common-password - Debian / Ubuntu Linux pam config file.
  5. /etc/security/opasswd - Store old passwords.

Finding pam_unix.so or pam_unix2.so file location

Type the following find command:

## NOTE: on a modern Linux distro you do not need to set a full path ##
## The same commands work on both 32 bit and 64 bit distros ##
find / -iname "pam_unix.so"
find / -iname "pam_unix2.so"

Sample outputs are shown in Fig. 01: Finding pam_unix full path on a Linux.

Step:1 - HowTo limit password reuse on Linux

Open your /etc/pam.d/common-password file on a Debian / Ubuntu Linux, run:
# cp /etc/pam.d/common-password /root/common-password.bak
# vi /etc/pam.d/common-password

If you are using CentOS / RHEL / RedHat / Fedora Linux, edit /etc/pam.d/system-auth file, run:
# cp /etc/pam.d/system-auth /root/system-auth.bak
# vi /etc/pam.d/system-auth

OpenSUSE/SUSE Linux users, edit /etc/pam.d/common-auth, run:
# cp /etc/pam.d/common-auth /root/common-auth.bak
# vi /etc/pam.d/common-auth

Edit or add the password line and append remember=13 to prevent a user from reusing any of his or her last 13 passwords:
password sufficient pam_unix.so use_authtok md5 shadow remember=13

If you are using pam_unix2.so, update it as follows:
password sufficient pam_unix2.so use_authtok md5 shadow remember=13

Save and close the file. Please note that the last 13 passwords for each user are saved in the /etc/security/opasswd file; this is what enforces the password history and keeps users from alternating between the same passwords too frequently.

Step:2 - Enable password aging

In this example, pam_unix.so/pam_unix2.so is configured to remember 13 passwords. To make sure a user cannot return to the same password for at least 3 months (13*7=91 days = 3 months), you also need to set the minimum number of days allowed between password changes (PASS_MIN_DAYS=7). Edit /etc/login.defs, enter:

# vi /etc/login.defs

Set the minimum number of days between password changes:

### Minimum number of 7 days before a user can change the password since the last change ###
PASS_MIN_DAYS=7

Save and close the file.

Step:3 - /etc/security/opasswd

If the file /etc/security/opasswd does not exist, create the file using touch or shell redirection command:
# [ ! -f /etc/security/opasswd ] && touch /etc/security/opasswd
OR
# [ ! -f /etc/security/opasswd ] && >/etc/security/opasswd
Use the following ls command to verify file permissions:
# ls -lZ /etc/security/opasswd
Sample output from a RHEL system with SELinux enabled:

-rw-------. root root system_u:object_r:shadow_t:s0    /etc/security/opasswd
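To confirm that the three settings from Step 1 to Step 3 actually took effect, here is a small POSIX sh audit script. It is an added example, not part of the original post; it assumes the distro-specific file paths listed above, a threshold of remember=13 and PASS_MIN_DAYS=7 as in this post, and treats a 0600 opasswd file as correct.

```shell
#!/bin/sh
# Added audit helper; not part of the original post. Each check takes a file
# path so it can be run against backup copies as well as the live files.

# check_remember <pam-file> <min-count>
# Succeeds if an uncommented "password" line loading pam_unix.so or
# pam_unix2.so carries remember=N with N >= min-count (the post uses 13).
check_remember() {
    n=$(grep -E '^[[:space:]]*password[[:space:]].*pam_unix2?\.so' "$1" 2>/dev/null \
        | grep -oE 'remember=[0-9]+' | head -n 1 | cut -d= -f2)
    [ -n "$n" ] && [ "$n" -ge "$2" ]
}

# check_min_days <login.defs> <min-days>
# login.defs accepts "PASS_MIN_DAYS 7" and "PASS_MIN_DAYS=7"; the last
# uncommented setting wins, so that is the one compared.
check_min_days() {
    d=$(grep -E '^[[:space:]]*PASS_MIN_DAYS[[:space:]=]+[0-9]+' "$1" 2>/dev/null \
        | tail -n 1 | sed -E 's/^[[:space:]]*PASS_MIN_DAYS[[:space:]=]+([0-9]+).*/\1/')
    [ -n "$d" ] && [ "$d" -ge "$2" ]
}

# check_opasswd <file>
# Succeeds if the history file exists and is mode 0600, as in the ls -lZ
# output above; the hashes in it are as sensitive as /etc/shadow.
check_opasswd() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# audit: run all three checks against the live system (run as root) and
# report; picks whichever distro-specific PAM file exists.
audit() {
    rc=0; pam=
    for f in /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/common-auth; do
        [ -f "$f" ] && { pam=$f; break; }
    done
    if check_remember "${pam:-/nonexistent}" 13; then echo "PASS remember>=13 in $pam"
    else echo "FAIL no remember=N (N>=13) on the pam_unix password line"; rc=1; fi
    if check_min_days /etc/login.defs 7; then echo "PASS PASS_MIN_DAYS>=7"
    else echo "FAIL PASS_MIN_DAYS below 7 or unset"; rc=1; fi
    if check_opasswd /etc/security/opasswd; then echo "PASS opasswd exists, mode 0600"
    else echo "FAIL /etc/security/opasswd missing or wrong mode"; rc=1; fi
    return $rc
}
```

Source the file and call audit as root; a non-zero exit status means at least one of the three settings is missing.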

Test it

The Linux system will now remember the last 13 passwords. If a user tries to reuse any one of the last 13 old passwords, he or she will get the following error message on screen:
Password has been already used. Choose another.

And there you have it. The pam_unix.so/pam_unix2.so module is now configured with the number of previous passwords that cannot be reused. I also suggest that you use the pam_cracklib Linux PAM module to set password quality requirements.


  • frank May 2, 2008, 3:10 am

    It does not work on my centos5… I tried to change my user password and tried to use my old password again, but it does not warn me that I already used my current password.

    did i miss anything?

  • Rahul Panwar August 3, 2009, 2:24 pm

    Hi Vivek,
    I am a fan of your website. Thanks for posting such interesting topics. I am working on Linux security, using Linux applications. Your website is very helpful for me. I always give it first preference when I find your website link.

    Ok, now can you please tell me whether it is possible to verify that a new password has not been used in the last six months?

    Thanks & Regards
    Rahul Panwar

  • Sanchit Matta January 9, 2013, 7:28 pm

    It does not work on my centos; actually, after appending remember=10, the /etc/security/opasswd file is still empty….?

  • Mukhtar September 3, 2013, 8:04 pm

    very informative, keep mailing us