PAM is a flexible mechanism for authenticating users. For example, you do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_unix2 (part of certain enterprise distro) PAM module. In this quick, blog post I am going to explain how to restrict use of previous passwords using pam_unix.so.
More about pam_unix/pam_unix2 module
This is the standard Unix authentication module. It uses standard calls from the system’s libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.
This module provides functionality for PAM modules such as authentication, account management and more. Same module can be used to maintain a list of old passwords for every user. This is useful if you want to disallow use of old passwords. The old password list is located in the /etc/security/opasswd file.
You need to edit the following files:
- /etc/login.defs – Shadow password suite configuration
- /etc/pam.d/common-auth – OpenSuse/Suse Enterprise Linux pam config file.
- /etc/pam.d/system-auth – CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.
- /etc/pam.d/common-password – Debian / Ubuntu Linux pam config file.
- /etc/security/opasswd – Store old passwords.
Finding pam_unix.so or pam_unix2.so file location
Type the following find command:
#* NOTE on a Linux (modern version) distro you do not need to set a full path *# ## 64 bit distro ## find / -iname "pam_unix.so" find / -iname "pam_unix2.so" ## 32 bit distro ## find / -iname "pam_unix.so" find / -iname "pam_unix2.so"
Step:1 – HowTo limit password reuse on Linux
Open your /etc/pam.d/common-password file on a Debian / Ubuntu Linux, run:
# # cp /etc/pam.d/common-password /root/common-password.bak
If you are using CentOS / RHEL / RedHat / Fedora Linux, edit /etc/pam.d/system-auth file, run:
# cp /etc/pam.d/system-auth /root/system-auth.bak
# vi /etc/pam.d/system-auth
OpenSUSE/SUSE Linux user, edit /etc/pam.d/common-auth, run:
# cp /etc/pam.d/common-auth /root/common-auth.bak
# vi /etc/pam.d/common-auth
Edit/add password line and append remember=13 to prevent a user from re-using any of his or her last 13 passwords:
password sufficient pam_unix.so use_authtok md5 shadow remember=13
IF you are using pam_unix2.so, update it as follows:
password sufficient pam_unix2.so use_authtok md5 shadow remember=13
Save and close the file. Please note that the last 13 passwords for each user are saved in /etc/security/opasswd file in order to force password change history and keep the user from alternating between the same password too frequently.
Step:2 – Enable password aging
Edit /etc/login.defs, enter:
In this example, pam_unix.so/pam_unix2.so is configured to remember 13 passwords. User can not use the same password for at least 3 months (13*7=91 days = 3 months)
# vi /etc/login.defs
Set the minimum number of days (PASS_MIN_DAYS=7) allowed between password changes:
### Minimum number of 7 days before a user can change the password since the last change ### PASS_MIN_DAYS=7
Save and close the file.
Step:3 – /etc/security/opasswd
If the file /etc/security/opasswd does not exist, create the file using touch or shell redirection command:
# [ ! -f /etc/security/opasswd ] && touch /etc/security/opasswd
# [ ! -f /etc/security/opasswd ] && >/etc/security/opasswd
Use the following ls command to verify file permissions:
# ls -lZ /etc/security/opasswd
Sample outputs from RHEL SELinux enabled systems:
-rw-------. root root system_u:object_r:shadow_t:s0 /etc/security/opasswd
Linux based system will remember last 13 passwords. If user tries to use any one of the last 13 old passwords, he/she will get an error message as follows on screen:
Password has been already used. Choose another.
And there you have it. The pam_unix.so/pam_unix2.so configured to the number of previous passwords that cannot be reused. I also suggest that you use the pam_cracklib Linux pam module to set password quality requirements.