LinuxQuestions.org
Old 02-22-2011, 11:16 PM   #1
ajayan
Member
 
Registered: Dec 2007
Posts: 89

Password History In Ubuntu (pam_passwdqc.so)


Hi all,

I am using the pam_passwdqc.so module for Linux password security. All the policies were working fine, but I just noticed that password history is not working properly. Currently users are able to use their old passwords. After googling, I understand that pam_passwdqc.so does not support password history. I don't want to use pam_cracklib.so password hardening, but can I use it only for password history along with pam_passwdqc.so? I had tried the steps mentioned in
http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

but it was not working. Any suggestions?
 
Old 02-23-2011, 04:51 PM   #2
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,877

I found this while researching your question:
http://www.stuartellis.eu/articles/securing-linux/
Scroll down to
Quote:
Ensuring Strong Passwords with PAM

Red Hat and Fedora systems include the pam_cracklib password complexity check in their default configuration. For Debian and Ubuntu systems, install either pam_cracklib or pam_passwdqc.

Use pam_cracklib to provide simple password checks. To ensure extremely strong passwords, install pam_passwdqc. Non-technical users may find the default settings for pam_passwdqc too demanding.

To enable password complexity checks on Debian and Ubuntu systems with pam_passwdqc, use these settings in /etc/pam.d/common-password:
password required pam_unix.so use_authtok md5
password required pam_passwdqc.so
Notice that pam_cracklib.so isn't mentioned. You need pam_unix.so to keep the history.

The link you gave has this to say:
Quote:
Password "History"

pam_cracklib is capable of consulting a user's password "history" and not allowing them to re-use old passwords. However, the functionality for actually storing the user's old passwords is enabled via the pam_unix module.

The first step is to make sure to create an empty /etc/security/opasswd file for storing old user passwords. If you forget to do this before enabling the history feature in the PAM configuration file, then all user password updates will fail because the pam_unix module will constantly be returning errors from the password history code due to the file being missing.

Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes (albeit for old user passwords that are no longer in use):

touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd

Once you've got the opasswd file set up, enable password history checking by adding the option "remember=<x>" to the pam_unix configuration line in the /etc/pam.d/common-password file. Here's how I have things set up on my Knoppix machine:

password required pam_cracklib.so retry=3 minlen=12 difok=4
password required pam_unix.so md5 remember=12 use_authtok

The value of the "remember" parameter is the number of old passwords you want to store for a user. It turns out that there's an internal maximum of 400 previous passwords, so values higher than 400 are all equivalent to 400. Before you complain about this limit, consider that even if your site forces users to change passwords every 30 days, 400 previous passwords represents over 30 years of password history. This is probably sufficient for even the oldest of legacy systems.
Ignore the references to pam_cracklib.so. The pam_unix part is relevant to your problem.
 
1 members found this post helpful.
Old 02-23-2011, 05:19 PM   #3
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

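Here's a scriptlet if you need to automate it:

Code:
# Append remember=4 to the active pam_unix password line; lines that already set remember= are left alone
perl -pi -e 's/^(\s*password\s.*pam_unix\.so.*)$/$1 remember=4/ unless /\bremember=/' /etc/pam.d/<appropriate_file_here_depending_on_distro>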
cheers
 
Old 02-23-2011, 11:32 PM   #4
ajayan
Member
 
Registered: Dec 2007
Posts: 89

Original Poster
@bigrigdriver

Thanks for your quick reply. Your suggestion worked!!! I had modified /etc/pam.d/common-passwd with pam_unix.so. Here is my common-passwd. This might help somebody else also.

password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 retry=3
password sufficient pam_unix.so obscure use_authtok try_first_pass sha512 shadow remember=24

This site also gives some information:

http://www.techrepublic.com/article/...sswdqc/6111316

@kbp
Thanks. I haven't tried it, but will definitely look into it.
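
Added example, not part of any post in this thread: a shell check that a password stack like the one in post #4 actually enforces history, i.e. that the active pam_unix.so line carries remember=<n> and that the history file exists with mode 600 and the expected owner. The function name check_pw_history and the scratch files in the demo are assumptions made for illustration; stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Usage: check_pw_history <pam-file> <opasswd-file> [expected-owner-uid]
# Prints "ok remember=N" and returns 0 when history is enforced;
# otherwise prints the reason and returns 1.
check_pw_history() {
    pam_file=$1
    opasswd=$2
    owner=${3:-0}    # root by default; overridable so the check runs unprivileged

    # First uncommented "password" line that loads pam_unix.so.
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_unix\.so' "$pam_file" | head -n 1)
    if [ -z "$line" ]; then
        echo "no pam_unix.so line in password stack"; return 1
    fi

    # Pull out the remember=<n> value, if any.
    n=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]remember=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$n" ] || [ "$n" -eq 0 ]; then
        echo "pam_unix.so has no remember=<n>"; return 1
    fi

    # Per the article quoted in post #2, a missing history file makes
    # pam_unix password updates fail.
    if [ ! -f "$opasswd" ]; then
        echo "missing $opasswd"; return 1
    fi

    # The file holds old password hashes: treat it like /etc/shadow.
    mode=$(stat -c '%a' "$opasswd")
    uid=$(stat -c '%u' "$opasswd")
    if [ "$mode" != "600" ] || [ "$uid" != "$owner" ]; then
        echo "$opasswd is mode $mode uid $uid, expected 600 uid $owner"; return 1
    fi
    echo "ok remember=$n"
}

# Constructed demo: the stack from post #4 and a scratch history file.
demo=$(mktemp -d)
printf '%s\n' \
    'password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 retry=3' \
    'password sufficient pam_unix.so obscure use_authtok try_first_pass sha512 shadow remember=24' \
    > "$demo/common-password"
: > "$demo/opasswd" && chmod 600 "$demo/opasswd"
check_pw_history "$demo/common-password" "$demo/opasswd" "$(id -u)"
rm -rf "$demo"
```

On a real system the call would be check_pw_history /etc/pam.d/common-password /etc/security/opasswd, run as root so the history file is readable.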
 
  

