LinuxQuestions.org - Linux - Newbie
Password History using pam_passwdqc.so and pam_unix.so (https://www.linuxquestions.org/questions/linux-newbie-8/password-history-using-pam_passwdqc-so-and-pam_unix-so-874960/)

Viswes_B 04-14-2011 06:05 AM

Password History using pam_passwdqc.so and pam_unix.so
 
Hi,

I am trying to add the argument remember=5 to pam_unix.so so that it remembers the 5 previously set passwords. When I try to test this by changing the user's password, PAM accepts a password which was already configured.

I also checked whether pam_unix is trying to save the information to /etc/security/opasswd, but it doesn't.

I am using shadow too.

My system_auth looks like the following:
auth required /lib64/security/pam_tally.so audit deny=5
auth required /lib64/security/pam_unix.so nullok_secure


account required /lib64/security/pam_tally.so
account required /lib64/security/pam_unix.so

password required /lib64/security/pam_passwdqc.so passphrase=0 random=0 min=disabled,disabled,disabled,8,8 max=40 match=4 similar=deny
password sufficient /lib64/security/pam_unix.so nullok use_authtok md5 shadow use_first_pass
password required pam_deny.so

#session optional /lib64/security/pam_keyinit.so revoke
session required /lib64/security/pam_limits.so
session required /lib64/security/pam_unix.so

Kindly let me know what is wrong with the configuration.

savona 04-14-2011 10:23 AM

Did you create the opasswd file and set the necessary permissions/ownership?

touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd

Then I would try changing the following line:

password sufficient /lib64/security/pam_unix.so nullok use_authtok md5 shadow use_first_pass

to

password sufficient /lib64/security/pam_unix.so nullok remember=5 use_authtok md5 shadow use_first_pass

Viswes_B 04-14-2011 11:45 PM

Quote:

Originally Posted by savona (Post 4324586)
Did you create the opasswd file and set the necessary permissions/ownership?

touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd

Then I would try changing the following line:

password sufficient /lib64/security/pam_unix.so nullok use_authtok md5 shadow use_first_pass

to

password sufficient /lib64/security/pam_unix.so nullok remember=5 use_authtok md5 shadow use_first_pass

Hi,

After adding your changes, I corrected one more thing: the way I was testing this was entirely wrong. I was simply changing the password. Instead I made the password expire, logged in again, gave the same password, and yippee... it worked.
I can see the error message.
I can see the opasswd file updated too.

But a small clarification: once I change the password to a new one which is not in the remember list (opasswd) and again issue "passwd admin" with one of the remembered passwords, it doesn't throw any error, it accepts it... why so???

savona 04-15-2011 05:40 AM

Quote:

Originally Posted by Viswes_B (Post 4325148)
Hi,

After adding your changes, I corrected one more thing: the way I was testing this was entirely wrong. I was simply changing the password. Instead I made the password expire, logged in again, gave the same password, and yippee... it worked.
I can see the error message.
I can see the opasswd file updated too.

But a small clarification: once I change the password to a new one which is not in the remember list (opasswd) and again issue "passwd admin" with one of the remembered passwords, it doesn't throw any error, it accepts it... why so???

Are you running "passwd admin" as root? Root is allowed to reuse passwords in the history list. If you're logged in as a user you should just use "passwd", as only root is allowed to specify a user when running passwd.
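The two things this thread ends up checking by hand, whether the password stack actually carries remember=N on its pam_unix.so line (savona's fix above) and whether /etc/security/opasswd exists with the right ownership and mode, can be scripted. The following is an added example written for this page, not code from the thread or from Linux-PAM. It parses pam.d-style lines, reports the remember= value, parses opasswd records (format user:uid:count:hash1,hash2,...), models how pam_unix trims the history to the newest N hashes, and runs the ownership/mode check. The PAM text is a constructed copy of the thread's lines; the opasswd record and its $1$ hashes are placeholders, not real hashes.

```python
"""Audit helpers for the pam_unix password-history setup discussed above.

Added example, not code from the original thread.  PAM lines and opasswd
entries below are constructed for illustration; the hash strings are
placeholders, not real password hashes.
"""
import os
import re
import stat
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the password stack from the first post (no remember=).
PAM_BEFORE = """\
password required /lib64/security/pam_passwdqc.so passphrase=0 random=0 min=disabled,disabled,disabled,8,8 max=40 match=4 similar=deny
password sufficient /lib64/security/pam_unix.so nullok use_authtok md5 shadow use_first_pass
password required pam_deny.so
"""
# The same stack with the fix from the reply applied.
PAM_AFTER = PAM_BEFORE.replace("pam_unix.so nullok ", "pam_unix.so nullok remember=5 ")

# facility, control (bare word or [bracketed ...]), module path, arguments
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamEntry:
    facility: str
    control: str
    module: str
    args: list[str] = field(default_factory=list)


def parse_pam(text: str) -> list[PamEntry]:
    """Parse pam.d-style text; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _PAM_LINE.match(line) if line else None
        if m:
            entries.append(PamEntry(m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return entries


def pam_unix_remember(text: str) -> Optional[int]:
    """remember=N on the password-stack pam_unix line, or None if history is off."""
    for e in parse_pam(text):
        if e.facility == "password" and os.path.basename(e.module) == "pam_unix.so":
            for arg in e.args:
                m = re.fullmatch(r"remember=(\d+)", arg)
                if m:
                    return int(m.group(1))
            return None  # pam_unix is there but keeps no history
    return None


@dataclass
class OpasswdEntry:
    """One /etc/security/opasswd record: user:uid:count:hash1,hash2,..."""
    user: str
    uid: int
    count: int
    hashes: list[str]


def parse_opasswd(text: str) -> dict[str, OpasswdEntry]:
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, uid, count, hashes = line.split(":", 3)
        entries[user] = OpasswdEntry(user, int(uid), int(count), [h for h in hashes.split(",") if h])
    return entries


def record_old_password(entry: OpasswdEntry, old_hash: str, remember: int) -> OpasswdEntry:
    """Model (assumption, not pam_unix's own code) of a successful change: the
    hash being retired is appended and the list is trimmed to the newest N."""
    hashes = (entry.hashes + [old_hash])[-remember:]
    return OpasswdEntry(entry.user, entry.uid, len(hashes), hashes)


def opasswd_findings(path: str) -> list[str]:
    """Ownership/mode checks matching the touch/chown/chmod advice above."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist; pam_unix has nowhere to record history"]
    findings = []
    if st.st_uid != 0 or st.st_gid != 0:
        findings.append(f"{path} is not owned by root:root")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path} mode is {mode:04o}, expected 0600")
    return findings


if __name__ == "__main__":
    print("remember before fix:", pam_unix_remember(PAM_BEFORE))
    print("remember after fix: ", pam_unix_remember(PAM_AFTER))
    # Constructed opasswd record with placeholder hashes.
    hist = parse_opasswd("admin:500:2:$1$aaaa$old1,$1$bbbb$old2\n")["admin"]
    hist = record_old_password(hist, "$1$cccc$old3", remember=5)
    print("history for admin:", hist.count, hist.hashes)
    for finding in opasswd_findings("/etc/security/opasswd"):
        print("finding:", finding)
```

Run it as root on the box being configured to see the live opasswd findings; the PAM parsing part works on any copy of the config. Note that the script only inspects configuration and file state; it cannot reproduce the root behaviour savona describes, since that is passwd/pam_unix skipping the history check for the superuser rather than anything visible in the files.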

Viswes_B 04-19-2011 02:32 AM

Savona,

Thanks, this issue has been resolved. I am able to see the stored passwords in the opasswd file. Thanks a lot.

Viswes

savona 04-19-2011 07:39 AM

Glad I can help!
