Old 02-22-2011, 11:16 PM   #1
Registered: Dec 2007
Posts: 89

Rep: Reputation: 16
Password History In Ubuntu (

Hi all,

I am using module for Linux Password Security. Every policy was working fine, but I just noticed that Password history is not working properly. Currently users are able to use their old passwords. After googling, it's understood that does not support Password History. I don't want to use password hardening, but can I use it only for password history along with had tried the steps mentioned in

but it was not working. Any suggestions?
Old 02-23-2011, 04:51 PM   #2
LQ Addict
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,898

Rep: Reputation: 353
I found this while researching your question:
Scroll down to
Ensuring Strong Passwords with PAM

Red Hat and Fedora systems include the pam_cracklib password complexity check in their default configuration. For Debian and Ubuntu systems, install either pam_cracklib or pam_passwdqc.

Use pam_cracklib to provide simple password checks. To ensure extremely strong passwords, install pam_passwdqc. Non-technical users may find the default settings for pam_passwdqc too demanding.

To enable password complexity checks on Debian and Ubuntu systems with pam_passwdqc, use these settings in /etc/pam.d/common-password:
password required use_authtok md5
password required
Notice that isn't mentioned. You need to keep the history.

The link you gave has this to say:
Password "History"

pam_cracklib is capable of consulting a user's password "history" and not allowing them to re-use old passwords. However, the functionality for actually storing the user's old passwords is enabled via the pam_unix module.

The first step is to make sure to create an empty /etc/security/opasswd file for storing old user passwords. If you forget to do this before enabling the history feature in the PAM configuration file, then all user password updates will fail because the pam_unix module will constantly be returning errors from the password history code due to the file being missing.

Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes (albeit for old user passwords that are no longer in use):

touch /etc/security/opasswd

chown root:root /etc/security/opasswd

chmod 600 /etc/security/opasswd

Once you've got the opasswd file set up, enable password history checking by adding the option "remember=<x>" to the pam_unix configuration line in the /etc/pam.d/common-password file. Here's how I have things set up on my Knoppix machine:

password required retry=3 minlen=12 difok=4

password required md5 remember=12 use_authtok

The value of the "remember" parameter is the number of old passwords you want to store for a user. It turns out that there's an internal maximum of 400 previous passwords, so values higher than 400 are all equivalent to 400. Before you complain about this limit, consider that even if your site forces users to change passwords every 30 days, 400 previous passwords represents over 30 years of password history. This is probably sufficient for even the oldest of legacy systems.
Ignore the references to The pam_unix part is relevant to your problem.
1 members found this post helpful.
Old 02-23-2011, 05:19 PM   #3
Senior Member
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 650
Here's a scriptlet if you need to automate it:

perl -pi -e 's?(.*password.*pam_unix.*)?\1 remember=4?' /etc/pam.d/<appropriate_file_here_depending_on_distro>
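
An added example, not part of any post in this thread: the pattern in the one-liner above also matches comment lines that contain both words, and it appends another remember= every time it is run. The sketch below edits only active password lines and is safe to re-run; it assumes the line names the module as pam_unix.so, and the function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# set_remember FILE N: put remember=N on active pam_unix password lines.
set_remember() {
    file=$1 n=$2
    tmp=$(mktemp) || return 1
    awk -v n="$n" '
        # Comments are skipped: only lines whose first field is "password"
        # and that load pam_unix.so are edited.
        $1 == "password" && /pam_unix\.so/ {
            if ($0 ~ /(^|[ \t])remember=[0-9]+/)
                sub(/remember=[0-9]+/, "remember=" n)  # already set: update
            else
                $0 = $0 " remember=" n                 # not set: append once
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# check_opasswd [FILE]: 0 = ok, 1 = missing, 2 = mode not 600, 3 = not root:root
check_opasswd() {
    f=${1:-/etc/security/opasswd}
    [ -f "$f" ] || return 1        # missing file makes password changes fail
    set -- $(ls -ln "$f")          # $1 = mode string, $3 = uid, $4 = gid
    case $1 in -rw-------*) ;; *) return 2 ;; esac
    [ "$3:$4" = "0:0" ] || return 3
    return 0
}

# Demo on a constructed sample, not a real PAM file.
demo=$(mktemp)
printf '%s\n' '# password settings for pam_unix.so (constructed)' \
    'password required pam_unix.so md5 use_authtok' > "$demo"
set_remember "$demo" 12
set_remember "$demo" 12            # second run changes nothing
cat "$demo"
rm -f "$demo"
```

Run check_opasswd before enabling remember=, and keep a root shell open while testing any change to a PAM file.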
Old 02-23-2011, 11:32 PM   #4
Registered: Dec 2007
Posts: 89

Original Poster
Rep: Reputation: 16

Thanks for your quick reply. Your suggestion worked!!! I had modified /etc/pam.d/common-passwd with is my common-passwd. This might help somebody else also.

password requisite min=disabled,disabled,disabled,disabled,8 retry=3
password sufficient obscure use_authtok try_first_pass sha512 shadow remember=24

This site also gives some information

Thanks. I haven't tried. But will definitely look into it.

