LinuxQuestions.org
Old 10-27-2004, 12:01 PM   #1
tonyfreeman
Member
 
Registered: Sep 2003
Location: Fort worth, TX
Distribution: Debian testing 64bit at home, EL5 32/64bit at work.
Posts: 196

Rep: Reputation: 30
Need help with remember=10 option


I've been trying to use the "remember" option to pam_unix.so ... but it isn't behaving correctly. Here is my /etc/pam.d/passwd file:

Code:
#%PAM-1.0
#auth       required	pam_stack.so service=system-auth
#account    required	pam_stack.so service=system-auth
#password   required	pam_stack.so service=system-auth

auth        required      /lib/security/pam_env.so
auth	    required 	  /lib/security/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_succeed_if.so uid < 100
account     required      /lib/security/pam_unix.so
account	    required	  /lib/security/pam_tally.so deny=5 no_magic_root reset

password    requisite     /lib/security/pam_cracklib.so minlen=8 retry=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow nis remember=10
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

When I log in as "testing" and type "passwd" I type my current password and then I type my new password 2 times. I get this output when I type in a brand new password ... I also get this output when I type in a previous password:

Code:
[testing@xxxx testing]$ passwd
Changing password for user testing.
Changing password for testing
(current) UNIX password: 
New UNIX password: 
Retype new UNIX password: 
Password has been already used. Choose another.
Password has been already used. Choose another.
Password has been already used. Choose another.
passwd: Authentication token manipulation error

The password I typed in has not already been used.

When I take out the "remember" option I can change the password. I've also experimented with tacking the "remember" option onto the "auth" pam_unix section and onto the "account" pam_unix section with no luck.

Additionally ... the pam_tally.so entry does not lock out my user after 5 failed attempts.

What am I doing wrong? Any help would be appreciated ;-)

-- Tony

Last edited by tonyfreeman; 10-27-2004 at 12:03 PM.
 
Old 10-27-2004, 03:57 PM   #2
tonyfreeman
Member
 
Registered: Sep 2003
Location: Fort worth, TX
Distribution: Debian testing 64bit at home, EL5 32/64bit at work.
Posts: 196

Original Poster
Rep: Reputation: 30
ANSWER to remember=10 problem

OK ... the answer to my problem is to manually touch a file called /etc/security/opasswd

Now pam.d remembers the old passwords and I don't get any of the errors I noted above.

Thanks goes to Neowulf in his post and follow-ups that he made :-)

Now ... the next problem to solve is the tally thing. I can still log in after making 7 or more failed attempts.

-- --------- UPDATE ANSWER ----------- --

OK ... the answer to the tally thing is to first touch a file called /var/log/faillog. Then take out the tally entries in the "passwd" (because they do not work in the passwd file) and put them into the /etc/pam.d/system-auth file.

The system-auth file WILL get overwritten if you happen to use the GUI at a later date ... so you should also put the tally lines in /etc/pam.d/login and /etc/pam.d/sshd .... I wonder where else?

I now have tally working correctly and the remember thing working just fine ;-)

-- Tony

Last edited by tonyfreeman; 10-28-2004 at 09:10 AM.
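
Added example, not part of the posts above: a small pre-flight check for the two causes found in this thread, a `remember=` line with no /etc/security/opasswd and pam_tally lines with no /var/log/faillog or placed in the passwd service. The function names, the optional ROOT argument and the mode-600 check on opasswd (it stores old password hashes, and a plain `touch` usually leaves it world-readable) are assumptions of this example, and the sample tree is constructed.

```shell
#!/bin/sh
# pam_precheck [ROOT]: look under ROOT/etc/pam.d (ROOT defaults to /) for
# active "remember=" and pam_tally lines whose backing files are missing.
# Prints one finding per line and returns 1 if there was any finding.
pam_precheck() {
    root=${1%/}
    op="$root/etc/security/opasswd"
    findings=0
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        svc=${f##*/}
        # Non-comment "password ... pam_unix.so ... remember=N" line
        if grep -Eq '^[[:space:]]*password[[:space:]].*pam_unix\.so.*remember=[0-9]+' "$f"; then
            if [ ! -e "$op" ]; then
                echo "$svc: remember= is set but /etc/security/opasswd is missing"
                findings=1
            elif [ -z "$(find "$op" -prune -perm 600)" ]; then
                # Assumption added here: old hashes should not be world-readable
                echo "$svc: /etc/security/opasswd is not mode 600"
                findings=1
            fi
        fi
        # Non-comment auth/account line that loads pam_tally.so
        if grep -Eq '^[[:space:]]*(auth|account)[[:space:]].*pam_tally\.so' "$f"; then
            if [ ! -e "$root/var/log/faillog" ]; then
                echo "$svc: pam_tally is used but /var/log/faillog is missing"
                findings=1
            fi
            if [ "$svc" = passwd ]; then
                echo "$svc: thread reports pam_tally does not work in this service"
                findings=1
            fi
        fi
    done
    return "$findings"
}

# Constructed sample: two lines from the thread's passwd file in a temp tree.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/pam.d"
    printf '%s\n' \
        'auth required /lib/security/pam_tally.so onerr=fail no_magic_root' \
        'password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis remember=10' \
        > "$t/etc/pam.d/passwd"
    pam_precheck "$t" && rc=0 || rc=$?
    rm -rf "$t"
    return "$rc"
}
demo || true
```

Run `pam_precheck` with no argument as root to check the live /etc/pam.d; a clean run prints nothing and returns 0.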
 
  

