How to prevent user from using old password (or re-using) again in Linux

In my last article I shared various methods to prevent brute force SSH attacks in Linux. Now consider a scenario where you wish to enforce a particular restriction in your password policy: a user must not be able to reuse an old password when a new password is assigned.


Prevent user from using old password

For example, if I have used the password "test123", then the next time a new password is assigned I will not be allowed to use "test123" again. But up to what history depth should this restriction apply? Assume I wish to prevent a user from reusing any of the 5 most recent passwords; a password older than the 5th one can be used again.

For example, below is the list of passwords assigned over time to the user deepak:

test1
test2
test3
test4
test5
test6

So the next time, deepak can reuse test1 as the password, since it is the 6th old password, but he will not be allowed to use test2 as the new password.

To implement this restriction we must insert the following line in /etc/pam.d/system-auth and /etc/pam.d/password-auth (after the pam_pwquality.so line):

password    requisite     pam_pwhistory.so remember=5 use_authtok

From the man page of pam_unix:

use_authtok
     When changing passwords, force the module to set the new password to the one provided by a previously stacked password module
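As an added example (not part of the original article), the following portable shell check verifies that a PAM password stack is configured the way the line above requires: a pam_pwhistory.so entry with remember set to at least the expected depth, the use_authtok option, and placement after pam_pwquality.so. The PAM stacks it runs over are constructed samples, not copies of a live system's files; the function and sample names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: check that a PAM password
# stack enforces password history with pam_pwhistory.so (remember=N and
# use_authtok, placed after pam_pwquality.so). The stacks below are
# constructed samples, not copied from a real system.

# check_pwhistory PAM_TEXT MIN_REMEMBER
# Reads the text of a PAM file from $1 and requires, in the password stack,
# a pam_pwhistory.so line with remember >= $2 (default 5), the use_authtok
# option, and an ordering after pam_pwquality.so when that module is present.
# Prints "ok" and returns 0 on success; prints the first problem and returns 1.
check_pwhistory() {
    printf '%s\n' "$1" | awk -v min="${2:-5}" '
        /^[[:space:]]*#/ || NF < 3 { next }   # skip comments and blank lines
        $1 != "password" { next }             # only the password stack matters
        $3 ~ /pam_pwquality\.so$/ { q = NR }  # remember where pam_pwquality sits
        $3 ~ /pam_pwhistory\.so$/ {
            h = NR
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^remember=[0-9]+$/) { split($i, kv, "="); rem = kv[2] + 0 }
                if ($i == "use_authtok") uat = 1
            }
        }
        END {
            r = rem + 0
            if (!h)         { print "missing pam_pwhistory.so in password stack"; exit 1 }
            if (r < min + 0) { print "remember=" (r) " is below required " (min); exit 1 }
            if (!uat)       { print "pam_pwhistory.so lacks use_authtok"; exit 1 }
            if (q && h < q) { print "pam_pwhistory.so must come after pam_pwquality.so"; exit 1 }
            print "ok"
        }'
}

# Constructed sample: the password section as the article configures it.
GOOD_STACK='
# /etc/pam.d/system-auth (constructed excerpt)
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    requisite     pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
'

# Constructed sample: a stack with no history enforcement at all.
NO_HISTORY_STACK='
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
'

# Constructed sample: history line present but placed before pam_pwquality.so.
WRONG_ORDER_STACK='
password    requisite     pam_pwhistory.so remember=5 use_authtok
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
'

# Run the check over each constructed sample and print the verdict.
for name in GOOD_STACK NO_HISTORY_STACK WRONG_ORDER_STACK; do
    eval "stack=\$$name"
    printf '%-18s ' "$name"
    check_pwhistory "$stack" 5 || true
done
# Live use on a system (not run here):
#   check_pwhistory "$(cat /etc/pam.d/system-auth)" 5
```

The check only inspects the configuration; the old password hashes that pam_pwhistory compares against are kept in /etc/security/opasswd, so a stack that passes this check on a freshly configured host will only start rejecting reused passwords once that file has accumulated history from subsequent password changes.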

Let us see a live example. I will log in over SSH as the user 'deepak'. Since a password change has been enforced to demonstrate this article, 'deepak' must change his password at login.

[root@rhel-7 ~]# ssh deepak@10.0.2.11
deepak@10.0.2.11's password:
You are required to change your password immediately (root enforced)
Last login: Sat Aug 31 18:05:47 2019 from 10.0.2.11
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user deepak.
Changing password for deepak.
(current) UNIX password:
New password:
Retype new password:
Password has been already used. Choose another.

If deepak attempts to reuse one of his old passwords, he gets the error shown on the last line above ("Password has been already used. Choose another.").

Lastly, I hope the steps from this article to prevent a user from reusing an old password in Linux were helpful. Let me know your suggestions and feedback using the comment section.