In my last article I shared various methods to prevent brute force SSH attacks in Linux. Now we have a scenario where you wish to enforce a certain password restriction in your password policy. We wish to prevent user from using old password while assigning new password i.e. re-using old password when assigning new password.
Prevent user from using old password
For example I have used password "test123
" so next time I assign new password, I will not be allowed to use "test123
" again. But then till what history threshold will be keep this cap. Assuming I wish to prevent user from using old password (till 5th old password), older than 5th password can be used.
For example, below are the list of passwords I have assigned over the period of time for deepak user
test1 test2 test3 test4 test5 test6
So next time deepak
user can re-use test1
as the password as it was the 6th old password but will not be allowed to use test2
as the new password.
To implement this restriction we must insert the following in /etc/pam.d/system-auth
and /etc/pam.d/password-auth
(after pam_pwquality.so
line):
password requisite pam_pwhistory.so remember=5 use_authtok
From the man page of pam_unix
use_authtok When password changing enforce the module to set the new password to the one provided by a previously stacked password module
Let us see this live example. I will try to perform SSH using 'deepak
' user. Since the password change is enforced to demonstrate this article, user 'deepak
' must change his password.
[root@rhel-7 ~]# ssh deepak@10.0.2.11 deepak@10.0.2.11's password: You are required to change your password immediately (root enforced) Last login: Sat Aug 31 18:05:47 2019 from 10.0.2.11 WARNING: Your password has expired. You must change your password now and login again! Changing password for user deepak. Changing password for deepak. (current) UNIX password: New password: Retype new password: Password has been already used. Choose another.
If deepak
attempts to use same old password, then he gets the highlighted error.
Lastly I hope the steps from the article to prevent user from using old password (or re-using) again in Linux was helpful. So, let me know your suggestions and feedback using the comment section.