password history ability with pam?

tjones at fastq.com
Thu Dec 15 22:32:17 MST 2005


Quoting Dan Lund <situationalawareness at gmail.com>:

> Hi folks,
> I don't often hit you guys for answers but I need a little advice.
> I'm dealing with SOX/HIPAA compliancy right now, which drives me a little
> nuts.
> Anyway, the auditors said we need to have a password history feature
> so that the user cannot change their password back to a password they
> used the last time, time before, etc.
> Now, we run Active Directory and I know I could configure the systems
> to use pam_smb to authenticate and it'd use the same password
> guidelines that the Windows world uses.  I don't want to rely on
> Active Directory, and it seems like a kludge at best.
> 
> I need to know how to do password history detection, has anyone had
> any experience with this on Linux servers?
> (note: This is a mix of Redhat 8.0, RHEL3/4, and Gentoo... about 160
> machines so individual maintenance would be a nightmare... past the
> initial configuration which can easily be scripted)
> 
> Any help would be appreciated.  I have 6 months at most ;)
> 
> --Dan Lund

I stole this idea from here: http://uranus.it.swin.edu.au/~jn/linux/redhatserver.htm

Enabling a password history

1. Create the old password file with the command
# touch /etc/security/opasswd

2. Edit /etc/pam.d/system-auth and add the following pam_unix parameter
"remember=3".

Cracklib will automatically check /etc/security/opasswd and will not allow any
of the passwords listed to be used again.  This means that you must have
pam_cracklib stacked before your pam_unix module (which is the default).

_-_ end quote

Change the "remember=3" to 4, enforce password changes every 90 days, and you're
covered for a year.  Should work with RedHat of various stripes back to 7.  Not
sure about Gentoo, but let us know if you turn anything up?

TJ
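As an added check, not taken from the post or from the linked page: a small Python audit that parses the "password" stack of a system-auth-style file and reports whether pam_unix carries a remember=N option of at least the required depth and whether pam_cracklib is stacked ahead of it. The config text it reads is a constructed sample, not a file from any real host.

```python
import re

# Constructed sample of an /etc/pam.d/system-auth; not taken from any real host.
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok use_authtok remember=3
session     required      pam_unix.so
"""

# password <control> <module> [options]; control may be a bracketed [..] list.
PASSWORD_LINE = re.compile(r"^password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_password_stack(text):
    """Return [(module, {option: value})] for the 'password' lines, in stack order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        module = m.group(2).rsplit("/", 1)[-1]       # strip any directory prefix
        opts = {}
        for tok in m.group(3).split():
            key, _, val = tok.partition("=")
            opts[key] = val                          # flag options get ""
        stack.append((module, opts))
    return stack


def audit_history(text, required_remember):
    """Return findings for the history policy; an empty list means it is in place."""
    stack = parse_password_stack(text)
    modules = [mod for mod, _ in stack]
    if "pam_unix.so" not in modules:
        return ["no pam_unix.so in the password stack"]
    findings = []
    remember = stack[modules.index("pam_unix.so")][1].get("remember", "")
    if not remember.isdigit():
        findings.append("pam_unix.so has no remember=N option")
    elif int(remember) < required_remember:
        findings.append(f"remember={remember} is below the required {required_remember}")
    if "pam_cracklib.so" not in modules:
        findings.append("pam_cracklib.so is not in the password stack")
    elif modules.index("pam_cracklib.so") > modules.index("pam_unix.so"):
        findings.append("pam_cracklib.so must be stacked before pam_unix.so")
    return findings
```

Running audit_history(open("/etc/pam.d/system-auth").read(), 4) on a host reports the gaps against the four-password depth suggested above; the existence of /etc/security/opasswd still has to be checked separately.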





