Dan and all,

I just had to enforce some fun requirements from our Corporate Data Security types and learned a lot in the process.

You can modify the pam_tally module to keep track of the number of times a user tries to login and lock the account once that number is passed. (This just bit me -- I had to go in and reset the count on a production account that had been fat-fingered a few too many times. The PAM System Admin Guide suggests a nightly cron job to reset these tallies -- I'll be putting that in place tomorrow.)

With the "chage" command you can set a bunch of password lifetime options such as min and max days between password changes, inactivity locking, and password change warnings.

There's an excellent article at http://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswords that goes into how the author convinced Red Hat to adopt his new methods for enforcing things like:

    min passwd length
    min number of lower case letters
    min number of uppercase letters
    min number of digits
    min number of other characters

This is now part of Fedora and RHEL -- there are patches available for older RH versions that might be portable elsewhere... YMMV

Being paranoid about changing security settings, I relied heavily on the PAM System Administrators Guide -- this guide is your friend! You should be able to find it if you installed the PAM doco -- on my FC3 system it's at:

    /usr/share/doc/pam-0.77/html/pam.html

Hope this helps, feel free to contact me directly if you want.

--
Richard Wilson
r dot wilson (nine) at cox dot net

--------------------------------------------------------------------

On Thu, 2005-12-15 at 21:07 -0800, Dan Lund wrote:
> Hi folks,
> I don't often hit you guys for answers but I need a little advice.
> I'm dealing with SOX/HIPAA compliance right now, which drives me a little nuts.
> Anyway, the auditors said we need to have a password history feature
> so that the user cannot change their password back to a password they
> used the last time, time before, etc.
> Now, we run Active Directory and I know I could configure the systems
> to use pam_smb to authenticate and it'd use the same password
> guidelines that the Windows world uses. I don't want to rely on
> Active Directory, and it seems like a kludge at best.
>
> I need to know how to do password history detection, has anyone had
> any experience with this on Linux servers?
> (note: This is a mix of Redhat 8.0, RHEL3/4, and Gentoo... about 160
> machines so individual maintenance would be a nightmare.. past the
> initial configuration which can easily be scripted)
>
> Any help would be appreciated. I have 6 months at most ;)
>
> --Dan Lund
> --
> To exercise power costs effort and demands courage. That is why so
> many fail to assert rights to which they are perfectly entitled -
> because a right is a kind of power but they are too lazy or too
> cowardly to exercise it. The virtues which cloak these faults are
> called patience and forbearance.
> Friedrich Nietzsche
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
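An added example, not part of Richard's or Dan's messages, putting the pieces discussed in this thread side by side: a system-auth fragment with pam_tally lockout, pam_cracklib minimum-per-class rules and pam_unix password history, plus a portable shell check of the same composition rules so a policy can be tried out before scripting it to 160 machines. The module option names (deny=, unlock_time=, minlen=, lcredit=, remember=) are real pam_tally / pam_cracklib / pam_unix options; every numeric value is an assumption. The function names are hypothetical, and the shell check is a simplified byte-count approximation of pam_cracklib's credit arithmetic, not the module itself.

```shell
#!/bin/sh
# Added example; not code from the list post or from Linux-PAM.

# 1. PAM fragment for /etc/pam.d/system-auth (Red Hat style). Values are
#    placeholders to be chosen per policy; module names/options are real.
pam_policy_fragment() {
    cat <<'EOF'
# --- lockout after repeated failures (pam_tally) ---
auth     required  pam_tally.so onerr=fail deny=5 unlock_time=1800
auth     required  pam_unix.so nullok_secure
account  required  pam_tally.so
account  required  pam_unix.so
# --- composition: minimum length, at least one of each class
#     (negative credit = minimum count of that class) ---
password required  pam_cracklib.so retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
# --- history: refuse the last 5 passwords (stored in /etc/security/opasswd) ---
password required  pam_unix.so use_authtok md5 shadow remember=5
EOF
}

# 2. Lifetime settings per user with chage (assumed values):
#    chage -m 1 -M 90 -W 7 -I 30 "$user"
#    and the nightly reset of the failure tally the guide suggests, e.g. from cron:
#    pam_tally --user "$user" --reset
#    These are shown as comments so running this file changes nothing on the host.

# 3. Portable check of the same composition rules: minimum total length and
#    at least $need characters from each of lower / upper / digit / other.
#    Counts are bytes, so multi-byte characters inflate the "other" count;
#    that is acceptable for a pre-rollout sanity check of ASCII policies.
check_password_policy() {
    pw=$1
    minlen=${2:-12}
    need=${3:-1}
    len=$(( $(printf '%s' "$pw" | wc -c) ))
    lower=$(( $(printf '%s' "$pw" | tr -cd '[:lower:]' | wc -c) ))
    upper=$(( $(printf '%s' "$pw" | tr -cd '[:upper:]' | wc -c) ))
    digit=$(( $(printf '%s' "$pw" | tr -cd '[:digit:]' | wc -c) ))
    other=$(( len - lower - upper - digit ))
    [ "$len" -ge "$minlen" ] \
        && [ "$lower" -ge "$need" ] \
        && [ "$upper" -ge "$need" ] \
        && [ "$digit" -ge "$need" ] \
        && [ "$other" -ge "$need" ]
}

# Usage when run directly: print the fragment, then try two sample passwords
# (constructed examples, not real credentials).
if [ "${0##*/}" = "pam_policy_example.sh" ]; then
    pam_policy_fragment
    for candidate in 'Correct-Horse7' 'alllowercase1'; do
        if check_password_policy "$candidate" 12 1; then
            echo "ok:   $candidate"
        else
            echo "weak: $candidate"
        fi
    done
fi
```

The fragment is written for the 0.77-era pam_tally that Richard's FC3 box ships; the lockout counter lives in /var/log/faillog and the account stays locked until the tally is reset or unlock_time passes, which is why a scheduled reset (or a deliberately chosen unlock_time) matters in production. The remember= option is the direct answer to the auditors' history requirement and works without Active Directory.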