Re: password history ability with pam?

Author: tjones@fastq.com
Date:  
To: Main PLUG discussion list
Subject: Re: password history ability with pam?
Quoting Dan Lund <>:

> Hi folks,
> I don't often hit you guys for answers but I need a little advice.
> I'm dealing with SOX/HIPAA compliancy right now, which drives me a little
> nuts.
> Anyway, the auditors said we need to have a password history feature
> so that the user cannot change their password back to a password they
> used the last time, time before, etc.
> Now, we run Active Directory and I know I could configure the systems
> to use pam_smb to authenticate and it'd use the same password
> guidelines that the Windows world uses. I don't want to rely on
> Active Directory, and it seems like a kludge at best.
>
> I need to know how to do password history detection, has anyone had
> any experience with this on Linux servers?
> (note: This is a mix of Redhat 8.0, RHEL3/4, and Gentoo... about 160
> machines so individual maintenance would be a nightmare.. past the
> initial configuration which can easily be scripted)
>
> Any help would be appreciated. I have 6 months at most ;)
>
> --Dan Lund


I stole this idea from here: http://uranus.it.swin.edu.au/~jn/linux/redhatserver.htm

Enabling a password history

1. Create the old password file with the command
# touch /etc/security/opasswd

2. Edit /etc/pam.d/system-auth and add the following pam_unix parameter
"remember=3".

Cracklib will automatically check /etc/security/opasswd and will not allow any
of the passwords listed to be used again. This means that you must have
pam_cracklib stacked before your pam_unix module (which is the default).

_-_ end quote

Change the "remember=3" to 4, enforce password changes every 90 days, and you're
covered for a year. Should work with RedHat of various stripes back to 7. Not
sure about Gentoo, but let us know if you turn anything up?

TJ



-------------------------------------------------
FastQ Communications
Providing Innovative Internet Solutions Since 1993

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
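
With about 160 machines to cover, the settings from the steps above can be verified per host. The following is an added example, not part of the original message or the page it quotes: a shell function that checks that the old-password file exists, that pam_unix carries remember=N with N at least the wanted value, and that pam_cracklib is stacked before pam_unix. The function name check_pw_history, the sample stacks and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# Usage: check_pw_history PAM_FILE MIN_REMEMBER [OPASSWD_FILE]
# Prints one FAIL line per problem; returns 0 only when all checks pass.
check_pw_history() {
    pam_file=$1; want=$2; opasswd=${3:-/etc/security/opasswd}
    rc=0
    # Step 1 of the message: the old-password file must exist.
    [ -f "$opasswd" ] || { echo "FAIL: $opasswd does not exist"; rc=1; }
    awk -v want="$want" '
        $1 != "password" && $1 != "-password" { next }   # password stack only
        {
            for (i = 2; i <= NF; i++) {
                # cracklib only counts if it appears before pam_unix
                if ($i ~ /pam_cracklib\.so$/ && !unix_seen) cracklib_first = 1
                if ($i ~ /pam_unix\.so$/) {
                    unix_seen = 1
                    for (j = i + 1; j <= NF; j++)
                        if ($j ~ /^remember=[0-9]+$/) remember = substr($j, 10) + 0
                }
            }
        }
        END {
            if (!unix_seen) { print "FAIL: no pam_unix line in password stack"; bad = 1 }
            else if (remember + 0 < want + 0) {
                print "FAIL: pam_unix remember=" (remember + 0) ", want >= " want; bad = 1
            }
            if (!cracklib_first) { print "FAIL: pam_cracklib is not stacked before pam_unix"; bad = 1 }
            exit bad + 0
        }' "$pam_file" || rc=1
    return "$rc"
}

# Constructed sample stacks (not taken from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
: > "$demo_dir/opasswd"
cat > "$demo_dir/good" <<'EOF'
password  requisite   pam_cracklib.so retry=3
password  sufficient  pam_unix.so nullok use_authtok md5 shadow remember=4
password  required    pam_deny.so
EOF
sed 's/ remember=4//' "$demo_dir/good" > "$demo_dir/weak"
check_pw_history "$demo_dir/good" 4 "$demo_dir/opasswd" && echo "good: OK"
check_pw_history "$demo_dir/weak" 4 "$demo_dir/opasswd" || echo "weak: needs fixing"
```

On a real host the call would be `check_pw_history /etc/pam.d/system-auth 4`, using the file named in step 2 and the default old-password path from step 1.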