The requirement here is that a user must not reuse any of their last 10 passwords when setting a new one. If the user tries to set a password that was used in the last 10 changes, the error shown below is reported:
Changing password for user test.
New UNIX password:
Retype new UNIX password:
Password has been already used.
passwd: all authentication tokens updated successfully.
This is a security measure that prevents users from cycling back to old passwords each time their password expires. Follow the steps below to set this restriction on passwords.
1. Modify the file /etc/pam.d/system-auth so that it includes the PAM module pam_pwhistory after the first occurrence of the password requisite line:
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    requisite     pam_pwhistory.so debug use_authtok remember=10 retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
2. Now attempt to change the password of a user:
# passwd test
[Enter an already used password]
The system now reports that the password has already been used in the past.
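To confirm the configuration from step 1 without reading the file by eye, here is an added audit script (not from the original article) that checks the password stack of a PAM file. It assumes the system-auth layout shown above: it verifies that pam_pwhistory.so is placed after pam_pwquality.so and before pam_unix.so with remember set to at least 10, and it warns when enforce_for_root is absent, because pam_pwhistory then only warns root instead of rejecting the reused password.

```shell
# pwhistory_audit.sh: audit the "password" stack of a PAM file for the
# pam_pwhistory.so line from step 1. Added example, not from the original
# article; it assumes the system-auth layout shown there.

# check_pwhistory FILE MIN_REMEMBER
# Exit 0 when pam_pwhistory.so sits after pam_pwquality.so and before
# pam_unix.so with remember=N, N >= MIN_REMEMBER; exit 1 (with a reason) otherwise.
check_pwhistory() {
    awk -v want="${2:-10}" '
        /^[ \t]*#/ || $1 != "password" { next }   # skip comments and other stacks
        {   # module = first field ending in .so; the control field may be
            # bracketed, e.g. [success=1 default=ignore], so do not trust $3
            mod = ""
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
        }
        mod ~ /pam_pwquality\.so$/ && !quality   { quality = NR }
        mod ~ /pam_unix\.so$/      && !unix_line { unix_line = NR }
        mod ~ /pam_pwhistory\.so$/ && !history {
            history = NR
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^remember=[0-9]+$/) remember = substr($i, 10)
                if ($i == "enforce_for_root") efr = 1
            }
        }
        END {
            if (!history) { print "FAIL: no pam_pwhistory.so in the password stack"; exit 1 }
            if (quality && history < quality) { print "FAIL: pam_pwhistory.so must follow pam_pwquality.so (it relies on use_authtok)"; exit 1 }
            if (unix_line && unix_line < history) { print "FAIL: pam_pwhistory.so is listed after pam_unix.so, so the password is set before the history check"; exit 1 }
            if (remember == "") { print "FAIL: remember= is not set on the pam_pwhistory.so line"; exit 1 }
            if (remember + 0 < want + 0) { print "FAIL: remember=" remember " is below " want; exit 1 }
            if (!efr) print "WARN: enforce_for_root not set; root is only warned when reusing a password"
            print "OK: pam_pwhistory.so enforces remember=" remember
        }' "$1"
}

# Constructed sample mirroring the password stack from step 1 (not a live file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password requisite pam_pwhistory.so debug use_authtok remember=10 retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
EOF
check_pwhistory "$sample" 10
rm -f "$sample"
```

Point check_pwhistory at /etc/pam.d/system-auth to audit a real system; the constructed sample only exists so the script runs stand-alone.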