How to Prevent Users from Reusing Their Last 10 Passwords on CentOS / RHEL 7

The requirement is that a user must not reuse any of their last 10 passwords when setting a new one. If the user tries to set a password that appears among those 10, the change is rejected with the error shown below:

Changing password for user test.
New UNIX password: 
Retype new UNIX password: 
Password has been already used.
passwd: all authentication tokens updated successfully.

Password history is a control against password cycling: without it, a user whose password has expired can simply switch back to a previous password, so a credential that was already exposed stays in use. Follow the steps below to enforce the restriction.

1. Modify /etc/pam.d/system-auth so that the password stack includes the pam_pwhistory module immediately after the first "password requisite" line (pam_pwquality.so) and before pam_unix.so. The order matters: pam_unix.so is marked "sufficient", so a history line placed after it would never be consulted. Note the header of the file: authconfig regenerates it, so re-running authconfig can discard this change. On RHEL 7, /etc/pam.d/password-auth is the equivalent stack used by network services such as sshd; add the same line there if password changes made through those services should also be covered.

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    requisite     pam_pwhistory.so debug use_authtok remember=10 retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

2. Now attempt to change the password of a user, supplying one of that user's previous passwords:

# passwd test
[Enter already used password]

The system rejects the change with an error stating that the password has already been used:

Changing password for user test.
New UNIX password: 
Retype new UNIX password: 
Password has been already used.
passwd: all authentication tokens updated successfully.
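As an added example that is not part of the original article, the following POSIX shell check audits a password stack configured as in the steps above: it confirms that pam_pwhistory.so is present, that it remembers at least the required number of passwords, and that it precedes the "sufficient" pam_unix.so line. The file path argument and the two sample stacks written with mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a PAM "password" stack.
# Usage: check_pwhistory FILE [MIN]  -> exit 0 when compliant, 1 with a reason otherwise.
check_pwhistory() {
    file="$1"
    min="${2:-10}"
    awk -v min="$min" '
        # Locate the module field by its .so suffix so that a bracketed control
        # such as [success=1 default=ignore] does not shift the column.
        $1 == "password" {
            n++
            mod = ""
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; m = i; break }
            if (mod == "pam_pwhistory.so") {
                hist = n
                rem = 10   # documented default of pam_pwhistory when remember= is absent
                for (i = m + 1; i <= NF; i++)
                    if ($i ~ /^remember=/) { split($i, kv, "="); rem = kv[2] + 0 }
            }
            if (mod == "pam_unix.so" && !upos) upos = n
        }
        END {
            if (!hist)               { print "FAIL: pam_pwhistory.so not in password stack"; exit 1 }
            if (rem < min)           { print "FAIL: remember=" rem " is below required " min; exit 1 }
            if (upos && hist > upos) { print "FAIL: pam_pwhistory.so must precede pam_unix.so"; exit 1 }
            print "OK: the last " rem " passwords are rejected on change"
        }' "$file"
}

# Constructed sample 1: the password stack shown in the article.
good=$(mktemp)
cat > "$good" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    requisite     pam_pwhistory.so debug use_authtok remember=10 retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
# Constructed sample 2: history line placed after the "sufficient" pam_unix.so,
# where a successful pam_unix.so ends the stack before history is consulted.
bad=$(mktemp)
cat > "$bad" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    requisite     pam_pwhistory.so use_authtok remember=10
EOF
for f in "$good" "$bad"; do
    if check_pwhistory "$f" 10; then :; else echo "   (stack in $f is non-compliant)"; fi
done
rm -f "$good" "$bad"
```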
