pam_cracklib password history

Scott Ruckh sruckh at gemneye.org
Wed Mar 28 05:23:47 UTC 2007


lists at trcintl.com wrote:
> I have been attempting to enable pam_cracklib to check a password in a password history file with no luck.  No matter what I seem to try, nothing is ever added to the opasswd file.  I have tried this on several stations with no luck so I must be missing something.  I have been following the documentation a the following URL:
> www.deer-run.com/~hal/sysadmin/pam_cracklib.html
>
> The problem is I can't seem to get it to work.  So, I loaded up a test machine from scratch using RHEL 4.4 with all updates as of 3-14-07.  I then did the following:
>
> 1.)  touch /etc/security/opasswd	{creates the necessary old password file}
> 2.)  chown root:root /etc/security/opasswd
> 3.)  chmod 600 /etc/security/opasswd
> Note I have opened the permissions up on this file for testing with no more luck.
> 4.)  I modified the system-auth file which I'm pretty sure is the file this flavor of Linux uses with the following line:
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
>
>
> Here is the entire file.  The only thing changed from the default file is the line above.  I simply added remember=12 to it.
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
>
> If I change the line above from sufficient to required as in the example on the site referenced above such as follows:
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
>
> I then get the error:
> passwd:  Authentication token manipulation error
> {This tells me I must be editing the correct file}
>
> What do I need to do to create the password history file using pam_cracklib?
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
>   
Kyle, I believe you need to add your 'remember=12' flag to the account 
section and not where you have it now (in the password section).

I do not believe this section from the Linux PAM Administrators' Guide 
is very clear.

The account component performs the task of establishing the status of 
the user's account and password based on the following shadow elements: 
expire, last_change, max_change, min_change, warn_change. In the case of 
the latter, it may offer advice to the user on changing their password 
or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the 
user until they have established a new password. The entries listed 
above are documented in the shadow(5) manual page. Should the user's 
record not contain one or more of these entries, the corresponding 
shadow check is not performed.
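As an added example for this thread (not code from the list, from the original poster, or from Linux-PAM), the short Python checker below verifies the two things the question sets up: whether the `password` stack carries a `pam_unix.so` line with `remember=N`, and whether `/etc/security/opasswd` exists with root:root ownership and mode 0600. It uses only the standard library; the embedded `system-auth` text is the one quoted in the question, and the placement check follows pam_unix(8), which lists `remember=` among the options of the password component. The history-file path and the default `system-auth` path are assumptions taken from the question.

```python
"""Check a PAM stack for pam_unix's remember=N option and check the
ownership/mode of /etc/security/opasswd.  Added example for this
thread; not code from the list or from Linux-PAM."""
import os
import re
import stat
import sys

# Constructed input: the RHEL 4 system-auth quoted in the original post.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
"""


def parse_pam_stack(text):
    """Yield (type, control, module basename, [args]) per non-comment line.
    A bracketed control field like "[success=1 default=ignore]" is kept
    as one token; the $ISA directory is dropped with the rest of the path."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        ptype, control, module, rest = m.groups()
        yield ptype.lower(), control, os.path.basename(module), rest.split()


def remember_setting(text):
    """Return N from remember=N on a password-type pam_unix.so line, or
    None when no such line carries the option.  pam_unix(8) documents
    remember= under the password component, which is what writes the
    history to /etc/security/opasswd."""
    for ptype, _control, module, args in parse_pam_stack(text):
        if ptype != "password" or module != "pam_unix.so":
            continue
        for arg in args:
            if arg.startswith("remember="):
                try:
                    return int(arg.split("=", 1)[1])
                except ValueError:
                    return None
    return None


def opasswd_problems(mode, uid, gid):
    """List problems with the history file's raw stat values.  Expected
    state is the one the question sets up: owner root:root, mode 0600."""
    problems = []
    if uid != 0 or gid != 0:
        problems.append("owner is not root:root")
    if stat.S_IMODE(mode) != 0o600:
        problems.append("mode is %o, expected 600" % stat.S_IMODE(mode))
    return problems


def check_opasswd(path="/etc/security/opasswd"):
    """Stat the history file (assumed path) and report problems."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    return opasswd_problems(st.st_mode, st.st_uid, st.st_gid)


if __name__ == "__main__":
    # Usage: python check_history.py [/etc/pam.d/system-auth]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pam.d/system-auth"
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:
        print("cannot read %s (%s); using the sample stack" % (path, exc))
        text = SAMPLE_SYSTEM_AUTH
    n = remember_setting(text)
    print("remember= on password pam_unix line:", n if n is not None else "missing")
    for p in check_opasswd():
        print("opasswd:", p)
```

Run it against a real `system-auth` to see whether the option sits on the password-type `pam_unix.so` line; the sample stack in the question reports `remember=12` and the history file is checked separately for ownership and mode.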
