Enforce "cannot reuse the last 2 passwords" password rule

Currently the "remember" attribute in pam_pwhistory configuration
is set to "2", which enforces "cannot reuse the last 1 passwords"
in history instead of "cannot reuse the last 2 passwords" stated
in the security document.

This update changed "remember" attribute to "3" so that the rule
complies with the document.

Closes-Bug: 1924772
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I340152f8b8a572bc1e86f1eb4a14eb8e392f6334
Andy Ning 2021-04-16 10:46:13 -04:00
parent e87383f6c3
commit 7877dbc6ba
1 changed file with 2 additions and 4 deletions
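The commit message relies on one detail of pam_pwhistory: the history in /etc/security/opasswd also holds the current password, so remember=N rejects only the N-1 previous passwords. The audit script below is an added example for this page, not part of the StarlingX change or of pam_pwhistory; it parses a PAM "password" stack, reports how many previous passwords the pam_pwhistory line actually blocks under that interpretation, and flags the related options (control flag, use_authtok, enforce_for_root) that a reviewer would check alongside remember=. The sample stacks are the old and new configuration lines from the diff on this page; the function names and the required_previous parameter are this example's own.

```python
"""Audit a PAM 'password' stack for the pam_pwhistory reuse rule.

Hypothetical helper written for this page (not StarlingX or pam_pwhistory
code). It assumes the semantics the commit message describes: pam_pwhistory
saves the *current* password into /etc/security/opasswd before checking the
new one, so remember=N keeps N entries, one of which is the current
password, and therefore blocks only the N-1 previous passwords.
"""
import re
import shlex

# Sample input: the 'password' stack as it stood before this change
# (lines copied from the diff on this page, remember=2).
PAM_BEFORE = """\
password required pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
password required pam_pwhistory.so use_authtok enforce_for_root remember=2 retry=3 debug
password sufficient pam_unix.so sha512 use_authtok debug
password [success=done authtok_err=die perm_denied=die default=ignore] pam_ldap.so use_authtok debug
# If we got this far then its clearly a DENY
password requisite pam_deny.so
"""
# The same stack after the change (remember=3).
PAM_AFTER = PAM_BEFORE.replace("remember=2", "remember=3")

# type, then a control flag (a bare word or a [bracketed] list), then module, then options.
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_stack(text):
    """Return a list of (type, control, module, options) for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if not m:
            continue
        ptype, control, module, rest = m.groups()
        module = module.rsplit("/", 1)[-1]  # tolerate an absolute module path
        options = {}
        for tok in shlex.split(rest):
            key, sep, val = tok.partition("=")
            options[key] = val if sep else True  # bare flags such as 'debug' -> True
        entries.append((ptype, control, module, options))
    return entries


def pwhistory_entries(text):
    """All pam_pwhistory.so lines in the 'password' stack."""
    return [e for e in parse_pam_stack(text)
            if e[0] == "password" and e[2] == "pam_pwhistory.so"]


def previous_passwords_blocked(text):
    """How many *previous* passwords pam_pwhistory rejects (0 if the module is absent)."""
    hist = pwhistory_entries(text)
    if not hist:
        return 0
    opts = hist[0][3]
    remember = int(opts.get("remember", 10))  # pam_pwhistory's documented default is 10
    return max(remember - 1, 0)  # one stored entry is the current password (assumption above)


def audit(text, required_previous=2):
    """Return findings as strings; an empty list means the stack meets the stated rule."""
    hist = pwhistory_entries(text)
    if not hist:
        return ["pam_pwhistory.so is not in the password stack"]
    _, control, _, opts = hist[0]
    findings = []
    blocked = previous_passwords_blocked(text)
    if blocked < required_previous:
        findings.append(
            f"remember={opts.get('remember')} blocks only the last {blocked} password(s); "
            f"need {required_previous} -> set remember={required_previous + 1}")
    if control not in ("required", "requisite"):
        findings.append(f"pam_pwhistory control is '{control}'; a history match may not fail the change")
    if "use_authtok" not in opts:
        findings.append("pam_pwhistory lacks use_authtok; it would prompt for its own new password "
                        "instead of checking the one pam_pwquality accepted")
    if "enforce_for_root" not in opts:
        findings.append("pam_pwhistory lacks enforce_for_root; root may reuse passwords")
    return findings


if __name__ == "__main__":
    for label, stack in (("before", PAM_BEFORE), ("after", PAM_AFTER)):
        print(label, previous_passwords_blocked(stack), audit(stack) or "OK")
```

Run it against a real file with `audit(open("/etc/pam.d/common-password").read())` (or whichever file carries the password stack on the target); a non-empty list is the finding to raise. The count it reports is only as good as the assumption in the docstring, so confirm it once on a test host by changing a password three times and checking which of the earlier values is accepted again.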


@ -23,16 +23,14 @@
## minimum length of 7 characters. A user may not re-use the last most #
## recent password and every password must differ from its previous #
## one by atleast 3 characters #
## - Added enforce_for_root for pam_pwquality.so #
## - Added enforce_for_root for pam_pwquality.so #
########################################################################
password required pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
password required pam_pwhistory.so use_authtok enforce_for_root remember=2 retry=3 debug
password required pam_pwhistory.so use_authtok enforce_for_root remember=3 retry=3 debug
password sufficient pam_unix.so sha512 use_authtok debug
password [success=done authtok_err=die perm_denied=die default=ignore] pam_ldap.so use_authtok debug
# If we got this far then its clearly a DENY
password requisite pam_deny.so
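Review bot: the header comment at the top of this hunk ("A user may not re-use the last most recent password") still describes the remember=2 behaviour that the pam_pwhistory line below it replaces, so the file now documents one rule and enforces another; update it in the same change to match the commit message, e.g. "A user may not re-use either of the last two passwords", and while touching that block fix "atleast" to "at least" and drop the duplicated "- Added enforce_for_root for pam_pwquality.so" line that appears twice in the comment.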