From 7877dbc6baec4e3214a12ac0ae44db5491a22e9d Mon Sep 17 00:00:00 2001 From: Andy Ning Date: Fri, 16 Apr 2021 10:46:13 -0400 Subject: [PATCH] Enforce "cannot reuse the last 2 passwords" password rule Currently the "remember" attribute in pam_pwhistory configuration is set to "2", which enforces "cannot reuse the last 1 passwords" in history instead of "cannot reuse the last 2 passwords" stated in security document. This update changed "remember" attribute to "3" so that the rule complies with the document. Closes-Bug: 1924772 Signed-off-by: Andy Ning Change-Id: I340152f8b8a572bc1e86f1eb4a14eb8e392f6334 --- pam-config/files/common-password | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/pam-config/files/common-password b/pam-config/files/common-password index cfb100f..fe290b3 100755 --- a/pam-config/files/common-password +++ b/pam-config/files/common-password @@ -23,16 +23,14 @@ ## minimum length of 7 characters. A user may not re-use the last most # ## recent password and every password must differ from its previous # ## one by atleast 3 characters # -## - Added enforce_for_root for pam_pwquality.so # +## - Added enforce_for_root for pam_pwquality.so # ######################################################################## password required pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug -password required pam_pwhistory.so use_authtok enforce_for_root remember=2 retry=3 debug +password required pam_pwhistory.so use_authtok enforce_for_root remember=3 retry=3 debug password sufficient pam_unix.so sha512 use_authtok debug password [success=done authtok_err=die perm_denied=die default=ignore] pam_ldap.so use_authtok debug - - # If we got this far then its clearly a DENY password requisite pam_deny.so
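Review bot: the comment block in this hunk still documents the old policy ("A user may not re-use the last most # ## recent password") and should be updated together with the remember=2 to remember=3 change, otherwise the file describes a different rule than it enforces; the same block carries the typo "atleast". The commit message rests on the claim that remember=2 only blocks one previous password, so state how that was verified: pam_pwhistory's remember=N counts entries kept in /etc/security/opasswd, and the password being replaced is saved there before the new one is checked against the history, so whether the security document's "last 2 passwords" includes the current password decides whether 3 is the correct value. The `-## - Added enforce_for_root for pam_pwquality.so #` / `+## - Added enforce_for_root for pam_pwquality.so #` pair is a whitespace-only change and the two removed blank lines are unrelated cleanup; either mention them in the message or drop them so the diff contains only the policy change.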