Linux: Password Reuse

From OnnoWiki

Source: https://www.cyberciti.biz/tips/how-to-linux-prevent-the-reuse-of-old-passwords.html

Linux: Prevent From Using Or Reuse Same Old Passwords
Posted on September 27, 2006 in Categories Debian Linux, Linux, PAM, Security, Ubuntu Linux; last updated September 27, 2006

PAM is a flexible mechanism for authenticating users. For example, you can prevent users from reusing recent passwords. This is done with the remember option of the pam_unix or pam_unix2 (part of certain enterprise distros) PAM module. In this quick blog post I am going to explain how to restrict the use of previous passwords using pam_unix.so.

More about pam_unix/pam_unix2 module

This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as to authenticate. Usually this information is obtained from /etc/passwd and, if shadow passwords are enabled, from /etc/shadow as well.

This module provides functionality for PAM such as authentication, account management and more. The same module can be used to maintain a list of old passwords for every user, which is useful if you want to disallow the use of old passwords. The old password list is located in the /etc/security/opasswd file.

Configuration files

You need to edit the following files:

   /etc/login.defs – Shadow password suite configuration
   /etc/pam.d/common-auth – OpenSuse/Suse Enterprise Linux pam config file.
   /etc/pam.d/system-auth – CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.
   /etc/pam.d/common-password – Debian / Ubuntu Linux pam config file.
   /etc/security/opasswd – Store old passwords.

Finding pam_unix.so or pam_unix2.so file location

Type the following find command:

   # NOTE: on a modern Linux distro you do not need to set a full path
   ## 64 bit distro
   find / -iname "pam_unix.so"
   find / -iname "pam_unix2.so"

   ## 32 bit distro
   find / -iname "pam_unix.so"
   find / -iname "pam_unix2.so"

Sample outputs:

Fig. 01: Finding pam_unix full path on a Linux.

Step 1: How to limit password reuse on Linux

On Debian / Ubuntu Linux, back up and open your /etc/pam.d/common-password file:

   cp /etc/pam.d/common-password /root/common-password.bak
   vi /etc/pam.d/common-password

If you are using CentOS / RHEL / RedHat / Fedora Linux, edit the /etc/pam.d/system-auth file:

   cp /etc/pam.d/system-auth /root/system-auth.bak
   vi /etc/pam.d/system-auth

OpenSUSE/SUSE Linux users, edit /etc/pam.d/common-auth:

   cp /etc/pam.d/common-auth /root/common-auth.bak
   vi /etc/pam.d/common-auth

Edit/add the password line and append remember=13 to prevent a user from re-using any of his or her last 13 passwords:

   password sufficient pam_unix.so use_authtok md5 shadow remember=13

If you are using pam_unix2.so, update it as follows:

   password sufficient pam_unix2.so use_authtok md5 shadow remember=13

Save and close the file. Please note that the last 13 passwords for each user are saved in the /etc/security/opasswd file; this enforces a password change history and keeps the user from alternating between the same passwords too frequently.

Step 2: Enable password aging

In this example, pam_unix.so/pam_unix2.so is configured to remember 13 passwords. Combined with a minimum of 7 days between password changes, a user cannot return to the same password for at least 3 months (13*7=91 days = 3 months).

Edit /etc/login.defs, enter:

   vi /etc/login.defs

Set the minimum number of days allowed between password changes (PASS_MIN_DAYS to 7); note that login.defs separates a key from its value with whitespace, not an equals sign:

   # Minimum number of 7 days before a user can change the password since the last change
   PASS_MIN_DAYS   7

Save and close the file.

Step 3: /etc/security/opasswd

If the file /etc/security/opasswd does not exist, create it using touch or a shell redirection:

   [ ! -f /etc/security/opasswd ] && touch /etc/security/opasswd

OR

   [ ! -f /etc/security/opasswd ] && >/etc/security/opasswd

Use the following ls command to verify file permissions:

   ls -lZ /etc/security/opasswd

Sample outputs from RHEL SELinux enabled systems:

-rw-------. root root system_u:object_r:shadow_t:s0 /etc/security/opasswd
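The three settings from Steps 1 to 3 can be verified without changing anything. The script below is an added audit example, not code from the original article or from cyberciti.biz: it assumes a Linux system with GNU coreutils (stat -c), takes the file paths and thresholds as arguments (Debian/Ubuntu locations when run live), and the function names and the PAM_AUDIT_LIVE variable are my own.

```shell
#!/bin/sh
# Added audit example (not from the original article): checks the pam_unix
# remember= option, PASS_MIN_DAYS in login.defs, and the opasswd file mode/owner.
# Assumes GNU coreutils (stat -c); function names and PAM_AUDIT_LIVE are my own.

# pam_remember_count FILE
# Print the N from "remember=N" on the uncommented pam_unix/pam_unix2 password
# line of FILE, or 0 if no remember option is configured or FILE is unreadable.
pam_remember_count() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_unix2?\.so' "$1" 2>/dev/null \
        | grep -oE 'remember=[0-9]+' | head -n 1 | cut -d= -f2 | grep . || echo 0
}

# pass_min_days FILE
# Print PASS_MIN_DAYS from a login.defs-style file (name and value separated by
# whitespace; comment lines start with #), or 0 if unset or FILE is unreadable.
pass_min_days() {
    [ -r "$1" ] || { echo 0; return; }
    awk '$1 == "PASS_MIN_DAYS" { v = $2 } END { print (v == "" ? 0 : v) }' "$1"
}

# opasswd_check FILE [OWNER]
# Succeed only if FILE exists, has mode 0600 and is owned by OWNER (default root),
# i.e. matches the "-rw------- root root" sample output shown in the article.
opasswd_check() {
    file=$1; owner=${2:-root}
    [ -f "$file" ] || return 1
    info=$(stat -c '%a %U' "$file" 2>/dev/null) || return 1
    [ "$info" = "600 $owner" ]
}

# audit_password_reuse PAM_FILE LOGIN_DEFS OPASSWD [MIN_REMEMBER] [MIN_DAYS] [OWNER]
# Print one OK/FAIL line per check; the return value is the number of failed checks.
audit_password_reuse() {
    pam_file=$1; login_defs=$2; opasswd=$3
    min_remember=${4:-13}; min_days=${5:-7}; want_owner=${6:-root}
    failures=0

    n=$(pam_remember_count "$pam_file")
    if [ "$n" -ge "$min_remember" ]; then
        echo "OK   $pam_file: remember=$n"
    else
        echo "FAIL $pam_file: remember=$n (expected >= $min_remember)"
        failures=$((failures + 1))
    fi

    d=$(pass_min_days "$login_defs")
    if [ "$d" -ge "$min_days" ]; then
        echo "OK   $login_defs: PASS_MIN_DAYS $d"
    else
        echo "FAIL $login_defs: PASS_MIN_DAYS $d (expected >= $min_days)"
        failures=$((failures + 1))
    fi

    if opasswd_check "$opasswd" "$want_owner"; then
        echo "OK   $opasswd: mode 0600, owner $want_owner"
    else
        echo "FAIL $opasswd: missing, not mode 0600, or not owned by $want_owner"
        failures=$((failures + 1))
    fi
    return $failures
}

# Run against the live system only when asked, e.g. as root:
#   PAM_AUDIT_LIVE=1 sh pam-audit.sh
# On RHEL-style systems set PAM_FILE=/etc/pam.d/system-auth; on SUSE use
# /etc/pam.d/common-auth, as listed under "Configuration files" above.
if [ "${PAM_AUDIT_LIVE:-0}" = 1 ]; then
    audit_password_reuse "${PAM_FILE:-/etc/pam.d/common-password}" \
        /etc/login.defs /etc/security/opasswd 13 7 root
fi
```

The exit status of audit_password_reuse is the number of failed checks, so the script drops into a cron job or a configuration-management check unchanged. It only verifies remember= and the aging/permission settings; it does not inspect the hash option on the password line, and the md5 option in the article's 2006-era line should be read in that context, since current pam_unix releases also accept sha512.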

Test it

The Linux system will now remember the last 13 passwords. If a user tries to reuse any of the last 13 old passwords, he or she will get the following error message on screen:

   Password has been already used. Choose another.

And there you have it. pam_unix.so/pam_unix2.so is now configured with the number of previous passwords that cannot be reused. I also suggest that you use the pam_cracklib Linux PAM module to set password quality requirements.

References