5.4.3 Ensure password reuse is limited
Audit
Run the following command:
# grep -P '^\h*password\h+([^#\n\r]+\h+)?pam_pwhistory\.so\h+([^#\n\r]+\h+)?remember=([5-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password
password required pam_pwhistory.so remember=5
Ensure the remember option is 5 or more and follows your site policy.
Remediation
NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lockouts. This is an example configuration; your configuration may differ based on previous changes to the files.
Edit the /etc/pam.d/common-password file to include the remember= option with a value of 5 or more. If this line doesn't exist, add it directly above the line: password [success=1 default=ignore] pam_unix.so obscure yescrypt
Example:
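The audit above depends on grep -P (PCRE) for the \h tokens. As an added example that is not part of the benchmark text, the following POSIX shell function performs the same check with awk: it ignores comments, looks for a password line that loads pam_pwhistory.so, and verifies that its remember= value meets the minimum (5 by default). The file path and the sample common-password content are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the benchmark. Returns 0 when the PAM password stack
# file given as $1 contains an uncommented line of the form
#   password <control> pam_pwhistory.so ... remember=N ...
# with N >= $2 (default 5), and 1 otherwise.
pwhistory_remember_ok() {
  awk -v min="${2:-5}" '
    { sub(/#.*/, "") }                     # strip trailing comments
    $1 == "password" {
      has_mod = 0; val = -1
      for (i = 2; i <= NF; i++) {
        if ($i == "pam_pwhistory.so") has_mod = 1
        else if ($i ~ /^remember=[0-9]+$/) val = substr($i, 10) + 0
      }
      if (has_mod && val >= min) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Demonstration on a constructed copy of common-password (not a real system file).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample: pwhistory line placed above the pam_unix line
password required pam_pwhistory.so remember=5
password [success=1 default=ignore] pam_unix.so obscure yescrypt
EOF
if pwhistory_remember_ok "$demo_file"; then
  echo "PASS: pam_pwhistory.so remember option is 5 or more"
else
  echo "FAIL: pam_pwhistory.so remember option missing or below 5"
fi
rm -f "$demo_file"
```

Run it against the real file with `pwhistory_remember_ok /etc/pam.d/common-password` on a system that uses that stack; a commented-out pwhistory line or a value such as remember=3 is reported as a failure.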