Information
If the pwhistory enforce_for_root option is enabled, the module will enforce password history for the root user as well
Requiring users not to reuse their passwords make it less likely that an attacker will be able to guess the password or use a compromised password
Note: These change only apply to accounts configured on the local system.
Solution
Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth:
Add the following line to the password section:
password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
Example password section:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 #<- added pam_pwquality.so line
password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so
Note: the use_authtok option should exist on all password lines except the first entry and the pam_deny.so line