5.3.4 Ensure password reuse is limited

Information

The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.

Notes:

Additional module options may be set, recommendation only covers those listed here.

This setting only applies to local accounts.

This option is configured with the remember=n module option in /etc/pam.d/system-auth and /etc/pam.d/password-auth

This option can be set with either one of the two following modules:

pam_pwhistory.so - This is the newer and more common method.

pam_unix.so - This is the older method.

Rationale:

Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password.

Solution

Edit both the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown:
Note: Add or modify the line containing the pam_pwhistory.so or pam_unix.so pam module **after the first occurrence of password requisite:
If pam_pwhistory.so is used:

password required pam_pwhistory.so remember=5

Example: (Second line is modified)

password requisite pam_pwquality.so try_first_pass local_users_only authtok_type=
password required pam_pwhistory.so use_authtok remember=5 retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

OR
If pam_unix.so is used:

password sufficient pam_unix.so remember=5

Example: (Second line is modified)

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 use_authtok
password required pam_deny.so

See Also

https://workbench.cisecurity.org/files/2925

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|16

Plugin: Unix

Control ID: 5d1dc150b102beb676ee5b830630c0b97f468fd2b2887fdb47c6f7d60c7f1091