pam_cracklib password history

lists@xxxxxxxxxxx · Tue, 27 Mar 2007 14:40:20 -0500

I have been attempting to enable pam_cracklib to check a password in a password history file with no luck.  No matter what I seem to try, nothing is ever added to the opasswd file.  I have tried this on several stations with no luck so I must be missing something.  I have been following the documentation a the following URL:
www.deer-run.com/~hal/sysadmin/pam_cracklib.html

The problem is I can't seem to get it to work.  So, I loaded up a test machine from scratch using RHEL 4.4 with all updates as of 3-14-07.  I then did the following:

1.)  touch /etc/security/opasswd	{creates the necessary old password file}
2.)  chown root:root /etc/security/opasswd
3.)  chmod 600 /etc/security/opasswd
Note I have opened the permissions up on this file for testing with no more luck.
4.)  I modified the system-auth file which I'm pretty sure is the file this flavor of Linux uses with the following line:
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12

Here is the entire file.  The only thing changed from the default file is the line above.  I simply added remember=12 to it.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

If I change the line above from sufficient to required as in the example on the site referenced above such as follows:
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12

I then get the error:
passwd:  Authentication token manipulation error
{This tells me I must be editing the correct file}

What do I need to do to create the password history file using pam_cracklib?

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list