Question: How to change the password policy on a system so that a user cannot choose any of the last 3 passwords previously used?
1. Make sure that the file /etc/security/opasswd has the default permission (600).
# ls -l /etc/security/opasswd
-rw------- 1 root root 116 Sep 8 14:52 /etc/security/opasswd
2. Ensure you backup the file /etc/pam.d/system-auth:
# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.old
3. Modify the file /etc/pam.d/system-auth in vi editor and change the line containing:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
as:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3
4. Save and quit the editor (:wq!).
5. Then log in as any non-root user and try changing the password with the passwd command; if you reuse one of the previous old passwords it will reject it with the error "Password has been already used. Choose another."
$ passwd
Changing password for user test.
Changing password for test.
(current) UNIX password:
New password:
Retype new password:
Password has been already used. Choose another.
Password:
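The steps above are manual; as an added example (not part of the original answer), the script below audits a PAM password stack for the remember= setting, applies it, and checks that the history file has the 600 mode from step 1. The file paths are parameters rather than the real /etc/pam.d/system-auth and /etc/security/opasswd, and the two-line PAM fragment at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original answer: audit and apply the
# pam_unix "remember=N" password-history setting. FILE arguments are
# assumptions; on a RHEL-style system they would be /etc/pam.d/system-auth
# and /etc/security/opasswd.

# Print the remember=N value from the pam_unix.so "password" line of FILE,
# or 0 if the module carries no remember= option (no history is enforced).
# Commented-out lines (#password ...) do not match $1 == "password".
pam_remember_count() {
    awk '$1 == "password" && /pam_unix\.so/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^remember=[0-9]+$/) { split($i, kv, "="); n = kv[2] }
         }
         END { print (n == "" ? 0 : n) }' "$1"
}

# Succeed when FILE exists with mode exactly 0600 (owner read/write only),
# which is what the history file /etc/security/opasswd should have so
# other users cannot read the stored old hashes. Ownership by root is
# checked separately on a real system (ls -l output in step 1).
history_file_mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 0600 -print)" ]
}

# Set remember=N on the pam_unix.so "password" line of FILE, replacing any
# existing remember= token. Writes through a temp file and renames, so a
# failed write never leaves the PAM stack truncated. The rewritten line is
# re-joined with single spaces.
set_remember() {
    f=$1; n=$2
    awk -v n="$n" '
        $1 == "password" && /pam_unix\.so/ {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i !~ /^remember=/) out = out (out == "" ? "" : " ") $i
            $0 = out " remember=" n
        }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# --- demo on a constructed copy of a system-auth password stack ---
demo_pam=$(mktemp)
cat > "$demo_pam" <<'EOF'
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
echo "history depth before: $(pam_remember_count "$demo_pam")"   # 0
set_remember "$demo_pam" 3
echo "history depth after:  $(pam_remember_count "$demo_pam")"   # 3
rm -f "$demo_pam"
```

Two practical notes: with remember=N, pam_unix stores the old password hashes in /etc/security/opasswd, so the 600 mode checked by history_file_mode_ok is what keeps those hashes from other local users. And on distributions that generate system-auth from a tool (authconfig, or authselect on newer releases), a hand edit can be overwritten the next time that tool runs, so re-run the audit function after any such change.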