Remembering Password History with passwdqc

I'm working in a government lab and am required to set up password history so that no password can be used twice for 24 generations. This works perfectly with pam_cracklib on Ubuntu, but that is not available in FreeBSD. Some say it is not possible to use passwdqc to implement password history requirements, but seeing that passwdqc was developed by DARPA, who has the same requirements that I do, I'm not really believing that there is no way to get the history in there somewhere.

Any suggestions?
 
Probably more than you bargained for, but read this bit of insight on pam_passwdqc(8) and password histories:

http://www.openwall.com/lists/owl-users/2007/06/24/1

Anyway, try a quick 'net search for "pam_passwdqc history". It appears you can stack pam_passwdqc(8) with pam_unix(8) to solve the problem - at least on Linux-PAM. I don't see a remember directive documented for UNIX PAM.

FWIW, I'm going to agree with Solar Designer on this one. It's a bull$%#@ "security feature". :)
 
I have implemented this on Linux already using pam_cracklib. It was rather painless. For some reason pam_cracklib is not available in the UNIX port tree.

I'll take a look at the site you recommended and see if it helps. Otherwise, I think I'll try getting the LDAP server to work, and from there implement "ppolicy" on the LDAP to remember password history. I know it is a BS security feature, but it's a federal regulation, so I have to do it.
 
If my post was ambiguous:

[Attached image: pam_unix.png]
 