https://dikapediav2.com/wiki/index.php?action=history&feed=atom&title=PamPam - Revision history2026-05-15T09:20:45ZRevision history for this page on the wikiMediaWiki 1.41.0https://dikapediav2.com/wiki/index.php?title=Pam&diff=146&oldid=prevArdika Sulistija: Created page with " ====Pam_unix==== pam_unix - Module for traditional password authentication https://linux.die.net/man/8/pam_unix You want to restrict Linux users from using previous 5 passwords when changing the password. As clarified over the chat, this is a system admin task outside of AWS scope of support. To assist you on best-effort basis, I found the link [1] with the steps to do the same. I was able to replicate it in my lab successfully using the following steps for Red Hat..."2024-09-11T14:19:55Z<p>Created page with " ====Pam_unix==== pam_unix - Module for traditional password authentication https://linux.die.net/man/8/pam_unix You want to restrict Linux users from using previous 5 passwords when changing the password. As clarified over the chat, this is a system admin task outside of AWS scope of support. To assist you on best-effort basis, I found the link [1] with the steps to do the same. I was able to replicate it in my lab successfully using the following steps for Red Hat..."</p>
<p><b>New page</b></p><div><br />
====Pam_unix====<br />
<br />
pam_unix - Module for traditional password authentication <br />
https://linux.die.net/man/8/pam_unix<br />
<br />
<br />
You want to restrict Linux users from using previous 5 passwords when changing the password. As clarified over the chat, this is a system admin task outside of AWS scope of support. To assist you on best-effort basis, I found the link [1] with the steps to do the same. I was able to replicate it in my lab successfully using the following steps for Red Hat 7.8<br />
<br />
1- Determine if the system is using pam_unix.so or pam_unix2.so files. My instance was using pam_unix.so<br />
<br />
# find / -iname "pam_unix.so"<br />
/usr/lib64/security/pam_unix.so<br />
<br />
2- Edit /etc/pam.d/system-auth and append remember=5 to the following password line<br />
<br />
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5<br />
<br />
3- Set password aging - I skipped this step<br />
<br />
4- Create the file /etc/security/opasswd and confirm its permissions:<br />
<br />
# [ ! -f /etc/security/opasswd ] && touch /etc/security/opasswd<br />
<br />
#ls -lZ /etc/security/opasswd<br />
-rw-------. root root system_u:object_r:shadow_t:s0 /etc/security/opasswd<br />
<br />
Then I switched my user to ec2-user and tried to change the password to the current one, and got an error:<br />
<br />
$ passwd<br />
Changing password for user ec2-user.<br />
Changing password for ec2-user.<br />
(current) UNIX password: <br />
New password: <br />
BAD PASSWORD: The password is the same as the old one<br />
<br />
<br />
<br />
[1] https://www.cyberciti.biz/tips/how-to-linux-prevent-the-reuse-of-old-passwords.html<br />
<br />
<br />
====Unable to login via console but you can SSH====<br />
----<br />
<br />
I experienced this on RHEL7<br />
<br />
If you are able to SSH into your VM over putty but you are unable to login via the console (in hyper-V, for example), you may get the error: <b>FAILED LOGIN SESSION FROM tty1 FOR <user>, Module is unknown</b>.<br />
<br />
This issue likely due to the configuration of your <b>/etc/pam.d/login</b> file.<br />
<br />
To fix this remove the following line from the <b>/etc/pam.d/login</b> file:<br />
auth required pam_securid.so<br />
<br />
Save the file and try again. It fixed the issue for me.</div>Ardika Sulistija