Pam
Pam_unix
pam_unix - Module for traditional password authentication https://linux.die.net/man/8/pam_unix
You want to restrict Linux users from reusing their previous 5 passwords when changing the password. As clarified over the chat, this is a system admin task outside the AWS scope of support. To assist you on a best-effort basis, I found the link [1] with the steps to do the same. I was able to replicate it in my lab successfully using the following steps for Red Hat 7.8.
1- Determine whether the system is using pam_unix.so or pam_unix2.so. My instance was using pam_unix.so:
- find / -iname "pam_unix.so"
/usr/lib64/security/pam_unix.so
2- Edit /etc/pam.d/system-auth and append remember=5 to the following password line:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
3- Set password aging (I skipped this step).
4- Create the file /etc/security/opasswd and confirm its permissions:
- [ ! -f /etc/security/opasswd ] && touch /etc/security/opasswd
- ls -lZ /etc/security/opasswd
-rw-------. root root system_u:object_r:shadow_t:s0 /etc/security/opasswd
Then I switched my user to ec2-user and tried to change the password to the current one, and got an error:
$ passwd
Changing password for user ec2-user.
Changing password for ec2-user.
(current) UNIX password:
New password:
BAD PASSWORD: The password is the same as the old one
[1] https://www.cyberciti.biz/tips/how-to-linux-prevent-the-reuse-of-old-passwords.html
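The steps above, as an added example that is not part of the original note: a small POSIX sh script that applies remember=N to the pam_unix password line of a PAM config file idempotently, creates the history file, and checks the result. The file path is an argument, so it can be tried on a copy before touching /etc/pam.d/system-auth. The sample system-auth content inside demo() is constructed for the example, not copied from a live host; the function names (has_remember, add_remember, ensure_opasswd) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original note): idempotently set remember=N on the
# pam_unix "password" line of a PAM config file and verify it.

# has_remember FILE N
# Succeeds when a "password" line that loads pam_unix.so carries remember=N.
has_remember() {
    awk -v want="remember=$2" '
        $1 == "password" {
            isunix = 0
            for (i = 2; i <= NF; i++) if ($i == "pam_unix.so") isunix = 1
            if (isunix) for (i = 2; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit !found }' "$1"
}

# add_remember FILE N
# Replace any existing remember= option on the pam_unix password line with
# remember=N, or append it if there is none. Other lines are left untouched,
# and rewriting through cat keeps the original file's mode and owner.
add_remember() {
    file=$1
    tmp=$(mktemp) || return 1
    awk -v n="$2" '
        $1 == "password" && $0 ~ /[[:space:]]pam_unix\.so([[:space:]]|$)/ {
            sub(/[[:space:]]+remember=[^[:space:]]*/, "")   # drop an existing remember=
            $0 = $0 " remember=" n
        }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# ensure_opasswd FILE
# Create the password-history file if it is missing and lock its mode to 0600.
# On the real system (/etc/security/opasswd) also run chown root:root and
# restorecon so the SELinux label is shadow_t, as shown in step 4 above.
ensure_opasswd() {
    [ -f "$1" ] || : > "$1"
    chmod 0600 "$1"
}

demo() {
    dir=$(mktemp -d)
    cfg=$dir/system-auth
    # Constructed sample of a RHEL 7 system-auth password stack (not from a live host)
    cat > "$cfg" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    add_remember "$cfg" 5
    add_remember "$cfg" 5        # second run changes nothing: still one remember= token
    has_remember "$cfg" 5 && echo "remember=5 is set:" && grep pam_unix "$cfg"
    ensure_opasswd "$dir/opasswd" && ls -l "$dir/opasswd"
    rm -rf "$dir"
}
demo
```

Two checks worth doing after applying this on a real host. First, the console output in the note above comes from the "same as the old one" check, which fires before the history is consulted; to exercise the history itself, change the password to a new value and then try to change it back to the previous one, which pam_unix rejects with "Password has been already used. Choose another." Second, on RHEL 7 the passwd command goes through /etc/pam.d/passwd, which includes system-auth, so editing system-auth is what matters for this test; pam_pwhistory.so is the dedicated history module on newer releases and takes the same remember= option if the pam_unix form is ever dropped.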
Unable to login via console but you can SSH
I experienced this on RHEL7
If you can SSH into your VM (over PuTTY, for example) but cannot log in via the console (in Hyper-V, for example), you may see this error in the auth log (/var/log/secure on RHEL): FAILED LOGIN SESSION FROM tty1 FOR <user>, Module is unknown.
This issue is likely due to the configuration of your /etc/pam.d/login file. "Module is unknown" is PAM's error for a module named in the stack that it could not load, and console login uses /etc/pam.d/login while sshd uses its own stack (/etc/pam.d/sshd), which is why SSH keeps working.
To fix this, remove the following line from /etc/pam.d/login (it references the RSA SecurID PAM module, which this system cannot load):
auth required pam_securid.so
Save the file and try again. It fixed the issue for me.
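The diagnosis behind that fix, as an added example that is not part of the original note: a POSIX sh script that walks a PAM config directory, pulls out every module each stack references, and reports the ones that do not exist in the given module directories. On the system described above it would print "login: pam_securid.so". The pam.d and security directories built inside demo() are constructed stand-ins for /etc/pam.d and /usr/lib64/security (the path the find in the first note returned), not copies of a host; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original note): find PAM stacks that reference a
# module PAM cannot load, the condition behind "Module is unknown".
# Real-system usage: missing_pam_modules /etc/pam.d /usr/lib64/security

# module_exists MODULE DIR...
# Absolute module paths are checked as-is; bare names are looked up in each DIR.
module_exists() {
    mod=$1; shift
    case $mod in
        /*) [ -f "$mod" ] && return 0; return 1 ;;
    esac
    for dir in "$@"; do
        [ -f "$dir/$mod" ] && return 0
    done
    return 1
}

# module_refs FILE
# Print the module named on each active (non-comment) line of one PAM file.
# The first token ending in .so is the module, which also handles "-session"
# lines and bracketed controls such as [success=1 default=ignore]; include and
# substack lines name another file, not a module, so they produce nothing.
module_refs() {
    awk '!/^[[:space:]]*#/ { for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }' "$1" | sort -u
}

# missing_pam_modules CONF_DIR MODULE_DIR...
# Print "file: module" for every referenced module that no MODULE_DIR provides.
missing_pam_modules() {
    conf=$1; shift
    for f in "$conf"/*; do
        [ -f "$f" ] || continue
        for mod in $(module_refs "$f"); do
            module_exists "$mod" "$@" || echo "$(basename "$f"): $mod"
        done
    done
}

demo() {
    root=$(mktemp -d)
    mkdir -p "$root/pam.d" "$root/security"
    # Constructed stand-ins for /etc/pam.d/login and system-auth (not from a host);
    # pam_securid.so is deliberately absent from the module directory.
    printf '%s\n' \
        'auth       required     pam_securid.so' \
        'auth       substack     system-auth' \
        'account    required     pam_nologin.so' \
        '-session   optional     pam_ck_connector.so' > "$root/pam.d/login"
    printf '%s\n' \
        'auth       required     pam_env.so' \
        'auth       sufficient   pam_unix.so nullok try_first_pass' \
        'password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok' > "$root/pam.d/system-auth"
    for m in pam_env.so pam_unix.so pam_nologin.so pam_ck_connector.so; do : > "$root/security/$m"; done
    missing_pam_modules "$root/pam.d" "$root/security"
    rm -rf "$root"
}
demo
```

An empty result means every stack can be loaded and the console failure lies elsewhere. A non-empty result names the exact file and module to remove, or the package to install: pam_securid.so is shipped by the RSA SecurID PAM agent, so if that agent is genuinely in use the right fix is to install it rather than drop the line.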