Restrict Users to Use Old Passwords

As per title. I found the following:

This is very useful if you want to disallow users to use same old passwords. The old password file is located at /etc/security/opasswd . This can be achieved by using PAM module.

Open ‘ /etc/pam.d/system-auth ‘ file under RHEL / CentOS / Fedora .

Add the following line to ‘ auth ‘ section.

auth sufficient likeauth nullok

Add the following line to ‘ password ‘ section to disallow a user from re-using last 5 password of his or her.

password sufficient nullok use_authtok md5 shadow remember=5

Only last 5 passwords are remember by server. If you tried to use any of last 5 old passwords, you will get an error like.

Password has been already used. Choose another.


Any thoughts on this pls?


The article is a bit old: I’m wondering if this works with our SSSD configuration :thinking: