Ubuntu – How to prevent users from changing their password to one of the last X passwords

gnomepasswordSecurity

I have an Ubuntu GNOME 15.10 with GNOME 3.18 system which I would like to set up so that the users using it cannot set a new password as one of the previous X passwords, how can this be achieved?

When I change my password, if it is too similar to my last my system does not allow me to change it to that password, it would be good if the answer could also show how to extend this so that the new password can also not be too similar to the previous X recorded passwords.

Note: The history of the last X passwords should not be stored in an insecure unencrypted manner, in fact they should probably be stored in the same or similar way to the way in which the current password is stored (as a salted hash).

I have used X to represent the number of passwords (this could be any value) because I want to be able to easily change the amount of passwords stored which cannot be used, and also so that others can easily take the answer and use it as they wish rather than having an answer which revolves around a very set value for X.

Information Update:

As requested here is the contents of my (excluding the comments at the top) /etc/pam.d/common-password file:

# here are the per-package modules (the "Primary" block)
password        [success=1 default=ignore]      pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional        pam_gnome_keyring.so
# end of pam-auth-update config

Best Answer

You can configure PAM to do this for you. Just open /etc/pam.d/common-password and append use_authtok to the first password line (the one which calls the pam_unix module) so that it looks somewhat like this:

password    [success=1 default=ignore]  pam_unix.so obscure sha512 use_authtok

Now add this line above the previously modified line:

password    required    pam_pwhistory.so  remember=X

where X is the number of previous passwords against which you want to check for a repeating password.

Here the previous X passwords will be stored in hashed form at the location /etc/security/opasswd

So you need to create the file if and only if it does not exist and assign it permission 600 (-rw-------):

sudo touch /etc/security/opasswd
sudo chmod 600 /etc/security/opasswd

Related Solutions

Ubuntu – Unlock all private keys on Ubuntu, entering password only once at login

1) After Creating the Public Key By Following,

The first step involves creating a set of RSA keys for use in authentication. This should be done on the client. To create your public and private SSH keys on the command-line:

mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa

You will be prompted for a location to save the keys, and a passphrase for the keys. This passphrase will protect your private key while it's stored on the hard drive and be required to use the keys every time you need to login to a key-based system:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/b/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/b/.ssh/id_rsa.
Your public key has been saved in /home/b/.ssh/id_rsa.pub.

2) You must add your private key (might be not secure) but still you can do this,

ssh-add ~/.ssh/id_rsa

Source From Ubuntu Wiki.

Ubuntu – Password does not work for everything “anymore”!

First, let's try your account from the console. WRITE DOWN THESE DIRECTIONS BEFORE BEGINNING - you won't be able to read from here once you start.

Press Ctrl-Alt-F1. This will bring you to a text only console. Log in with your username and password. Once you've accomplished that, do sudo -s, and give it your password again. After doing that, press Press Ctrl-Alt-F7. This will bring you back to the usual graphical screen you're used to.

Were you able to log in at the shell? Were you able to successfully sudo to root (did the prompt change to root@yourmachine:~#)?

OK. You've done this, and you cannot log in at all. So, you will need to reset the password for your username. First, try doing CtrlAltT to bring up the Terminal. Type in passwd and hit enter. Will it allow you to change your password? If so, you should be good. If not, you'll need to boot to single user mode in order to reset your password.

If you could not change your password, let's get into Recovery Mode. Reboot the system, and at the GNU GRUB menu, press down arrow, and select (recovery mode) as shown here:

Grub Menu

Now, drop to root shell prompt:

enter image description here

OK, now you'll need to remount your root filesystem read-write, and then you can change your password:

root@yourmachine:~# mount -o remount,rw /
root@yourmachine:~# passwd yourname
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@yourmachine:~# exit

NOTE: you may be confused about what your actual username is - it's not necessarily the same thing you see at the Ubuntu login prompt! For example, I see "Jim Salter" when I log into my workstation, but my actual username is something completely different and much shorter. If your system tells you there is no such user, you can do less /etc/passwd to look for your actual account name - it should be towards the end of the file. Mine looks something like this:

myrealusername:x:1000:1000:Jim Salter,,,:/home/myrealusername:/bin/bash

Once you've successfully changed the password on your account, exit, "resume normal boot", and log in as normal, with shiny new (working!) password.

Best Answer

Related Solutions

Ubuntu – Unlock all private keys on Ubuntu, entering password only once at login

Ubuntu – Password does not work for everything “anymore”!

Related Question