Prevent changing password to an older password

Kiehlster

MIS
Aug 14, 2000
147
US
Hello all,

At my job, we're working to get certified with VISA, and one criterion is that we have a 90-day password expiration time, and we must also prevent people from changing the password to any of their last 4 old passwords.

I'm running Samba with LDAP on FreeBSD. I know how to make the password expire in 90 days, but is there a way, or does smbldap already prevent users from changing their password to one of their old passwords?

Steve Kiehl
Web Page Designer - Nanovox Productions
Fantasy Artist - Zeadi
 
I believe Samba 3.0.6 added support for checking password history / logon times, etc.

1. Create the old password file with the command
# touch /etc/security/opasswd

2. Edit /etc/pam.d/system-auth and add the following pam_unix parameter "remember=3".

Cracklib will automatically check /etc/security/opasswd and will not allow any of the passwords listed to be used again. This means that you must have pam_cracklib stacked before your pam_unix module (which is the default).

You should have 'pam password change = yes' in your smb.conf; this way Samba will use PAM to change the password instead of running the passwd chat.


"If you always do what you've always done, you will always be where you've always been."
 
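A configuration check for the setup described in the reply above, added here as an example (not code from the thread): it parses a PAM password stack and an smb.conf and reports whether pam_unix keeps enough password history, whether pam_cracklib is stacked before it, and whether Samba is set to change passwords through PAM. The sample file contents, the function names, and the mapping of the "last 4 passwords" requirement onto `remember` >= 4 are assumptions.

```python
import re

# Constructed samples (not from the thread): a Linux-PAM password stack as it
# might appear in /etc/pam.d/system-auth, and a minimal smb.conf.
SAMPLE_PAM = """\
password  requisite   pam_cracklib.so try_first_pass retry=3
password  sufficient  pam_unix.so shadow use_authtok remember=3
password  required    pam_deny.so
"""
SAMPLE_SMB = "[global]\n   pam password change = yes\n"

def password_stack(pam_text):
    """Return [(module, args)] for every 'password' line, in stack order."""
    stack = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "password":
            continue
        i = 1
        if fields[1].startswith("["):  # bracketed control may contain spaces
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        if i + 1 < len(fields):
            stack.append((fields[i + 1].rsplit("/", 1)[-1], fields[i + 2:]))
    return stack

def audit(pam_text, smb_text, required_history=4):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    stack = password_stack(pam_text)
    names = [module for module, _ in stack]
    if "pam_unix.so" not in names:
        findings.append("no pam_unix.so in the password stack")
    else:
        pos = names.index("pam_unix.so")
        remember = 0  # option absent means no history is kept
        for arg in stack[pos][1]:
            if re.fullmatch(r"remember=\d+", arg):
                remember = int(arg.split("=", 1)[1])
        if remember < required_history:
            findings.append(f"pam_unix remember={remember}, need >= {required_history}")
        if "pam_cracklib.so" not in names[:pos]:
            findings.append("pam_cracklib.so is not stacked before pam_unix.so")
    if not re.search(r"^\s*pam\s+password\s+change\s*=\s*(yes|true|1)\s*$",
                     smb_text, re.I | re.M):
        findings.append("smb.conf lacks 'pam password change = yes'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM, SAMPLE_SMB) or ["all checks passed"]:
        print(finding)
```

Run against the constructed sample, the check reports that `remember=3` is below the history depth of 4 stated in the question.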
Very cool info. The policy is stupid and flawed, but that's beside the point. rzs0502, here's a star.
 