no old password was entered

Support for security such as Firewalls and securing linux
Post Reply
megoisme
Posts: 1
Joined: 2015/10/27 04:14:28

no old password was entered

Post by megoisme » 2016/08/01 05:02:10

Centos: 6.8
I want to create a password history using PAM.

but there are some issues,
- When changing the password for root/user, the error "gkr-pam: couldn't update the 'login' keyring password: no old password was entered" is seen.
- Password change works but error is logged. (/var/log/secure)

/etc/pam.d/system-auth

Code: Select all


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required 		pam_env.so
auth sufficient 	pam_unix.so nullok try_first_pass
auth requisite 		pam_succeed_if.so uid >= 500 quiet
auth required 		pam_deny.so

account required 	pam_unix.so
account sufficient 	pam_localuser.so
account sufficient 	pam_succeed_if.so uid < 500 quiet
account required 	pam_permit.so

password requisite 		pam_cracklib.so try_first_pass retry=3 type= dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2 minlen=8
password sufficient 	pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required 		pam_deny.so
password required       pam_pwhistory.so remember=5 use_authtok

session optional 				   pam_keyinit.so revoke
session required 				   pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required 				   pam_unix.so
/etc/pam.d/password-auth

Code: Select all

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth 		required 	pam_env.so
auth 		required 	pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1800
auth 		sufficient 	pam_unix.so nullok try_first_pass
auth 		requisite	pam_succeed_if.so uid >= 500 quiet
auth 		required 	pam_deny.so

account 	required 	pam_unix.so
account 	required 	pam_tally2.so
account 	sufficient 	pam_localuser.so
account 	sufficient 	pam_succeed_if.so uid < 500 quiet
account 	required 	pam_permit.so

password 	requisite 		pam_cracklib.so try_first_pass retry=3 type=
password 	sufficient 		pam_unix.so use_authtok sha512 shadow remember=5
password 	required 	  	pam_deny.so
password  	required     	pam_pwhistory.so remember=5 use_authtok

session 	optional 		pam_keyinit.so revoke
session 	required 		pam_limits.so
session 	[success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session 	required 		pam_unix.so
I think adding remember=5 in pam_unix.so is working :oops:, but old passwords not storing to /etc/security/opasswd (i was touch this file).

[root@mego~]# ls -lZ /etc/security/opasswd
-rw------- root root ? /etc/security/opasswd

Post Reply