pam_cracklib password history

lists at trcintl.com lists at trcintl.com
Tue Mar 27 19:40:20 UTC 2007


I have been attempting to enable pam_cracklib to check a password in a password history file with no luck.  No matter what I seem to try, nothing is ever added to the opasswd file.  I have tried this on several stations with no luck so I must be missing something.  I have been following the documentation at the following URL:
www.deer-run.com/~hal/sysadmin/pam_cracklib.html

The problem is I can't seem to get it to work.  So, I loaded up a test machine from scratch using RHEL 4.4 with all updates as of 3-14-07.  I then did the following:

1.)  touch /etc/security/opasswd	{creates the necessary old password file}
2.)  chown root:root /etc/security/opasswd
3.)  chmod 600 /etc/security/opasswd
Note I have opened the permissions up on this file for testing with no more luck.
4.)  I modified the system-auth file which I'm pretty sure is the file this flavor of Linux uses with the following line:
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12


Here is the entire file.  The only thing changed from the default file is the line above.  I simply added remember=12 to it.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

If I change the line above from sufficient to required as in the example on the site referenced above such as follows:
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12

I then get the error:
passwd:  Authentication token manipulation error
{This tells me I must be editing the correct file}

What do I need to do to create the password history file using pam_cracklib?
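
Added example, not part of the original post: a small Python audit of the password stack and history file described above, checking where remember= is set and whether the opasswd file exists with root ownership and mode 600. The helper names audit_stack and check_history_file are hypothetical, and SAMPLE is constructed from the password lines quoted in the post.

```python
import os
import stat

# Constructed sample: the password section of the system-auth file quoted in the post.
SAMPLE = """\
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password    required      /lib/security/$ISA/pam_deny.so
"""

def parse_password_stack(text):
    """Return [(control, module, options)] for each 'password' line, in stack order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "password":
            continue
        i = 1  # index of the last token of the control field
        while fields[1].startswith("[") and not fields[i].endswith("]") and i < len(fields) - 2:
            i += 1  # bracketed control such as [success=1 default=ignore]
        opts = dict((o.split("=", 1) + [True])[:2] for o in fields[i + 2:])
        stack.append((" ".join(fields[1:i + 1]), os.path.basename(fields[i + 1]), opts))
    return stack

def audit_stack(text):
    """Hypothetical helper: list findings about password-history settings in a PAM stack."""
    findings, seen = [], []
    for control, module, opts in parse_password_stack(text):
        if module == "pam_cracklib.so" and "remember" in opts:
            findings.append("remember= is a pam_unix.so option, not a pam_cracklib.so one")
        if module == "pam_unix.so":
            if not str(opts.get("remember", "")).isdigit():
                findings.append("pam_unix.so (%s) has no numeric remember=N" % control)
            if "use_authtok" in opts and not seen:
                findings.append("use_authtok set but no earlier module supplies the new password")
        seen.append(module)
    if "pam_unix.so" not in seen:
        findings.append("no pam_unix.so line in the password stack")
    return findings

def check_history_file(path="/etc/security/opasswd"):
    """Report whether the history file exists, is root-owned and closed to group/other."""
    try:
        st = os.stat(path)
    except OSError:
        return ["%s is missing" % path]
    if st.st_uid != 0 or stat.S_IMODE(st.st_mode) & 0o077:
        return ["%s should be root-owned with mode 0600" % path]
    return []

if __name__ == "__main__":
    print(audit_stack(SAMPLE) + check_history_file())
```

An empty list from audit_stack means only that the stack's history options are placed where pam_unix.so reads them; it does not show that a password change actually reached the history file.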




More information about the Pam-list mailing list