# Remembering Password History with passwdqc



## Aerospaztic (Apr 25, 2011)

I'm working in a government lab and am required to set up password history so that no password can be used twice for 24 generations.  This works perfectly with pam_cracklib on Ubuntu, but that is not available in FreeBSD.  Some say it is not possible to use passwdqc to implement password history requirements, but seeing that passwdqc was developed by DARPA, who has the same requirements that I do, I'm not really believing that there is no way to get the history in there somewhere.

Any suggestions?


----------



## anomie (Apr 25, 2011)

Probably more than you bargained for, but read this bit of insight on pam_passwdqc(8) and password histories: 

http://www.openwall.com/lists/owl-users/2007/06/24/1

Anyway, try a quick 'net search for "pam_passwdqc history". It appears you can stack pam_passwdqc(8) with pam_unix(8) to solve the problem - at least on Linux-PAM. I don't see a *remember* directive documented for UNIX PAM. 

FWIW, I'm going to agree with Solar Designer on this one. It's a bull$%#@ "security feature".
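
The Linux-PAM stacking mentioned in the post above, sketched as an added example that is not part of the original post or of either module's documentation. It applies to Linux-PAM only; the file path is an assumption (Debian/Ubuntu layout), and `remember=24` is taken from the 24-generation requirement in the question.

```conf
# /etc/pam.d/common-password  (path assumed; Debian/Ubuntu layout)

# Step 1: pam_passwdqc prompts for the new password and rejects it
# if it fails the strength policy. "requisite" stops the stack on failure.
password  requisite  pam_passwdqc.so  enforce=everyone

# Step 2: pam_unix writes the password accepted in step 1.
#   use_authtok  reuse the password collected by pam_passwdqc, do not prompt again
#   remember=24  keep the last 24 password hashes per user in
#                /etc/security/opasswd and refuse a new password that matches one
password  required   pam_unix.so      use_authtok sha512 shadow remember=24
```

The history file holds old password hashes, so it should be readable by root only, like `/etc/shadow`.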


----------



## Aerospaztic (Apr 26, 2011)

I have implemented this on Linux already using pam_cracklib. It was rather painless.  For some reason pam_cracklib is not available in the UNIX port tree.  

I'll take a look at the site you recommended and see if it helps.  Otherwise, I think I'll try getting the LDAP server to work, and from there implement "ppolicy" on the LDAP to remember password history.  I know it is a BS security feature, but it's a federal regulation, so I have to do it.


----------



## phoenix (Apr 27, 2011)

Note:  FreeBSD uses OpenPAM, not Unix PAM.  You may want to ask on their mailing list.


----------



## anomie (Apr 27, 2011)

If my post was ambiguous:


----------

