Clearing Password History in Solaris 10
Later releases of the Solaris 10 OE introduce a new parameter, HISTORY, in the /etc/default/password file. This parameter keeps each user's previous passwords to prevent password recycling.
If password history is set and you attempt to reuse a previously used password you receive the following:
# passwd mchurchi
New Password:
passwd: Password in history list.
Please try again
New Password:
To determine if password history is set, simply check for the HISTORY keyword in the /etc/default/password file:
# grep "^HISTORY=" /etc/default/password
HISTORY=15
From the above output, password history has been enabled and the last 15 passwords will be remembered for each user.
HISTORY - Determines the length of the history buffer used to ensure that passwords are not repeated within a certain length of time. Setting HISTORY to 12 or 24 is probably good, but you also need to consider how long a new password would have to be kept to determine how long a user would have to wait to reuse a password. If HISTORY were set to 12, but MINWEEKS (see below) set to 0, a person could change his password twelve times in succession and get back to the original.
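The HISTORY/MINWEEKS interaction described above can be checked mechanically. The shell functions below are an added example, not part of the original article; the names get_param and audit_history are hypothetical, and the code assumes plain KEY=value lines, treats an unset MINWEEKS as 0, and does not consult per-user aging values.

```shell
#!/bin/sh
# Added example: flag a HISTORY setting that MINWEEKS=0 makes ineffective.

# Print the numeric value of KEY ($1) from FILE ($2), taking the last
# uncommented KEY=value line; prints nothing if absent or empty.
get_param() {
    sed -n "s/^$1=\([0-9][0-9]*\)[[:space:]]*\$/\1/p" "$2" | tail -1
}

# Print one verdict line for FILE; return 0 only if reuse is time-limited.
# Assumption: unset values count as 0; per-user aging is not consulted.
audit_history() {
    history=$(get_param HISTORY "$1")
    minweeks=$(get_param MINWEEKS "$1")
    history=${history:-0}
    minweeks=${minweeks:-0}
    if [ "$history" -eq 0 ]; then
        echo "FAIL: HISTORY unset or 0, no password history is kept"
        return 1
    fi
    if [ "$minweeks" -eq 0 ]; then
        echo "WEAK: HISTORY=$history with MINWEEKS=0, $history quick changes cycle back"
        return 1
    fi
    # Following the reasoning above: HISTORY changes, MINWEEKS apart each.
    echo "OK: HISTORY=$history MINWEEKS=$minweeks, reuse blocked for about $((history * minweeks)) weeks"
    return 0
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
printf '%s\n' '#HISTORY=24' 'HISTORY=12' 'MINWEEKS=0' > "$sample"
audit_history "$sample" || true
rm -f "$sample"
```

Pass the path of the defaults file as the only argument to audit_history; a non-zero return means the history setting alone does not prevent quick reuse.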
To disable password history, simply change the HISTORY value to
Review the article "Enforcing password complexity on Solaris" for more details on Solaris password options and settings.
Clearing Password history
However, occasionally one has to violate best practice to clear password history... here is how to do it:
- Grant write permissions to the password history file:
# chmod 600 /etc/security/passhistory
- You can check if the user currently has password history:
# grep "^mchurchi" /etc/security/passhistory
mchurchi:$2a$04$A.vGapPSCtbmXj3B9hYK..7fkgJqpg3YKXFoOt1T.YLBk0xw5p9E.:aMPK0ug.Syoag:Lp145TNOHmdl
From the above output we confirm that this user has password history entries.
- Now, edit the file /etc/security/passhistory and delete the entire line for the user's account you wish to change
- Reset permissions to read-only for root user on the password history file:
# chmod 400 /etc/security/passhistory