How to set the password policy such that user cannot use any of the previous 3 passwords in CentOS/RHEL 6

Question: How to change the password policy on a system so that a user cannot choose any of the last 3 passwords previously used?

1. Make sure that the file /etc/security/opasswd, where pam_unix keeps the hashes of previous passwords, has the default permission (600):

# ls -l /etc/security/opasswd
-rw------- 1 root root 116 Sep 8 14:52 /etc/security/opasswd

2. Back up the file /etc/pam.d/system-auth before editing it:

# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.old

3. Open /etc/pam.d/system-auth in the vi editor and change the line containing:

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

to:

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3

Save and quit the editor (:wq!)

4. Log in as any non-root user and try to change the password with the passwd command. If you reuse one of the previous passwords, the change is rejected with the error “Password has been already used. Choose another.”

$ passwd
Changing password for user test.
Changing password for test.
(current) UNIX password:
New password:
Retype new password:
Password has been already used. Choose another.
Password:
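The following shell helper is an added example and is not part of the original post. It performs steps 1 to 3 above on a PAM configuration file path you pass in, so you can try it on a copy before touching /etc/pam.d/system-auth: it backs the file up, appends remember=N to the pam_unix password line only if that option is not already there (so re-running it never produces a duplicate), and reads the value back so you can confirm the edit. The function names (add_remember, remember_value, check_mode_600) are my own, and the pattern assumes the pam_unix line uses the sufficient control flag exactly as shown in this post.

```shell
#!/bin/sh
# Added example (not from the original post): manage the "remember=N" option
# on the pam_unix password line of a PAM config file.
#
# Usage after sourcing this file:
#   add_remember /etc/pam.d/system-auth 3
#   remember_value /etc/pam.d/system-auth      # prints 3
#   check_mode_600 /etc/security/opasswd       # exit status 0 if mode is 600

# Append "remember=N" (default 3) to the pam_unix password line, keeping a
# ".old" copy of the file. Idempotent: a line that already carries remember=
# is left untouched.
add_remember() {
  file="$1"
  n="${2:-3}"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  cp -p "$file" "$file.old" || return 1
  awk -v n="$n" '
    /^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ && !/remember=/ {
      $0 = $0 " remember=" n
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the N from remember=N on the pam_unix password line (nothing if unset).
remember_value() {
  awk '
    /^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^remember=/) { sub(/^remember=/, "", $i); print $i; exit }
      }
    }
  ' "$1"
}

# Succeed only if the file is a regular file with mode 600 (-rw-------),
# as the post requires for /etc/security/opasswd. Uses ls so it works on
# both GNU and BSD userlands.
check_mode_600() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}
```

The awk edit rewrites the whole file through a temporary copy, so a failure part-way leaves the original in place, and the .old backup matches step 2 of the post. One caveat for RHEL/CentOS 6 specifically: /etc/pam.d/system-auth is normally a symlink to system-auth-ac, which the authconfig tool regenerates, so a hand edit there is lost the next time authconfig runs; check remember_value after any authconfig change.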