I would like to prevent the use of last passwords and keep password complexity.
But if I use pam_pwquality.so and pam_pwhistory.so at the same time, it doesn't work properly.
For example, I set a minimum length of 8 and disable the last two passwords in the system-auth file.
password requisite pam_pwquality.so local_users_only retry=3 minlen=8
password requisite pam_pwhistory.so remember=2 retry=3
If I enter the last password that meets the complexity, pwhistory blocks me, but after that, it is possible to change the password without complexity. -> Does the first module become invalid if the check passes to the second module?
The situation is similar when pwquality and pwhistory are reversed.
password requisite pam_pwhistory.so remember=2 retry=3
password requisite pam_pwquality.so local_users_only retry=3 minlen=8
It works as follows.
$ passwd
Enter the last password -> failed by pwhistory module
Enter short password -> failed by pwquality module
Enter the last password -> success regardless of pwhistory module
Can't I check the complexity and the last password condition at the same time?
retry=1 so that the password change attempt stops when anything fails? It looks like PAM is getting confused with the multiple attempts, I guess.
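
An added example, not part of the thread: a small Python check for the stacking pattern in the question, assuming the behaviour described comes from a later module running its own retry prompt, so the replacement password never passes through the earlier module. The `pam_unix.so` line and the `use_authtok` variant are assumptions for illustration and do not come from the posts.

```python
import re

# Constructed samples. Only the pwquality/pwhistory lines come from the question;
# the pam_unix.so line and the use_authtok variant are assumptions for illustration.
QUESTION_STACK = """\
password requisite pam_pwquality.so local_users_only retry=3 minlen=8
password requisite pam_pwhistory.so remember=2 retry=3
password sufficient pam_unix.so sha512 shadow use_authtok
"""
SINGLE_PROMPT_STACK = """\
password requisite pam_pwquality.so local_users_only retry=3 minlen=8
password requisite pam_pwhistory.so remember=2 use_authtok
password sufficient pam_unix.so sha512 shadow use_authtok
"""

# type, control (plain word or [bracketed]), module, arguments
LINE = re.compile(r"^-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_password_stack(text):
    """Return [(module, args)] for every 'password' module line, in stack order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(2).endswith(".so"):  # skips include/substack lines
            stack.append((m.group(2).rsplit("/", 1)[-1], m.group(3).split()))
    return stack

def find_prompt_issues(text):
    """Flag modules after the first that can collect a new password themselves."""
    issues = []
    for pos, (module, args) in enumerate(parse_password_stack(text)):
        if pos == 0:
            continue  # the first module is expected to prompt
        if "use_authtok" not in args:
            issues.append(f"{module}: no use_authtok, can prompt for its own new password")
        retry = [a for a in args if a.startswith("retry=")]
        if retry and retry[0] != "retry=1":
            issues.append(f"{module}: {retry[0]} re-prompts after earlier modules already ran")
    return issues

if __name__ == "__main__":
    for name, stack in (("question", QUESTION_STACK), ("single prompt", SINGLE_PROMPT_STACK)):
        print(name, "->", find_prompt_issues(stack) or "ok")
```

The check is a heuristic over the file text only; it does not follow `include` or `substack` lines into other files.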