Pluggable Authentication Modules (PAM)
Pluggable Authentication Modules (PAM) is a suite of shared libraries that provides an abstraction layer between the available authentication methods and the applications that require authentication, which would otherwise have to support those methods directly. With PAM, all that is necessary for these components to cooperate is that a specific PAM module be available for each of them.
Never reuse old passwords ever.
To restrict users from using their old passwords on the same machine, in the
auth section, enter the following line:
auth sufficient pam_unix.so likeauth nullok
If you want to allow a user to reuse a password only when it is not among a number of passwords that were last used, add the following line in the
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=3
The pam_listfile.so module authenticates users based on the contents of a specified file. For example, if a username exists in the file /etc/ssh/ssh.allow, ssh will grant login access.
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh.deny onerr=succeed
Add all usernames you wish to deny access for to a
auth required pam_listfile.so item=user sense=allow file=/etc/ssh/ssh.allow onerr=fail
Add all usernames to allow access for to a
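
The effect of sense= and onerr= in the two pam_listfile lines above, as an added example that is not part of the original page: a Python model of the module's documented behaviour, not its own code. The decide() helper, its list_path parameter (standing in for file=) and the sample usernames are assumptions; only the list lookup and the unreadable-file case are modelled.

```python
import os
import tempfile

# The two pam_listfile lines from this page.
DENY_LINE = "auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh.deny onerr=succeed"
ALLOW_LINE = "auth required pam_listfile.so item=user sense=allow file=/etc/ssh/ssh.allow onerr=fail"

def parse_options(pam_line):
    """Return the key=value module arguments of one PAM config line."""
    _type, _control, _module, *args = pam_line.split()
    return dict(arg.split("=", 1) for arg in args)

def decide(pam_line, username, list_path):
    """Model the module result for `username`: 'success', 'auth_err' or
    'service_err'. `list_path` stands in for the file= path so the
    example can run against temporary files (assumption of this model)."""
    opts = parse_options(pam_line)
    try:
        with open(list_path) as fh:
            listed = any(entry.strip() == username for entry in fh)
    except OSError:
        # List unreadable: onerr decides whether this fails open or closed.
        return "success" if opts["onerr"] == "succeed" else "service_err"
    if opts["sense"] == "allow":
        return "success" if listed else "auth_err"
    return "auth_err" if listed else "success"

def demo():
    """Evaluate both lines with the list present and with it missing."""
    workdir = tempfile.mkdtemp()
    present = os.path.join(workdir, "list")
    missing = os.path.join(workdir, "no-such-file")
    with open(present, "w") as fh:
        fh.write("alice\n")  # constructed sample entry
    results = {}
    for name, line in (("deny", DENY_LINE), ("allow", ALLOW_LINE)):
        for user in ("alice", "bob"):
            results[(name, user, "present")] = decide(line, user, present)
            results[(name, user, "missing")] = decide(line, user, missing)
    return results

if __name__ == "__main__":
    for key, outcome in sorted(demo().items()):
        print(key, "->", outcome)
```

Because both lines use the required control flag, any result other than success fails the auth stack: a missing ssh.allow locks every user out, while a missing ssh.deny blocks no one.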
SASL can use different authentication methods. The default one is PAM (as configured in
#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so