Your organization's security baseline mandates using the pam_pwhistory module (not pam_unix) to block password recycling. On a Rocky Linux 9 server that relies only on local accounts, you must guarantee that every user - including root - cannot reuse any of their previous eight passwords. While editing /etc/pam.d/system-auth, which single PAM line, placed immediately after the existing pam_pwquality.so entry, will meet this requirement?
The correct directive must (1) call the pam_pwhistory module, because the baseline prohibits using pam_unix for history control, (2) set remember=8 so that the last eight passwords are stored and compared, and (3) include enforce_for_root so the check is applied to the root account as well. The line password required pam_pwhistory.so use_authtok remember=8 enforce_for_root satisfies all three conditions.
Other options fail for at least one reason: a pam_pwhistory line without enforce_for_root exempts root; a pam_unix line ignores the baseline that disallows that module; and a pam_pwquality line only evaluates password strength, not history, so it cannot prevent reuse.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is pam_pwhistory, and how does it differ from pam_unix?
Open an interactive chat with Bash
What does the `enforce_for_root` option in pam_pwhistory do?
Open an interactive chat with Bash
Why is pam_pwquality insufficient for password history enforcement?
Open an interactive chat with Bash
CompTIA Linux+ XK0-006 (V8)
Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access