[Freeipa-users] Password requirements too stringent

Tim Hildred thildred at redhat.com
Wed Sep 19 07:15:41 UTC 2012


Sep 19 11:40:43 dns1 sshd[11197]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 19 11:40:43 dns1 sshd[11197]: Accepted password for ykatabam from 10.64.48.102 port 47713 ssh2
Sep 19 11:40:43 dns1 sshd[11197]: pam_unix(sshd:session): session opened for user ykatabam by (uid=0)
Sep 19 11:40:43 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does not exist in /etc/passwd
Sep 19 11:41:21 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does not exist in /etc/passwd
Sep 19 11:41:22 dns1 sshd[11201]: Received disconnect from 10.64.48.102: 11: disconnected by user
Sep 19 11:41:22 dns1 sshd[11197]: pam_unix(sshd:session): session closed for user ykatabam
Sep 19 14:40:33 dns1 sshd[11113]: Received disconnect from 10.64.15.231: 11: disconnected by user

Looks like you're right, Jakub.

From what I gather:
- the server requires a complex password in that cracklib.so, so it was suggested I take that "password requisite cracklib.so" out. 
- with that gone, it looks kind of like IPA doesn't come into the picture?

I uncommented that line, and now it all works again, but I'm back to really-stringent-password-requirement-town.

What next?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thildred at redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
> From: "Jakub Hrozek" <jhrozek at redhat.com>
> To: "Tim Hildred" <thildred at redhat.com>
> Cc: freeipa-users at redhat.com
> Sent: Wednesday, September 19, 2012 4:56:42 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
> 
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> > So, commenting out:
> > password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> > 
> > Caused users updating their passwords using ssh to get:
> > 
> > [ykatabam at ykatabam ~]$ ssh ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com
> > ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> > Permission denied, please try again.
> > ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> > Password expired. Change your password now.
> > Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user ykatabam.
> > Current Password:
> > Password change failed. Server message: Password change failed
> > passwd: Authentication token manipulation error
> > Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> > 
> > Is that to say that you need at least 1 password requisite? That
> > instead of commenting out the password requisite pam_cracklib.so,
> > I should have replaced it with something?
> 
> What did /var/log/secure have to say?
> 
> The message sounds to me like it's coming from the server..
> 



