
Re: [Freeipa-users] Password requirements too stringent



On 09/19/2012 01:32 PM, Dmitri Pal wrote:
On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
So, commenting out:
password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

Caused users updating their passwords using ssh to get:

[ykatabam ykatabam ~]$ ssh ykatabam dns1 ecs-cloud lab eng bne redhat com
ykatabam dns1 ecs-cloud lab eng bne redhat com's password:
Permission denied, please try again.
ykatabam dns1 ecs-cloud lab eng bne redhat com's password:
Password expired. Change your password now.
Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ykatabam.
Current Password:
Password change failed. Server message: Password change failed
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something?
What did /var/log/secure have to say?

The message sounds to me like it's coming from the server.
Please look at the krb5kdc.log on the server.
This is the server side message.
Most likely it did not like the password because it did not meet the policy.
I wonder whether there is a bug in case password policy has 0 for the
required character classes.
Trying different passwords and changing the policy while watching the
log will give you more answers.

BTW if required character classes == 1 there is nothing to enforce, because each (non-empty) password has at least one character class.

You can check if there is some difference between 0 and 1.

Petr^2 Spacek
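
As an added illustration (not code from the thread, from FreeIPA or from pam_cracklib), this Python sketch models the credit and minlen options of the pam_cracklib line quoted above next to a simplified "required character classes" rule, showing that the client-side and server-side checks are independent and that a threshold of 0 or 1 accepts the same non-empty passwords. The function names, the sample passwords and the class-counting rule are assumptions; dictionary checks and the real server policy code are not modelled.

```python
import string

# pam_cracklib line quoted in the thread (the one that was commented out).
PAM_LINE = ("password    requisite     pam_cracklib.so try_first_pass retry=3 "
            "type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8")

def class_counts(pw):
    """Count characters per class: d=digit, u=upper, l=lower, o=other."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in pw:
        if ch in string.digits:
            counts["d"] += 1
        elif ch in string.ascii_uppercase:
            counts["u"] += 1
        elif ch in string.ascii_lowercase:
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts

def parse_cracklib(line):
    """Return the integer-valued key=value options of a pam_cracklib line."""
    opts = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and value.lstrip("-").isdigit():
            opts[key] = int(value)
    return opts

def cracklib_failures(pw, opts):
    """Names of the credit/minlen options pw violates (model, no dictionary check)."""
    counts, failed, needed = class_counts(pw), [], opts.get("minlen", 0)
    for k in "dulo":
        credit = opts.get(k + "credit", 0)    # assumption: unset option treated as 0
        if credit < 0 and counts[k] < -credit:
            failed.append(k + "credit")       # -N: at least N chars of this class
        elif credit > 0:
            needed -= min(counts[k], credit)  # +N: class earns credit toward minlen
    if len(pw) < needed:
        failed.append("minlen")
    return failed

def meets_min_classes(pw, min_classes):
    """Hypothetical server-side rule: at least min_classes classes present."""
    return sum(1 for n in class_counts(pw).values() if n) >= min_classes

if __name__ == "__main__":
    opts = parse_cracklib(PAM_LINE)
    for pw in ("password", "Passw0rd!", "Aa1!"):  # constructed sample passwords
        print(pw, cracklib_failures(pw, opts),
              meets_min_classes(pw, 0), meets_min_classes(pw, 1))
```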

