Tim, please check your /etc/pam.d/system-auth with the password block.  If you 
see password    requisite     pam_cracklib.so, then this is why you are having 
a problem.

$ man pam_cracklib

It is a local security library for enforcing strong password practices from the 
unix cli.

ProTip:
If you don't need this, you can remove it from pam.
If you want to work around this, set your password from the IPA webui or via 
the cli: "ipa passwd username"

Hope this info helps!

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JR Aquino

Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Incident Handler | GIAC WebApplication Penetration Tester
jr.aqu...@citrix.com<mailto:jr.aqu...@citrix.com>



Powering mobile workstyles and cloud services





On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:

Hey all;

I'm running IPA internally to control access to our cloud environment.

I must admit, I do not understand the password requirements. I have had them 
set to the defaults. I read this:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change 
their passwords, they get "Based on a dictionary word" for passwords that have 
nothing to do with dictionary words.

I can't find anywhere in the documentation a breakdown of what makes an 
unacceptable versus acceptable password.

Can anyone help me figure out what to tell my users? I think people would get a 
lot less frustrated if they knew why "C679V375" was "too simple" when the 
password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

ps: funny exchange with user:
Jul 12 14:12:33 <user1> i feel like im being punked
Jul 12 14:12:40 <user1> it is based on a dictionary word
Jul 12 14:12:43 <user1> it is too short
Jul 12 14:12:49 <user1> is does not have enough unique letters
Jul 12 14:12:51 <user1> etc

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
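
Added example, not part of the original thread: a shell check for the condition described in the reply, listing every pam_cracklib.so entry in the password stack of a PAM file with its control flag and options. The function names check_cracklib and write_sample are hypothetical, and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Report pam_cracklib.so entries in the "password" stack of one PAM file.
# Prints "control<TAB>options" per match; returns 0 if found, 1 if not.
# Assumption: only the named file is read; include/substack lines are
# not followed, so run it on each file your service actually references.
check_cracklib() {
    awk '
        $1 ~ /^#/ { next }                      # comment line
        {
            type = $1
            sub(/^-/, "", type)                 # "-" prefix: ignore missing module
            if (type != "password") next
            i = 2; control = $i
            if (control ~ /^\[/)                # bracketed control may contain spaces
                while (control !~ /\]$/ && i < NF) { i++; control = control " " $i }
            module = $(i + 1)
            if (module !~ /(^|\/)pam_cracklib\.so$/) next
            args = ""
            for (j = i + 2; j <= NF; j++) args = args (args == "" ? "" : " ") $j
            printf "%s\t%s\n", control, args
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample of a system-auth password block (not from a real host).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
EOF
}

# Demo on the constructed sample; on a real host pass /etc/pam.d/system-auth.
sample=$(mktemp)
write_sample "$sample"
if check_cracklib "$sample"; then
    echo "pam_cracklib is in the password stack: local checks apply to passwd/SSH changes"
else
    echo "pam_cracklib not found in $sample"
fi
rm -f "$sample"
```

A `requisite` control means a pam_cracklib rejection stops the password stack before pam_sss is ever consulted.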
