Tim, please check your /etc/pam.d/system-auth with the password block.  If you 
see password    requisite     pam_cracklib.so, then this is why you are having 
a problem.

$ man pam_cracklib

It is a local security library for enforcing strong password practices from the 
unix cli.

If you don't need this, you can remove it from pam
If you want to work around this, set your password from the IPA webui or via 
the cli: "ipa passwd username"

Hope this info helps!

"Keeping your head in the cloud"
JR Aquino

Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Incident Handler | GIAC WebApplication Penetration Tester


Powering mobile workstyles and cloud services

On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:

Hey all;

I'm running IPA internally to control access to our cloud environment.

I must admit, I do not understand the password requirements. I have had them 
set to the defaults. I read this:

I have the minimum character classes set to 0. When people use SSH to change 
their passwords, they get "Based on a dictionary word" for passwords that have 
nothing to do with dictionary words.

I can't find anywhere in the documentation a break down of what makes an 
unacceptable versus acceptable password.

Can anyone help me figure out what to tell my users? I think people would get a 
lot less frustrated if they knew why "C679V375" was "too simple" when the 
password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

ps: funny exchange with user:
Jul 12 14:12:33 <user1> i feel like im being punked
Jul 12 14:12:40 <user1> it is based on a dictionary word
Jul 12 14:12:43 <user1> it is too short
Jul 12 14:12:49 <user1> is does not have enough unique letters
Jul 12 14:12:51 <user1> etc

Freeipa-users mailing list

<<inline: image002.jpg>>

Freeipa-users mailing list

Reply via email to