So, commenting out: 
password    requisite     pam_cracklib.so try_first_pass retry=3 type= 
dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

Caused users updating their passwords using ssh to get:

[ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Permission denied, please try again.
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Password expired. Change your password now.
Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ykatabam.
Current Password:
Password change failed. Server message: Password change failed
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Is that to say that you need at least 1 password requisite? That instead of 
commenting out the password requisite pam_cracklib.so, I should have replaced 
it with something?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
> From: "Jakub Hrozek" <jhro...@redhat.com>
> To: freeipa-users@redhat.com
> Sent: Tuesday, September 18, 2012 5:29:12 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
> 
> On Tue, Sep 18, 2012 at 02:57:49AM +0000, JR Aquino wrote:
> > 
> > On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:
> > 
> > > JR
> > > 
> > > I had that line. I commented it out. Thank you.
> > > 
> > > Now, what do I have to restart?
> > 
> > I believe it should take effect in real time, but you may need to
> > test to be sure.  If it is still happening, you may need to double
> > check that some other pam cfg doesn't also have it present: $ cd
> > /etc/pam.d/ && grep pam_cracklib *
> > 
> > If you have removed it from everything and it is still giving you
> > the same error, then I would try a reboot... perhaps getty needs
> > to reinitialize or something.  But I'd try those steps before a
> > reboot!
> > 
> > ;)
> > 
> 
> Some services, notably the sshd, must be restarted in order to
> re-read
> the PAM config.
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to