Re: [Freeipa-users] Force IPA to accept password?
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
Sent: 26 September 2013 17:36
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Force IPA to accept password?

> On Thu, Sep 26, 2013 at 02:58:43PM +0100, Innes, Duncan wrote:
> > Sorry,
> >
> > -----Original Message-----
> > From: Martin Kosek [mailto:mko...@redhat.com]
> > Sent: 26 September 2013 14:29
> > To: Innes, Duncan
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Force IPA to accept password?
> >
> > > On 09/26/2013 01:05 PM, Innes, Duncan wrote:
> > > > Hi,
> > > >
> > > > Can I force IPA to accept a new password that I have chosen?
> > >
> > > What password do you have in mind? A password of an IPA user?
> >
> > Yes - for my authentication when SSHing onto a Linux box.
> >
> > > > Today I've had to change my password in 2x AD domains and other places according to policy. I've done this. But coming to IPA, I find that I've chosen a BAD PASSWORD.
> > > >
> > > > Without getting into the merits of the AD password policy and the security of the password I've chosen, can I force IPA to accept my new password at all?
> > >
> > > Well, without getting into security of the approach, you could change the global password policy or group password policy so that the new password is accepted:
> > >
> > > $ ipa pwpolicy-mod --minlength=5
> > >
> > > or
> > >
> > > $ ipa pwpolicy-add usergroup --minlength=5
> > >
> > > ... to fix whatever failing password policy attribute.
> >
> > The error comes from a dictionary check I think. AD does as well as far as I know, but would appear to have a smaller dictionary or looser rules.
> >
> > Kind of what I expected/feared though. I don't want to change the IPA policy at all, just override its objection. For now, I went the long route and changed my IPA password first, then changed the other passwords to match what IPA was happy with.
>
> Which command did you use to change the password? 'passwd' or 'ipa passwd'?
>
> If you use 'passwd' the PAM stack on the client for the passwd command comes into play which typically has some modules like pam_pwquality.so listed which do checks including dictionary checks. If you use 'ipa passwd' the password should be only validated against the server-side password policy Martin mentioned above.

Sumit, yes - I used 'passwd'. I'll look into using 'ipa passwd' in about 3 months time :-)

Thanks

> HTH
>
> bye,
> Sumit
>
> > > HTH,
> > > Martin
> >
> > Cheers thanks for your help
> >
> > Duncan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Force IPA to accept password?
On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
> Sent: 26 September 2013 17:36
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Force IPA to accept password?
>
> ...
>
> > Which command did you use to change the password? 'passwd' or 'ipa passwd'?
> >
> > If you use 'passwd' the PAM stack on the client for the passwd command comes into play which typically has some modules like pam_pwquality.so listed which do checks including dictionary checks. If you use 'ipa passwd' the password should be only validated against the server-side password policy Martin mentioned above.
>
> Sumit, yes - I used 'passwd'. I'll look into using 'ipa passwd' in about 3 months time :-)

Eh, ok :-)

BTW, you could also use standard kpasswd, it should also avoid modules like pam_pwquality.so and only use the server policy.

Martin
Re: [Freeipa-users] Force IPA to accept password?
-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: 27 September 2013 09:28
To: Innes, Duncan
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Force IPA to accept password?

> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> > -----Original Message-----
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
> > Sent: 26 September 2013 17:36
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Force IPA to accept password?
> >
> > ...
> >
> > > Which command did you use to change the password? 'passwd' or 'ipa passwd'?
> > >
> > > If you use 'passwd' the PAM stack on the client for the passwd command comes into play which typically has some modules like pam_pwquality.so listed which do checks including dictionary checks. If you use 'ipa passwd' the password should be only validated against the server-side password policy Martin mentioned above.
> >
> > Sumit, yes - I used 'passwd'. I'll look into using 'ipa passwd' in about 3 months time :-)
>
> Eh, ok :-)
>
> BTW, you could also use standard kpasswd, it should also avoid modules like pam_pwquality.so and only use the server policy.
>
> Martin

OK - this is opening my eyes somewhat. I know about the password policy section of IPA, but there doesn't appear to be anywhere to control the quality of the password. Is this done by PAM on the server? If it's not, how do I enforce things like ensuring at least 1 upper case, 1 lower case, 1 number and 1 special character? I don't see that in the docs.

Would like to be able to ensure that the minimum password policy is centralised rather than perhaps having an erroneous strict policy on a few machines.

Thanks

Duncan
Re: [Freeipa-users] Force IPA to accept password?
On Fri, Sep 27, 2013 at 10:27:30AM +0200, Martin Kosek wrote:
> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> > -----Original Message-----
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
> > Sent: 26 September 2013 17:36
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Force IPA to accept password?
> >
> > ...
> >
> > > Which command did you use to change the password? 'passwd' or 'ipa passwd'?
> > >
> > > If you use 'passwd' the PAM stack on the client for the passwd command comes into play which typically has some modules like pam_pwquality.so listed which do checks including dictionary checks. If you use 'ipa passwd' the password should be only validated against the server-side password policy Martin mentioned above.
> >
> > Sumit, yes - I used 'passwd'. I'll look into using 'ipa passwd' in about 3 months time :-)
>
> Eh, ok :-)
>
> BTW, you could also use standard kpasswd, it should also avoid modules like pam_pwquality.so and only use the server policy.

Martin,

pam_pwquality has an option called 'local_users_only'. According to bz849072 it should be set by default since F18 but it looks like it is not set in F19. Should we open a ticket to investigate it?

bye,
Sumit

> Martin
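The client-side interference Sumit describes can be checked for on a host by reading its PAM stack. The audit below is an added example, not part of this thread or of pam_pwquality itself: the two config excerpts are constructed, and the only module option it looks for is the real 'local_users_only' option Sumit names.

```python
# Added example (not from the thread): find pam_pwquality.so lines in a PAM
# stack that would still apply their own quality checks to centrally managed
# (IPA/SSSD) users, i.e. lines that lack the 'local_users_only' option.
# pam_pwquality's local_users_only skips users that are not in /etc/passwd.
import re

# Constructed excerpt in the shape of a Fedora /etc/pam.d/system-auth
# where the option is present (the intended F18 default per bz849072).
SAMPLE_WITH_OPTION = """\
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
"""

# Constructed excerpt where the option is missing (the F19 situation Sumit saw).
SAMPLE_MISSING_OPTION = """\
# comment line, ignored by the audit
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
"""

# type  control(word or [bracketed])  module-path  options...
PWQUALITY_LINE = re.compile(
    r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S*pam_pwquality\.so)\s*(.*)$")


def audit_pam_pwquality(config_text):
    """Return one dict per pam_pwquality.so line: where it is and what it sets."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        m = PWQUALITY_LINE.match(line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        options = args.split()
        findings.append({
            "line": lineno,
            "type": mtype,
            "control": control,
            "module": module,
            "options": options,
            "local_users_only": "local_users_only" in options,
        })
    return findings


def lines_affecting_central_users(config_text):
    """Line numbers of pam_pwquality.so entries that also check non-local users."""
    return [f["line"] for f in audit_pam_pwquality(config_text)
            if not f["local_users_only"]]


if __name__ == "__main__":
    for name, cfg in (("with option", SAMPLE_WITH_OPTION),
                      ("missing option", SAMPLE_MISSING_OPTION)):
        bad = lines_affecting_central_users(cfg)
        print(f"{name}: pam_pwquality checks IPA users on lines {bad or 'none'}")
```

Run against a real file with `lines_affecting_central_users(open("/etc/pam.d/system-auth").read())`; an empty list means pam_pwquality will leave IPA users to the server-side policy.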
Re: [Freeipa-users] Force IPA to accept password?
On 09/27/2013 11:03 AM, Innes, Duncan wrote:
> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: 27 September 2013 09:28
> To: Innes, Duncan
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Force IPA to accept password?
>
> > On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> > > -----Original Message-----
> > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
> > > Sent: 26 September 2013 17:36
> > > To: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] Force IPA to accept password?
> > >
> > > ...
> > >
> > > > Which command did you use to change the password? 'passwd' or 'ipa passwd'?
> > > >
> > > > If you use 'passwd' the PAM stack on the client for the passwd command comes into play which typically has some modules like pam_pwquality.so listed which do checks including dictionary checks. If you use 'ipa passwd' the password should be only validated against the server-side password policy Martin mentioned above.
> > >
> > > Sumit, yes - I used 'passwd'. I'll look into using 'ipa passwd' in about 3 months time :-)
> >
> > Eh, ok :-)
> >
> > BTW, you could also use standard kpasswd, it should also avoid modules like pam_pwquality.so and only use the server policy.
> >
> > Martin
>
> OK - this is opening my eyes somewhat. I know about the password policy section of IPA, but there doesn't appear to be anywhere to control the quality of the password. Is this done by PAM on the server? If it's not, how do I enforce things like ensuring at least 1 upper case, 1 lower case, 1 number and 1 special character? I don't see that in the docs.

This should help:
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/user-pwdpolicy.html

You can control character classes - if you set that for example to 3, the password needs to have at least:
- one number, one lower-case char, one upper-case char
OR
- one number, one special char, one lower-case char.

You can also set minimal length. These 2 options should provide the settings you requested.

Note that the policy is not related to PAM, it is required by an LDAP server plugin on the FreeIPA server - so that it affects all possible password changes - like ldappasswd, passwd, kpasswd and others.

> Would like to be able to ensure that the minimum password policy is centralised rather than perhaps having an erroneous strict policy on a few machines.

+1. You can set that centrally on the server, you can even set different policies for different groups. It can just happen that pam_pwquality.so may interfere (as we found out) and add its own password quality requirements on top of the FreeIPA centralized ones.

Martin
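A small model of the two server-side knobs Martin describes (minimum length and minimum number of character classes), added here as an illustration and not FreeIPA's own code: the four classes are the ones Martin lists, and the two sample policies and the return format are my assumptions.

```python
# Added example (not FreeIPA's code): model how a FreeIPA-style policy with
# --minlength and --minclasses accepts or rejects a password, so that the
# same password can pass a relaxed global policy and fail a stricter group one.
import string

# Simplified to the four classes Martin names; FreeIPA's server plugin is the
# real enforcement point and may count additional classes.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation) | {" "},
}


def present_classes(password):
    """Names of the character classes that occur at least once in password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def check_policy(password, minlength=8, minclasses=0):
    """Evaluate password against a policy; [] means the policy accepts it."""
    violations = []
    if len(password) < minlength:
        violations.append(
            f"length {len(password)} is below minlength {minlength}")
    found = present_classes(password)
    if len(found) < minclasses:
        names = ", ".join(sorted(found)) or "none"
        violations.append(
            f"only {len(found)} character class(es) present ({names}), "
            f"minclasses is {minclasses}")
    return violations


# Constructed sample policies: a relaxed global policy like the one
# 'ipa pwpolicy-mod --minlength=5' would produce, and a stricter group policy
# of the kind Duncan asked for (upper, lower, digit and special required).
GLOBAL_POLICY = {"minlength": 5, "minclasses": 0}
ADMINS_POLICY = {"minlength": 12, "minclasses": 3}

if __name__ == "__main__":
    for pw in ("tulip7", "Tulip7-garden", "correct horse"):
        for name, policy in (("global", GLOBAL_POLICY), ("admins", ADMINS_POLICY)):
            result = check_policy(pw, **policy)
            print(f"{pw!r:16} {name:7} -> {'accepted' if not result else result}")
```

Note that neither knob performs a dictionary check; that is what the client-side pam_pwquality.so adds on top, which is why 'passwd' and 'ipa passwd' can disagree on the same password.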
Re: [Freeipa-users] Force IPA to accept password?
On 09/27/2013 11:14 AM, Sumit Bose wrote:
> On Fri, Sep 27, 2013 at 10:27:30AM +0200, Martin Kosek wrote:
> > On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> > > -----Original Message-----
> > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
> > > Sent: 26 September 2013 17:36
> > > To: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] Force IPA to accept password?
> > >
> > > ...
> > >
> > > > Which command did you use to change the password? 'passwd' or 'ipa passwd'?
> > > >
> > > > If you use 'passwd' the PAM stack on the client for the passwd command comes into play which typically has some modules like pam_pwquality.so listed which do checks including dictionary checks. If you use 'ipa passwd' the password should be only validated against the server-side password policy Martin mentioned above.
> > >
> > > Sumit, yes - I used 'passwd'. I'll look into using 'ipa passwd' in about 3 months time :-)
> >
> > Eh, ok :-)
> >
> > BTW, you could also use standard kpasswd, it should also avoid modules like pam_pwquality.so and only use the server policy.
>
> Martin,
>
> pam_pwquality has an option called 'local_users_only'. According to bz849072 it should be set by default since F18 but it looks like it is not set in F19. Should we open a ticket to investigate it?
>
> bye,
> Sumit

Hmm, you are right. I found the original bug:
https://bugzilla.redhat.com/show_bug.cgi?id=849072

... and filed a new bug for Fedora 19 so that this can be fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=1012854

Martin
Re: [Freeipa-users] Force IPA to accept password?
On 09/26/2013 01:05 PM, Innes, Duncan wrote:
> Hi,
>
> Can I force IPA to accept a new password that I have chosen?

What password do you have in mind? A password of an IPA user?

> Today I've had to change my password in 2x AD domains and other places according to policy. I've done this. But coming to IPA, I find that I've chosen a BAD PASSWORD.
>
> Without getting into the merits of the AD password policy and the security of the password I've chosen, can I force IPA to accept my new password at all?

Well, without getting into security of the approach, you could change the global password policy or group password policy so that the new password is accepted:

$ ipa pwpolicy-mod --minlength=5

or

$ ipa pwpolicy-add usergroup --minlength=5

... to fix whatever failing password policy attribute.

HTH,
Martin
Re: [Freeipa-users] Force IPA to accept password?
Here's what I had to do: http://www.freeipa.org/page/PasswordSynchronization

On Thu, Sep 26, 2013 at 10:35 AM, KodaK <sako...@gmail.com> wrote:
> As far as I can tell, password policy is enforced on the client side, not the directory side. I set up a self-service password reset utility which enforces its own rules and bypasses the IPA password policies. I used this one: http://ltb-project.org/wiki/
>
> I created a user that had the ability to create passwords, but IIRC there was some setting I had to change so that the passwords created didn't require a change. I'm pretty sure someone in this list told me how, so I'll search and see if I can find it.
>
> --Jason
>
> On Thu, Sep 26, 2013 at 8:58 AM, Innes, Duncan <duncan.in...@virginmoney.com> wrote:
> > Sorry,
> >
> > -----Original Message-----
> > From: Martin Kosek [mailto:mko...@redhat.com]
> > Sent: 26 September 2013 14:29
> > To: Innes, Duncan
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Force IPA to accept password?
> >
> > > On 09/26/2013 01:05 PM, Innes, Duncan wrote:
> > > > Hi,
> > > >
> > > > Can I force IPA to accept a new password that I have chosen?
> > >
> > > What password do you have in mind? A password of an IPA user?
> >
> > Yes - for my authentication when SSHing onto a Linux box.
> >
> > > > Today I've had to change my password in 2x AD domains and other places according to policy. I've done this. But coming to IPA, I find that I've chosen a BAD PASSWORD.
> > > >
> > > > Without getting into the merits of the AD password policy and the security of the password I've chosen, can I force IPA to accept my new password at all?
> > >
> > > Well, without getting into security of the approach, you could change the global password policy or group password policy so that the new password is accepted:
> > >
> > > $ ipa pwpolicy-mod --minlength=5
> > >
> > > or
> > >
> > > $ ipa pwpolicy-add usergroup --minlength=5
> > >
> > > ... to fix whatever failing password policy attribute.
> >
> > The error comes from a dictionary check I think. AD does as well as far as I know, but would appear to have a smaller dictionary or looser rules.
> >
> > Kind of what I expected/feared though. I don't want to change the IPA policy at all, just override its objection. For now, I went the long route and changed my IPA password first, then changed the other passwords to match what IPA was happy with.
> >
> > > HTH,
> > > Martin
> >
> > Cheers thanks for your help
> >
> > Duncan
>
> --
> The government is going to read our mail anyway, might as well make it tough for them.
> GPG Public key ID: B6A1A7C6

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] Force IPA to accept password?
On Thu, Sep 26, 2013 at 02:58:43PM +0100, Innes, Duncan wrote:
> Sorry,
>
> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: 26 September 2013 14:29
> To: Innes, Duncan
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Force IPA to accept password?
>
> > On 09/26/2013 01:05 PM, Innes, Duncan wrote:
> > > Hi,
> > >
> > > Can I force IPA to accept a new password that I have chosen?
> >
> > What password do you have in mind? A password of an IPA user?
>
> Yes - for my authentication when SSHing onto a Linux box.
>
> > > Today I've had to change my password in 2x AD domains and other places according to policy. I've done this. But coming to IPA, I find that I've chosen a BAD PASSWORD.
> > >
> > > Without getting into the merits of the AD password policy and the security of the password I've chosen, can I force IPA to accept my new password at all?
> >
> > Well, without getting into security of the approach, you could change the global password policy or group password policy so that the new password is accepted:
> >
> > $ ipa pwpolicy-mod --minlength=5
> >
> > or
> >
> > $ ipa pwpolicy-add usergroup --minlength=5
> >
> > ... to fix whatever failing password policy attribute.
>
> The error comes from a dictionary check I think. AD does as well as far as I know, but would appear to have a smaller dictionary or looser rules.
>
> Kind of what I expected/feared though. I don't want to change the IPA policy at all, just override its objection. For now, I went the long route and changed my IPA password first, then changed the other passwords to match what IPA was happy with.

Which command did you use to change the password? 'passwd' or 'ipa passwd'?

If you use 'passwd' the PAM stack on the client for the passwd command comes into play which typically has some modules like pam_pwquality.so listed which do checks including dictionary checks. If you use 'ipa passwd' the password should be only validated against the server-side password policy Martin mentioned above.

HTH

bye,
Sumit

> > HTH,
> > Martin
>
> Cheers thanks for your help
>
> Duncan