Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Tim Hildred
Sep 20 13:24:17 dns1 sshd[12317]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:24:17 dns1 sshd[12314]: pam_unix(sshd:session): session closed for user timbo
Sep 20 13:25:02 dns1 sshd[12279]: Received signal 15; terminating.
Sep 20 13:25:02 dns1 sshd[12360]: Server listening on 0.0.0.0 port 22.
Sep 20 13:25:02 dns1 sshd[12360]: Server listening on :: port 22.
Sep 20 13:25:25 dns1 sshd[12362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:25:26 dns1 sshd[12362]: Accepted password for timbo from 10.64.0.171 port 55426 ssh2
Sep 20 13:25:26 dns1 sshd[12362]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:25:26 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:25:28 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:25:31 dns1 sshd[12366]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:25:31 dns1 sshd[12362]: pam_unix(sshd:session): session closed for user timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:25:58 dns1 sshd[12371]: Accepted password for timbo from 10.64.0.171 port 55429 ssh2
Sep 20 13:25:58 dns1 sshd[12371]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:25:58 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:26:01 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:26:04 dns1 sshd[12374]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:26:04 dns1 sshd[12371]: pam_unix(sshd:session): session closed for user timbo

Any ideas?


Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -
> From: "Petr Spacek" 
> To: freeipa-users@redhat.com
> Sent: Wednesday, September 19, 2012 9:56:21 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
> 
> On 09/19/2012 01:32 PM, Dmitri Pal wrote:
> > On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> >> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> >>> So, commenting out:
> >>> password    requisite     pam_cracklib.so try_first_pass retry=3
> >>> type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> >>>
> >>> Caused users updating their passwords using ssh to get:
> >>>
> >>> [ykatabam@ykatabam ~]$ ssh
> >>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
> >>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> >>> Permission denied, please try again.
> >>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> >>> Password expired. Change your password no
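The secure-log excerpt in this message can be triaged mechanically: a pam_unix(passwd:chauthtok) line saying the user does not exist in /etc/passwd is expected for a directory user (the local stack has nothing to change), while a pam_sss(passwd:chauthtok) failure carrying a "Server message" was rejected by the IPA server, which is where Dmitri's krb5kdc.log suggestion points. The following script is an added example, not part of the thread and not SSSD or FreeIPA code; the regular expressions are my own assumptions about the syslog format shown above, and the sample input is a constructed subset of the lines Tim posted for user timbo.

```python
import re
from collections import defaultdict

# Syslog-style line as written by sshd/passwd through PAM on the thread's host.
# These patterns are my own (assumption: the rsyslog format seen in the excerpt).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\((?P<service>\w+):(?P<type>\w+)\): (?P<detail>.*)$")
USER_RE = re.compile(r'user "(?P<q>[^"]+)"|for user (?P<u>\w+)|\buser=(?P<eq>\w+)')

# Constructed sample: a subset of the lines posted above for user timbo.
SAMPLE_LINES = [
    'Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo',
    'Sep 20 13:25:26 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd',
    'Sep 20 13:25:28 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd',
    'Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]',
    'Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed',
    'Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)',
]


def parse_line(line):
    """Split a secure-log line into timestamp, host, program and PAM fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pam = PAM_RE.match(rec["msg"])
    rec.update(pam.groupdict() if pam else
               {"module": None, "service": None, "type": None, "detail": rec["msg"]})
    um = USER_RE.search(rec["msg"])
    rec["user"] = (um.group("q") or um.group("u") or um.group("eq")) if um else None
    return rec


def classify_chauthtok(rec):
    """Attribute a password-change (chauthtok) event to the local stack or to the server."""
    if rec["type"] != "chauthtok":
        return None
    if rec["module"] == "pam_sss":
        if "Server message:" in rec["detail"] or "Password change failed" in rec["detail"]:
            return "server-reject"   # the IPA server refused the new password
        return "server-info"
    if rec["module"] == "pam_unix" and "does not exist in /etc/passwd" in rec["detail"]:
        return "local-skip"          # normal for a directory user: nothing local to change
    return "local"                   # some other local module (e.g. pam_cracklib) acted


def summarize(lines):
    """Count chauthtok outcomes per user. passwd logs no pid and some of its lines
    name no user, so a missing user is carried over from the previous line of the
    same program on the same host (a heuristic of this example)."""
    per_user = defaultdict(lambda: defaultdict(int))
    last_user = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["prog"])
        if rec["user"]:
            last_user[key] = rec["user"]
        kind = classify_chauthtok(rec)
        if kind:
            per_user[last_user.get(key, "?")][kind] += 1
    return {user: dict(kinds) for user, kinds in per_user.items()}


def verdict(kinds):
    """'server' if the directory rejected the change, 'local' if only the local
    stack failed, otherwise 'none'."""
    if kinds.get("server-reject"):
        return "server"
    if kinds.get("local"):
        return "local"
    return "none"


if __name__ == "__main__":
    for user, kinds in summarize(SAMPLE_LINES).items():
        print(user, kinds, "->", verdict(kinds))
```

Run against a real /var/log/secure with `summarize(open("/var/log/secure"))`; a "server" verdict means the next place to look is the server's policy and krb5kdc.log, a "local" verdict means a module in the client's pam.d password stack rejected the password before SSSD ever sent it.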

Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Petr Spacek

On 09/19/2012 01:32 PM, Dmitri Pal wrote:

On 09/19/2012 02:56 AM, Jakub Hrozek wrote:

On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:

So, commenting out:
password    requisite     pam_cracklib.so try_first_pass retry=3 type= 
dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

Caused users updating their passwords using ssh to get:

[ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Permission denied, please try again.
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Password expired. Change your password now.
Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ykatabam.
Current Password:
Password change failed. Server message: Password change failed
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Is that to say that you need at least 1 password requisite? That instead of 
commenting out the password requisite pam_cracklib.so, I should have replaced 
it with something?

What did /var/log/secure have to say?

The message sounds to me like it's coming from the server..

Please look at the krb5kdc.log on the server.
This is the server side message.
Most likely it did not like the password because it did not meet the policy.
I wonder whether there is a bug in case password policy has 0 for the
required character classes.
Trying different passwords and changing the policy while watching the
log will give you more answers.


BTW if required character classes == 1 there is nothing to enforce, because 
each (non-empty) password has at least one character class.


You can check if there is some difference between 0 and 1.

Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
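Petr's point that a minimum of one character class enforces nothing on a non-empty password can be demonstrated in a few lines. This is an added example, not code from the thread or from FreeIPA: the five classes it counts (upper, lower, digit, punctuation, anything else) are my assumption about how the policy's character classes are defined, and the candidate passwords are constructed, with "C679V375" taken from Tim's first message.

```python
import string


def character_classes(password):
    """Return the set of character classes present in the password.
    Assumed classes: upper, lower, digit, punct, other (not a quotation of the server's code)."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return classes


def meets_min_classes(password, min_classes):
    """True if the password contains at least min_classes distinct classes."""
    return len(character_classes(password)) >= min_classes


def policies_equivalent(candidates, a, b):
    """True if every candidate gets the same verdict under minimum a and minimum b."""
    return all(meets_min_classes(p, a) == meets_min_classes(p, b) for p in candidates)


if __name__ == "__main__":
    sample = ["C679V375", "abc", "x1!", "Pa55w0rd!"]
    print("C679V375 ->", sorted(character_classes("C679V375")))
    print("0 vs 1 equivalent on non-empty passwords:", policies_equivalent(sample, 0, 1))
    print("0 vs 1 equivalent once '' is included:", policies_equivalent(sample + [""], 0, 1))
```

The only input that separates a minimum of 0 from a minimum of 1 is the empty password, which is Petr's "(non-empty)" caveat; "C679V375" has two classes, so a minimum-classes setting alone cannot be what rejected it.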


Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Dmitri Pal
On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
>> So, commenting out: 
>> password    requisite     pam_cracklib.so try_first_pass retry=3 type= 
>> dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
>>
>> Caused users updating their passwords using ssh to get:
>>
>> [ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Permission denied, please try again.
>> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Password expired. Change your password now.
>> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user ykatabam.
>> Current Password:
>> Password change failed. Server message: Password change failed
>> passwd: Authentication token manipulation error
>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>
>> Is that to say that you need at least 1 password requisite? That instead of 
>> commenting out the password requisite pam_cracklib.so, I should have 
>> replaced it with something?
> What did /var/log/secure have to say?
>
> The message sounds to me like it's coming from the server..
Please look at the krb5kdc.log on the server.
This is the server side message.
Most likely it did not like the password because it did not meet the policy.
I wonder whether there is a bug in case password policy has 0 for the
required character classes.
Trying different passwords and changing the policy while watching the
log will give you more answers.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Tim Hildred
Sep 19 11:40:43 dns1 sshd[11197]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 19 11:40:43 dns1 sshd[11197]: Accepted password for ykatabam from 10.64.48.102 port 47713 ssh2
Sep 19 11:40:43 dns1 sshd[11197]: pam_unix(sshd:session): session opened for user ykatabam by (uid=0)
Sep 19 11:40:43 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does not exist in /etc/passwd
Sep 19 11:41:21 dns1 passwd: pam_unix(passwd:chauthtok): user "ykatabam" does not exist in /etc/passwd
Sep 19 11:41:22 dns1 sshd[11201]: Received disconnect from 10.64.48.102: 11: disconnected by user
Sep 19 11:41:22 dns1 sshd[11197]: pam_unix(sshd:session): session closed for user ykatabam
Sep 19 14:40:33 dns1 sshd[3]: Received disconnect from 10.64.15.231: 11: disconnected by user

Looks like you're right Jakub. 

From what I gather:
- the server requires a complex password in that cracklib.so, so it was 
suggested I take that "password requisite cracklib.so" out. 
- with that gone, it looks kind of like IPA doesn't come into the picture?

I uncommented that line, and now it all works again, but I'm back to 
really-stringent-password-requirement-town.

What next?
Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -
> From: "Jakub Hrozek" 
> To: "Tim Hildred" 
> Cc: freeipa-users@redhat.com
> Sent: Wednesday, September 19, 2012 4:56:42 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
> 
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> > So, commenting out:
> > password    requisite     pam_cracklib.so try_first_pass retry=3
> > type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> > 
> > Caused users updating their passwords using ssh to get:
> > 
> > [ykatabam@ykatabam ~]$ ssh
> > ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
> > ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> > Permission denied, please try again.
> > ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> > Password expired. Change your password now.
> > Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user ykatabam.
> > Current Password:
> > Password change failed. Server message: Password change failed
> > passwd: Authentication token manipulation error
> > Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> > 
> > Is that to say that you need at least 1 password requisite? That
> > instead of commenting out the password requisite pam_cracklib.so,
> > I should have replaced it with something?
> 
> What did /var/log/secure have to say?
> 
> The message sounds to me like it's coming from the server..
> 



Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> So, commenting out: 
> password    requisite     pam_cracklib.so try_first_pass retry=3 type= 
> dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> 
> Caused users updating their passwords using ssh to get:
> 
> [ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> Permission denied, please try again.
> ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> Password expired. Change your password now.
> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user ykatabam.
> Current Password:
> Password change failed. Server message: Password change failed
> passwd: Authentication token manipulation error
> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> 
> Is that to say that you need at least 1 password requisite? That instead of 
> commenting out the password requisite pam_cracklib.so, I should have replaced 
> it with something?

What did /var/log/secure have to say?

The message sounds to me like it's coming from the server..



Re: [Freeipa-users] Password requirements too stringent

2012-09-18 Thread Tim Hildred
So, commenting out: 
password    requisite     pam_cracklib.so try_first_pass retry=3 type= 
dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

Caused users updating their passwords using ssh to get:

[ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Permission denied, please try again.
ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
Password expired. Change your password now.
Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ykatabam.
Current Password:
Password change failed. Server message: Password change failed
passwd: Authentication token manipulation error
Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.

Is that to say that you need at least 1 password requisite? That instead of 
commenting out the password requisite pam_cracklib.so, I should have replaced 
it with something?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -
> From: "Jakub Hrozek" 
> To: freeipa-users@redhat.com
> Sent: Tuesday, September 18, 2012 5:29:12 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
> 
> On Tue, Sep 18, 2012 at 02:57:49AM +, JR Aquino wrote:
> > 
> > On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:
> > 
> > > JR
> > > 
> > > I had that line. I commented it out. Thank you.
> > > 
> > > Now, what do I have to restart?
> > 
> > I believe it should take effect in real time, but you may need to
> > test to be sure.  If it is still happening, you may need to double
> > check that some other pam cfg doesn't also have it present: $ cd
> > /etc/pam.d/ && grep pam_cracklib *
> > 
> > If you have removed it from everything and it is still giving you
> > the same error, then I would try a reboot... perhaps getty needs
> > to reinitialize or something.  But I'd try those steps before a
> > reboot!
> > 
> > ;)
> > 
> 
> Some services, notably the sshd, must be restarted in order to
> re-read
> the PAM config.
> 



Re: [Freeipa-users] Password requirements too stringent

2012-09-18 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 02:57:49AM +, JR Aquino wrote:
> 
> On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:
> 
> > JR
> > 
> > I had that line. I commented it out. Thank you.
> > 
> > Now, what do I have to restart?
> 
> I believe it should take effect in real time, but you may need to test to be 
> sure.  If it is still happening, you may need to double check that some other 
> pam cfg doesn't also have it present: $ cd /etc/pam.d/ && grep pam_cracklib *
> 
> If you have removed it from everything and it is still giving you the same 
> error, then I would try a reboot... perhaps getty needs to reinitialize or 
> something.  But I'd try those steps before a reboot!
> 
> ;)
> 

Some services, notably the sshd, must be restarted in order to re-read
the PAM config.



Re: [Freeipa-users] Password requirements too stringent

2012-09-17 Thread JR Aquino

On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:

> JR
> 
> I had that line. I commented it out. Thank you.
> 
> Now, what do I have to restart?

I believe it should take effect in real time, but you may need to test to be 
sure.  If it is still happening, you may need to double check that some other 
pam cfg doesn't also have it present: $ cd /etc/pam.d/ && grep pam_cracklib *

If you have removed it from everything and it is still giving you the same 
error, then I would try a reboot... perhaps getty needs to reinitialize or 
something.  But I'd try those steps before a reboot!

;)

> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
> 
> - Original Message -
>> From: "JR Aquino" 
>> To: "Tim Hildred" 
>> Cc: "freeipa-users" 
>> Sent: Tuesday, September 18, 2012 12:37:48 PM
>> Subject: Re: [Freeipa-users] Password requirements too stringent
>> 
>> Tim, please check your /etc/pam.d/system-auth with the password
>> block.  If you see password    requisite     pam_cracklib.so, then
>> this is why you are having a problem.
>> 
>> $ man pam_cracklib
>> 
>> It is a local security library for enforcing strong password
>> practices from the unix cli.
>> 
>> ProTip:
>> If you don't need this, you can remove it from pam
>> If you want to work around this, set your password from the IPA webui
>> or via the cli: "ipa passwd username"
>> 
>> Hope this info helps!
>> 
>> "Keeping your head in the cloud"
>> ~
>> JR Aquino
>> 
>> Senior Information Security Specialist, Technical Operations
>> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
>> GIAC Certified Incident Handler | GIAC WebApplication Penetration
>> Tester
>> jr.aqu...@citrix.com<mailto:jr.aqu...@citrix.com>
>> 
>> 
>> 
>> Powering mobile workstyles and cloud services
>> 
>> 
>> 
>> 
>> 
>> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
>> 
>> Hey all;
>> 
>> I'm running IPA internally to control access to our cloud
>> environment.
>> 
>> I must admit, I do not understand the password requirements. I have
>> had them set to the defaults. I read this:
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
>> 
>> I have the minimum character classes set to 0. When people use SSH to
>> change their passwords, they get "Based on a dictionary word" for
>> passwords that have nothing to do with dictionary words.
>> 
>> I can't find anywhere in the documentation a break down of what makes
>> an unacceptable versus acceptable password.
>> 
>> Can anyone help me figure out what to tell my users? I think people
>> would get a lot less frustrated if they knew why "C679V375" was "too
>> simple" when the password policy has 0 required classes.
>> 
>> Tim Hildred, RHCE
>> Content Author II - Engineering Content Services, Red Hat, Inc.
>> Brisbane, Australia
>> Email: thild...@redhat.com
>> Internal: 8588287
>> Mobile: +61 4 666 25242
>> IRC: thildred
>> 
>> ps: funny exchange with user:
>> Jul 12 14:12:33  i feel like im being punked
>> Jul 12 14:12:40  it is based on a dictionary word
>> Jul 12 14:12:43  it is too short
>> Jul 12 14:12:49  is does not have enough unique letters
>> Jul 12 14:12:51  etc
>> 




Re: [Freeipa-users] Password requirements too stringent

2012-09-17 Thread Tim Hildred
JR

I had that line. I commented it out. Thank you.

Now, what do I have to restart?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

- Original Message -
> From: "JR Aquino" 
> To: "Tim Hildred" 
> Cc: "freeipa-users" 
> Sent: Tuesday, September 18, 2012 12:37:48 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
> 
> Tim, please check your /etc/pam.d/system-auth with the password
> block.  If you see password    requisite     pam_cracklib.so, then
> this is why you are having a problem.
> 
> $ man pam_cracklib
> 
> It is a local security library for enforcing strong password
> practices from the unix cli.
> 
> ProTip:
> If you don't need this, you can remove it from pam
> If you want to work around this, set your password from the IPA webui
> or via the cli: "ipa passwd username"
> 
> Hope this info helps!
> 
> "Keeping your head in the cloud"
> ~
> JR Aquino
> 
> Senior Information Security Specialist, Technical Operations
> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
> GIAC Certified Incident Handler | GIAC WebApplication Penetration
> Tester
> jr.aqu...@citrix.com<mailto:jr.aqu...@citrix.com>
> 
> 
> 
> Powering mobile workstyles and cloud services
> 
> 
> 
> 
> 
> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
> 
> Hey all;
> 
> I'm running IPA internally to control access to our cloud
> environment.
> 
> I must admit, I do not understand the password requirements. I have
> had them set to the defaults. I read this:
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
> 
> I have the minimum character classes set to 0. When people use SSH to
> change their passwords, they get "Based on a dictionary word" for
> passwords that have nothing to do with dictionary words.
> 
> I can't find anywhere in the documentation a break down of what makes
> an unacceptable versus acceptable password.
> 
> Can anyone help me figure out what to tell my users? I think people
> would get a lot less frustrated if they knew why "C679V375" was "too
> simple" when the password policy has 0 required classes.
> 
> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
> 
> ps: funny exchange with user:
> Jul 12 14:12:33  i feel like im being punked
> Jul 12 14:12:40  it is based on a dictionary word
> Jul 12 14:12:43  it is too short
> Jul 12 14:12:49  is does not have enough unique letters
> Jul 12 14:12:51  etc
> 

Re: [Freeipa-users] Password requirements too stringent

2012-09-17 Thread JR Aquino
Tim, please check your /etc/pam.d/system-auth with the password block.  If you 
see password    requisite     pam_cracklib.so, then this is why you are having 
a problem.

$ man pam_cracklib

It is a local security library for enforcing strong password practices from the 
unix cli.

ProTip:
If you don't need this, you can remove it from pam
If you want to work around this, set your password from the IPA webui or via 
the cli: "ipa passwd username"

Hope this info helps!

"Keeping your head in the cloud"
~
JR Aquino

Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Incident Handler | GIAC WebApplication Penetration Tester
jr.aqu...@citrix.com



Powering mobile workstyles and cloud services





On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:

Hey all;

I'm running IPA internally to control access to our cloud environment.

I must admit, I do not understand the password requirements. I have had them 
set to the defaults. I read this:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change 
their passwords, they get "Based on a dictionary word" for passwords that have 
nothing to do with dictionary words.

I can't find anywhere in the documentation a break down of what makes an 
unacceptable versus acceptable password.

Can anyone help me figure out what to tell my users? I think people would get a 
lot less frustrated if they knew why "C679V375" was "too simple" when the 
password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

ps: funny exchange with user:
Jul 12 14:12:33  i feel like im being punked
Jul 12 14:12:40  it is based on a dictionary word
Jul 12 14:12:43  it is too short
Jul 12 14:12:49  is does not have enough unique letters
Jul 12 14:12:51  etc


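JR's advice to grep /etc/pam.d for pam_cracklib, and Tim's question about what makes a password unacceptable, can both be answered from the PAM configuration itself. The script below is an added example, not part of the thread and not pam_cracklib's own code: it parses pam.d files, reports every pam_cracklib.so entry in the password stack, turns its options into the minimums they impose (a negative dcredit/ucredit/lcredit/ocredit is pam_cracklib's documented way of requiring at least that many characters of the class; the defaults of 1 for each credit and 9 for minlen are from its manual page), and checks a candidate against them. The sample pam.d directory is constructed in a temporary directory and contains the exact line from Tim's message; the length check is simplified and is only exact when, as in that line, no credit is positive.

```python
import tempfile
from pathlib import Path

PAM_TYPES = {"auth", "account", "password", "session"}

# Constructed sample pam.d directory (not copied from any real host). system-auth
# carries the pam_cracklib line from the thread; password-auth has no pam_cracklib.
SAMPLE_FILES = {
    "system-auth": (
        "#%PAM-1.0\n"
        "auth        required      pam_env.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        sufficient    pam_sss.so use_first_pass\n"
        "auth        required      pam_deny.so\n"
        "password    requisite     pam_cracklib.so try_first_pass retry=3 type= "
        "dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8\n"
        "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\n"
        "password    sufficient    pam_sss.so use_authtok\n"
        "password    required      pam_deny.so\n"
    ),
    "password-auth": (
        "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\n"
        "password    sufficient    pam_sss.so use_authtok\n"
        "password    required      pam_deny.so\n"
    ),
}


def parse_pam_line(line):
    """Parse one pam.d line into (type, control, module, args); None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    mtype = fields[0].lstrip("-")          # a leading '-' marks a module that may be missing
    if mtype not in PAM_TYPES or len(fields) < 3:
        return None
    if fields[1].startswith("["):          # bracketed control, e.g. [success=1 default=ignore]
        end = next(i for i, f in enumerate(fields) if f.endswith("]"))
        control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
    else:
        control, rest = fields[1], fields[2:]
    return mtype, control, rest[0], rest[1:]


def cracklib_requirements(args):
    """Translate pam_cracklib options into the minimums they impose.
    A negative credit means 'at least that many of this class'; zero or positive means no minimum."""
    opts = dict(a.partition("=")[::2] for a in args)

    def minimum(name):
        value = int(opts.get(name, "1"))   # pam_cracklib's default credit is 1
        return -value if value < 0 else 0

    return {"minlen": int(opts.get("minlen", "9")),   # pam_cracklib's default minlen is 9
            "digit": minimum("dcredit"), "upper": minimum("ucredit"),
            "lower": minimum("lcredit"), "other": minimum("ocredit")}


def find_cracklib(pam_dir):
    """List every pam_cracklib.so entry in the password stack of every file under pam_dir."""
    hits = []
    for path in sorted(Path(pam_dir).iterdir()):
        if not path.is_file():
            continue
        for lineno, raw in enumerate(path.read_text().splitlines(), 1):
            parsed = parse_pam_line(raw)
            if parsed and parsed[0] == "password" and parsed[2] == "pam_cracklib.so":
                hits.append({"file": path.name, "line": lineno, "control": parsed[1],
                             "requirements": cracklib_requirements(parsed[3])})
    return hits


def check_password(password, reqs):
    """Return the requirement names the candidate fails (empty list = passes these checks).
    Simplified: raw length only, which is exact when no credit is positive."""
    counts = {"digit": sum(c.isdigit() for c in password),
              "upper": sum(c.isupper() for c in password),
              "lower": sum(c.islower() for c in password),
              "other": sum(not c.isalnum() for c in password)}
    failures = [cls for cls in ("digit", "upper", "lower", "other") if counts[cls] < reqs[cls]]
    if len(password) < reqs["minlen"]:
        failures.append("minlen")
    return failures


def build_sample_pam_dir():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    d = Path(tempfile.mkdtemp(prefix="pamd-"))
    for name, text in SAMPLE_FILES.items():
        (d / name).write_text(text)
    return d


if __name__ == "__main__":
    for hit in find_cracklib(build_sample_pam_dir()):
        print(hit["file"], hit["line"], hit["control"], hit["requirements"])
        print("C679V375 fails:", check_password("C679V375", hit["requirements"]))
```

Point `find_cracklib("/etc/pam.d")` at a real host to get the same report JR's grep gives, plus the decoded minimums. Under the thread's line, "C679V375" satisfies the digit, uppercase and length minimums but has no non-alphanumeric character, which `ocredit=-1` demands; the dictionary-word test is a separate pam_cracklib check that this example does not model.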

Re: [Freeipa-users] Password requirements too stringent

2012-09-17 Thread Steven Jones
Maybe it's the local system having requirements and not IPA?

In my secure logs I see pam is querying first locally and then the sss 
daemon... maybe it's failing you on the default rh setup of the OS?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Tim Hildred [thild...@redhat.com]
Sent: Tuesday, 18 September 2012 1:25 p.m.
To: freeipa-users
Subject: [Freeipa-users] Password requirements too stringent

Hey all;

I'm running IPA internally to control access to our cloud environment.

I must admit, I do not understand the password requirements. I have had them 
set to the defaults. I read this:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change 
their passwords, they get "Based on a dictionary word" for passwords that have 
nothing to do with dictionary words.

I can't find anywhere in the documentation a break down of what makes an 
unacceptable versus acceptable password.

Can anyone help me figure out what to tell my users? I think people would get a 
lot less frustrated if they knew why "C679V375" was "too simple" when the 
password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

ps: funny exchange with user:
Jul 12 14:12:33  i feel like im being punked
Jul 12 14:12:40  it is based on a dictionary word
Jul 12 14:12:43  it is too short
Jul 12 14:12:49  is does not have enough unique letters
Jul 12 14:12:51  etc






[Freeipa-users] Password requirements too stringent

2012-09-17 Thread Tim Hildred
Hey all;

I'm running IPA internally to control access to our cloud environment. 

I must admit, I do not understand the password requirements. I have had them 
set to the defaults. I read this:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change 
their passwords, they get "Based on a dictionary word" for passwords that have 
nothing to do with dictionary words. 

I can't find anywhere in the documentation a break down of what makes an 
unacceptable versus acceptable password. 

Can anyone help me figure out what to tell my users? I think people would get a 
lot less frustrated if they knew why "C679V375" was "too simple" when the 
password policy has 0 required classes. 

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

ps: funny exchange with user:
Jul 12 14:12:33  i feel like im being punked
Jul 12 14:12:40  it is based on a dictionary word
Jul 12 14:12:43  it is too short
Jul 12 14:12:49  is does not have enough unique letters
Jul 12 14:12:51  etc
