[Freeipa-users] Password requirements too stringent

JR Aquino JR.Aquino at citrix.com
Tue Sep 18 02:57:49 UTC 2012


On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:

> JR
> 
> I had that line. I commented it out. Thank you.
> 
> Now, what do I have to restart?

I believe it should take effect in real time, but you may need to test to be sure.  If it is still happening, you may need to double check that some other pam cfg doesn't also have it present: $ cd /etc/pam.d/ && grep pam_cracklib *

If you have removed it from everything and it is still giving you the same error, then I would try a reboot... perhaps getty needs to reinitialize or something.  But I'd try those steps before a reboot!

;)

> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thildred at redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
> 
> ----- Original Message -----
>> From: "JR Aquino" <JR.Aquino at citrix.com>
>> To: "Tim Hildred" <thildred at redhat.com>
>> Cc: "freeipa-users" <freeipa-users at redhat.com>
>> Sent: Tuesday, September 18, 2012 12:37:48 PM
>> Subject: Re: [Freeipa-users] Password requirements too stringent
>> 
>> Tim, please check your /etc/pam.d/system-auth with the password
>> block.  If you see password    requisite     pam_cracklib.so, then
>> this is why you are having a problem.
>> 
>> $ man pam_cracklib
>> 
>> It is a local security library for enforcing strong password
>> practices from the unix cli.
>> 
>> ProTip:
>> If you don't need this, you can remove it from pam
>> If you want to work around this, set your password from the IPA webui
>> or via the cli: "ipa passwd username"
>> 
>> Hope this info helps!
>> 
>> "Keeping your head in the cloud"
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> JR Aquino
>> 
>> Senior Information Security Specialist, Technical Operations
>> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
>> GIAC Certified Incident Handler | GIAC WebApplication Penetration
>> Tester
>> JR.Aquino at citrix.com
>> 
>> Powering mobile workstyles and cloud services
>> 
>> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
>> 
>> Hey all;
>> 
>> I'm running IPA internally to control access to our cloud
>> environment.
>> 
>> I must admit, I do not understand the password requirements. I have
>> had them set to the defaults. I read this:
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
>> 
>> I have the minimum character classes set to 0. When people use SSH to
>> change their passwords, they get "Based on a dictionary word" for
>> passwords that have nothing to do with dictionary words.
>> 
>> I can't find anywhere in the documentation a break down of what makes
>> an unacceptable versus acceptable password.
>> 
>> Can anyone help me figure out what to tell my users? I think people
>> would get a lot less frustrated if they knew why "C679V375" was "too
>> simple" when the password policy has 0 required classes.
>> 
>> Tim Hildred, RHCE
>> Content Author II - Engineering Content Services, Red Hat, Inc.
>> Brisbane, Australia
>> Email: thildred at redhat.com
>> Internal: 8588287
>> Mobile: +61 4 666 25242
>> IRC: thildred
>> 
>> ps: funny exchange with user:
>> Jul 12 14:12:33 <user1> i feel like im being punked
>> Jul 12 14:12:40 <user1> it is based on a dictionary word
>> Jul 12 14:12:43 <user1> it is too short
>> Jul 12 14:12:49 <user1> is does not have enough unique letters
>> Jul 12 14:12:51 <user1> etc
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> 
>> 
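The `grep pam_cracklib *` check suggested in the reply also matches lines that have been commented out. The script below is an added example, not part of the original thread: it reports only active `password` stack entries that load `pam_cracklib.so`, with the file, line number, control flag and options. The function names `find_cracklib` and `make_sample` are hypothetical, and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list active (uncommented) pam_cracklib entries in the
# password stack of every file in a PAM config directory.

find_cracklib() {
    dir="${1:-/etc/pam.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            /^[ \t]*#/ { next }                  # commented-out line
            /^[ \t]*$/ { next }                  # blank line
            {
                type = $1; sub(/^-/, "", type)   # "-password" is the silent form
                if (type != "password") next
                # control is one word or a bracketed [value=action ...] group
                i = 2; control = $2
                if ($2 ~ /^\[/)
                    while ($i !~ /\]$/ && i < NF) { i++; control = control " " $i }
                if ($(i + 1) !~ /pam_cracklib\.so$/) next
                opts = ""
                for (j = i + 2; j <= NF; j++) opts = opts (opts ? " " : "") $j
                printf "%s:%d control=%s options=%s\n", file, NR, control, (opts ? opts : "(none)")
            }
        ' "$f"
    done
}

# Constructed sample directory (not taken from the thread): one file with the
# module commented out, one where it is still active.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' \
        'auth        required      pam_env.so' \
        '#password    requisite     pam_cracklib.so try_first_pass retry=3' \
        'password    sufficient    pam_unix.so sha512 shadow use_authtok' > "$d/system-auth"
    printf '%s\n' \
        'password    requisite     pam_cracklib.so try_first_pass retry=3 type=' \
        'password    sufficient    pam_sss.so use_authtok' > "$d/password-auth"
    echo "$d"
}

# Stand-alone use: sh script.sh /etc/pam.d
if [ "$#" -gt 0 ]; then find_cracklib "$1"; fi
```

An empty result means no file in the directory still applies the local cracklib check during a password change.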