[Freeipa-users] Password requirements too stringent

Dmitri Pal dpal at redhat.com
Wed Sep 19 11:32:59 UTC 2012


On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
>> So, commenting out: 
>> password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
>>
>> Caused users updating their passwords using ssh to get:
>>
>> [ykatabam@ykatabam ~]$ ssh ykatabam@dns1.ecs-cloud.lab.eng.bne.redhat.com
>> ykatabam@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Permission denied, please try again.
>> ykatabam@dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>> Password expired. Change your password now.
>> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user ykatabam.
>> Current Password:
>> Password change failed. Server message: Password change failed
>> passwd: Authentication token manipulation error
>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>
>> Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something?
> What did /var/log/secure have to say?
>
> The message sounds to me like it's coming from the server.
Please look at the krb5kdc.log on the server.
This is the server side message.
Most likely it did not like the password because it did not meet the policy.
I wonder whether there is a bug in case password policy has 0 for the
required character classes.
Trying different passwords and changing the policy while watching the
log will give you more answers.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

