[Freeipa-users] Password requirements too stringent

Petr Spacek pspacek at redhat.com
Wed Sep 19 11:56:21 UTC 2012


On 09/19/2012 01:32 PM, Dmitri Pal wrote:
> On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
>> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
>>> So, commenting out:
>>> password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
>>>
>>> Caused users updating their passwords using ssh to get:
>>>
>>> [ykatabam at ykatabam ~]$ ssh ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com
>>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>>> Permission denied, please try again.
>>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
>>> Password expired. Change your password now.
>>> Last login: Fri Sep 14 10:20:49 2012 from vpn1-48-53.bne.redhat.com
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user ykatabam.
>>> Current Password:
>>> Password change failed. Server message: Password change failed
>>> passwd: Authentication token manipulation error
>>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
>>>
>>> Is that to say that you need at least 1 password requisite? That instead of commenting out the password requisite pam_cracklib.so, I should have replaced it with something?
>> What did /var/log/secure have to say?
>>
>> The message sounds to me like it's coming from the server..
> Please look at the krb5kdc.log on the server.
> This is the server side message.
> Most likely it did not like the password because it did not meet the policy.
> I wonder whether there is a bug in case password policy has 0 for the
> required character classes.
> Trying different passwords and changing the policy while watching the
> log will give you more answers.

BTW if required character classes == 1 there is nothing to enforce, because 
each (non-empty) password has at least one character class.

You can check if there is some difference between 0 and 1.

Petr^2 Spacek



