[Freeipa-users] Password requirements too stringent

Tim Hildred thildred at redhat.com
Thu Sep 20 03:52:48 UTC 2012


Hey, sorry, I'm a little confused about all the pieces. 

I want to let my users reset expired password using ssh. I would really like them to be able to use the same password every time, and not worry if that password is "icecream". 

From what I can tell, sshd_config turns the authentication over to PAM, which uses sssd(?) to get information from IPA.

Is it true this line in /etc/pam.d/password-auth was enforcing the stringent requirements, and not IPA? 
password    requisite     pam_cracklib.so

I've noticed that if I comment out that line, authentication fails because none of my IPA users are in /etc/passwd. The configuration also gets reset to the default when I restart sssd.

Can anyone give me a suggestion that will:
- allow my users to use any password they want, with the least possible restrictions, 
- reset expired passwords with SSH?

Here is a selection from krb5kdc.log (followed by the corresponding section of /var/log/secure):

Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Password has expired
Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:22:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111377, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 20 13:23:03 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: PREAUTH_FAILED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Decrypt integrity check failed
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Password has expired
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111435, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:23:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:23:57 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111437, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for ldap/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: host/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111526, etypes {rep=18 tkt=18 ses=18}, host/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111526, etypes {rep=18 tkt=18 ses=18}, host/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for ldap/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Password has expired
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:26 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111526, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111528, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:28 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111528, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:29 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:29 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111529, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:29 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111529, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for ldap/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:25:58 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Password has expired
Sep 20 13:25:58 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:25:58 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111558, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, etypes {rep=18 tkt=18 ses=18}, timbo at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: NEEDED_PREAUTH: kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Additional pre-authentication required
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
Sep 20 13:26:01 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): TGS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111561, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for ldap/dns1.ecs-cloud.lab.eng.bne.redhat.com at ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM

And here is the corresponding section in /var/log/secure:

Sep 20 13:22:57 dns1 sshd[12308]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:22:57 dns1 sshd[12308]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:22:57 dns1 sshd[12308]: Accepted password for timbo from 10.64.0.171 port 55407 ssh2
Sep 20 13:22:57 dns1 sshd[12308]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:22:57 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:23:03 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Decrypt integrity check failed]
Sep 20 13:23:03 dns1 passwd: pam_sss(passwd:chauthtok): Authentication failed for user timbo: 4 (System error)
Sep 20 13:23:05 dns1 sshd[12311]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:23:05 dns1 sshd[12308]: pam_unix(sshd:session): session closed for user timbo
Sep 20 13:23:55 dns1 sshd[12314]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:23:55 dns1 sshd[12314]: Accepted password for timbo from 10.64.0.171 port 55413 ssh2
Sep 20 13:23:55 dns1 sshd[12314]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:23:55 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:24:14 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:24:17 dns1 sshd[12317]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:24:17 dns1 sshd[12314]: pam_unix(sshd:session): session closed for user timbo
Sep 20 13:25:02 dns1 sshd[12279]: Received signal 15; terminating.
Sep 20 13:25:02 dns1 sshd[12360]: Server listening on 0.0.0.0 port 22.
Sep 20 13:25:02 dns1 sshd[12360]: Server listening on :: port 22.
Sep 20 13:25:25 dns1 sshd[12362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:25:26 dns1 sshd[12362]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:25:26 dns1 sshd[12362]: Accepted password for timbo from 10.64.0.171 port 55426 ssh2
Sep 20 13:25:26 dns1 sshd[12362]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:25:26 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:25:28 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
Sep 20 13:25:29 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:25:31 dns1 sshd[12366]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:25:31 dns1 sshd[12362]: pam_unix(sshd:session): session closed for user timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com  user=timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thildred.bne.redhat.com user=timbo
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:auth): received for user timbo: 12 (Authentication token is no longer valid; new one required)
Sep 20 13:25:58 dns1 sshd[12371]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:25:58 dns1 sshd[12371]: Accepted password for timbo from 10.64.0.171 port 55429 ssh2
Sep 20 13:25:58 dns1 sshd[12371]: pam_unix(sshd:session): session opened for user timbo by (uid=0)
Sep 20 13:25:58 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:26:01 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
Sep 20 13:26:01 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)
Sep 20 13:26:04 dns1 sshd[12374]: Received disconnect from 10.64.0.171: 11: disconnected by user
Sep 20 13:26:04 dns1 sshd[12371]: pam_unix(sshd:session): session closed for user timbo

Any ideas?


Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thildred at redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred
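To tell which side is refusing the new password, as Dmitri's reply suggests, here is an added example (not code from the thread or from FreeIPA) that correlates the two logs above. It takes one attempt from the thread's own /var/log/secure and krb5kdc.log excerpts as input (with "@" restored where the list archive prints " at ") and assumes the stock pam_unix, pam_sss and krb5kdc message formats shown there.

```python
import re

# Lines taken from the thread's own /var/log/secure and krb5kdc.log excerpts
# (the attempt at 13:23:55-13:24:14); "@" restored where the list archive printed " at ".
SECURE_LOG = """\
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:auth): system info: [Password has expired]
Sep 20 13:23:55 dns1 sshd[12314]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Sep 20 13:23:55 dns1 sshd[12314]: Accepted password for timbo from 10.64.0.171 port 55413 ssh2
Sep 20 13:23:55 dns1 passwd: pam_unix(passwd:chauthtok): user "timbo" does not exist in /etc/passwd
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password change failed
Sep 20 13:24:14 dns1 passwd: pam_sss(passwd:chauthtok): Password change failed for user timbo: 20 (Authentication token manipulation error)
"""
KDC_LOG = """\
Sep 20 13:23:55 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: CLIENT KEY EXPIRED: timbo@ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for krbtgt/ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM@ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM, Password has expired
Sep 20 13:24:14 dns1.ecs-cloud.lab.eng.bne.redhat.com krb5kdc[1402](info): AS_REQ (4 etypes {18 17 16 23}) 10.64.15.160: ISSUE: authtime 1348111454, etypes {rep=18 tkt=18 ses=18}, timbo@ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM for kadmin/changepw@ECS-CLOUD.LAB.ENG.BNE.REDHAT.COM
"""

# "<ts> <host> <proc>[pid]: <module>(<service>:<stage>): <message>"
PAM_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<proc>\w+)(?:\[\d+\])?: "
                    r"(?P<module>pam_\w+)\((?P<service>\w+):(?P<stage>\w+)\): (?P<msg>.*)$")
# "krb5kdc[pid](info): <REQ> (...) <ip>: <STATUS>: <rest>"
KDC_RE = re.compile(r"krb5kdc\[\d+\]\(info\): (?P<req>\w+) \(.*?\) \S+: (?P<status>[^:]+): (?P<rest>.*)$")


def parse_pam(text):
    """PAM module lines from /var/log/secure (sshd's own non-PAM lines are skipped)."""
    return [m.groupdict() for m in map(PAM_RE.match, text.splitlines()) if m]


def parse_kdc(text):
    """AS_REQ/TGS_REQ lines from krb5kdc.log, with client and service principals."""
    out = []
    for line in text.splitlines():
        m = KDC_RE.search(line)
        if not m:
            continue
        who = re.search(r"(\S+) for (\S+)", m["rest"])
        out.append({"req": m["req"], "status": m["status"], "client": who[1] if who else "",
                    "server": who[2].rstrip(",") if who else ""})
    return out


def diagnose(secure_text, kdc_text, user):
    """Say whether the change of an expired password failed in the local PAM
    stack (pam_cracklib/pam_pwquality) or on the IPA server (KDC password policy)."""
    pam = parse_pam(secure_text)
    kdc = [k for k in parse_kdc(kdc_text) if k["client"].startswith(user + "@")]
    report = {
        "expired": any("Password has expired" in e["msg"] for e in pam),
        # KDC refused the TGT, then issued a kadmin/changepw ticket: the change reached the server
        "kdc_saw_expiry": any(k["status"] == "CLIENT KEY EXPIRED" for k in kdc),
        "changepw_ticket": any(k["status"] == "ISSUE" and k["server"].startswith("kadmin/changepw") for k in kdc),
        # pam_unix runs before pam_sss and cannot know IPA users; this line is expected noise
        "local_noise": sum(1 for e in pam if e["module"] == "pam_unix" and "/etc/passwd" in e["msg"]),
        "failure_origin": None,
    }
    for e in pam:
        if e["stage"] != "chauthtok":
            continue
        if e["module"] in ("pam_cracklib", "pam_pwquality"):
            report["failure_origin"] = "client-pam"      # rejected before leaving the client
        elif e["module"] == "pam_sss" and "Server message:" in e["msg"]:
            report["failure_origin"] = "server"          # IPA's password policy refused it
    return report


if __name__ == "__main__":
    print(diagnose(SECURE_LOG, KDC_LOG, "timbo"))
```

On the thread's lines the verdict is "server": the client got a kadmin/changepw ticket and pam_sss relayed a server-side rejection, so the pam_cracklib line in password-auth is not what refused the password.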

----- Original Message -----
> From: "Petr Spacek" <pspacek at redhat.com>
> To: freeipa-users at redhat.com
> Sent: Wednesday, September 19, 2012 9:56:21 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
> 
> On 09/19/2012 01:32 PM, Dmitri Pal wrote:
> > On 09/19/2012 02:56 AM, Jakub Hrozek wrote:
> >> On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote:
> >>> So, commenting out:
> >>> password    requisite     pam_cracklib.so try_first_pass retry=3
> >>> type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
> >>>
> >>> Caused users updating their passwords using ssh to get:
> >>>
> >>> [ykatabam at ykatabam ~]$ ssh
> >>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com
> >>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> >>> Permission denied, please try again.
> >>> ykatabam at dns1.ecs-cloud.lab.eng.bne.redhat.com's password:
> >>> Password expired. Change your password now.
> >>> Last login: Fri Sep 14 10:20:49 2012 from
> >>> vpn1-48-53.bne.redhat.com
> >>> WARNING: Your password has expired.
> >>> You must change your password now and login again!
> >>> Changing password for user ykatabam.
> >>> Current Password:
> >>> Password change failed. Server message: Password change failed
> >>> passwd: Authentication token manipulation error
> >>> Connection to dns1.ecs-cloud.lab.eng.bne.redhat.com closed.
> >>>
> >>> Is that to say that you need at least 1 password requisite? That
> >>> instead of commenting out the password requisite
> >>> pam_cracklib.so, I should have replaced it with something?
> >> What did /var/log/secure have to say?
> >>
> >> The message sounds to me like it's coming from the server..
> > Please look at the krb5kdc.log on the server.
> > This is the server side message.
> > Most likely it did not like the password because it did not meet
> > the policy.
> > I wonder whether there is a bug in case password policy has 0 for
> > the
> > required character classes.
> > Trying different passwords and changing the policy while watching
> > the
> > log will give you more answers.
> 
> BTW if required character classes == 1 there is nothing to enforce,
> because
> each (non-empty) password has at least one character class.
> 
> You can check if there is some difference between 0 and 1.
> 
> Petr^2 Spacek
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 