[Freeipa-users] Force IPA to accept password?

Martin Kosek mkosek at redhat.com
Fri Sep 27 09:16:47 UTC 2013


On 09/27/2013 11:03 AM, Innes, Duncan wrote:
>> From: Martin Kosek [mailto:mkosek at redhat.com]
>> Sent: 27 September 2013 09:28
>> To: Innes, Duncan
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Force IPA to accept password?
>>
>> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
>>>
>>>
>>>> From: freeipa-users-bounces at redhat.com
>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Sumit Bose
>>>> Sent: 26 September 2013 17:36
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Force IPA to accept password?
>> ...
>>>> Which command did you use to change the password? 'passwd' or 'ipa
>>>> passwd'?
>>>>
>>>> If you use 'passwd' the PAM stack on the client for the passwd
>>>> command comes into play which typically has some modules like
>>>> pam_pwquality.so listed which do checks including dictionary
>>>> checks.
>>>>
>>>> If you use 'ipa passwd' the password should be only validated
>>>> against the server-side password policy Martin mentioned above.
>>>
>>> Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in
>>> about 3 months time :-)
>>
>> Eh, ok :-) BTW, you could also use standard kpasswd, it should
>> also avoid modules like pam_pwquality.so and only use the
>> server policy.
>>
>> Martin
>>
>
> OK - this is opening my eyes somewhat.  I know about the password policy
> section of IPA, but there doesn't appear to be anywhere to control the
> quality of the password.  Is this done by PAM on the server?  If it's not,
> how do I enforce things like ensuring at least 1 upper case, 1 lower case,
> 1 number and 1 special character?  I don't see that in the docs.

This should help:
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/user-pwdpolicy.html

You can control character classes - if you set that for example to 3, a 
password needs to have at least:
- one number, one lower-case char, one upper-case char
OR
- one number, one special char, one lower-case char.

You can also set a minimum length. These 2 options should provide the settings 
you requested.

Note that the policy is not related to PAM, it is enforced by an LDAP server 
plugin on the FreeIPA server - so it affects all possible password changes - 
like "ldappasswd", "passwd", "kpasswd" and others.

>
> Would like to be able to ensure that the minimum password policy is
> centralised rather than perhaps having an erroneous strict policy on a few
> machines.

+1. You can set that centrally on the server, you can even set different policies 
for different groups. It can just happen that pam_pwquality.so may interfere 
(as we found out) and add its own password quality requirements on top of the 
FreeIPA centralized ones.

Martin
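As an added example (not part of the thread above, nor FreeIPA's own code), the shell script below does two things: a small preflight that counts character classes the way the "minclasses" and "minlength" settings are described in Martin's reply, so you can tell why a candidate password will be rejected before the server does it; and, in a function that is never called automatically, the `ipa pwpolicy-mod` / `ipa pwpolicy-add` commands that set those values centrally, including a stricter per-group policy. The group name "sysadmins", the numeric values and the assumption that the counting rule matches the server exactly are mine; the real check runs in the FreeIPA server plugin and may count classes this script does not (for example non-ASCII characters), so use it as a preflight, not as the authority.

```shell
#!/bin/sh
# Added example for the FreeIPA password policy discussed above.
# The class-counting rule mirrors Martin's description (digit, lower,
# upper, special); exact server behaviour is an assumption here.

# Fixed locale so that [a-z] / [A-Z] ranges behave predictably and
# ${#pw} counts bytes consistently.
export LC_ALL=C

# count_classes PASSWORD -> prints how many of the 4 classes are present
count_classes() {
    pw=$1
    n=0
    case $pw in *[0-9]*)        n=$((n + 1));; esac   # digit
    case $pw in *[a-z]*)        n=$((n + 1));; esac   # lower-case
    case $pw in *[A-Z]*)        n=$((n + 1));; esac   # upper-case
    # "special" here means anything that is not an ASCII letter or digit
    # (assumption: the server plugin may classify non-ASCII differently)
    case $pw in *[!a-zA-Z0-9]*) n=$((n + 1));; esac
    echo "$n"
}

# passes_policy PASSWORD MINLENGTH MINCLASSES -> exit status 0 if accepted
passes_policy() {
    pw=$1
    minlen=$2
    mincls=$3
    [ "${#pw}" -ge "$minlen" ] && [ "$(count_classes "$pw")" -ge "$mincls" ]
}

# apply_ipa_policy: push the same rules to the server. Needs an admin
# Kerberos ticket (kinit admin). "sysadmins" is a hypothetical group name
# and the numbers are chosen for illustration. Not run unless you call it.
apply_ipa_policy() {
    # global policy: 3 of the 4 classes and at least 12 characters
    ipa pwpolicy-mod --minclasses=3 --minlength=12
    # stricter policy for one group; when a user is in several groups the
    # policy with the lowest priority number is the one applied
    ipa pwpolicy-add sysadmins --minclasses=4 --minlength=14 --priority=10
    ipa pwpolicy-show sysadmins
}

# Demo with the two shapes Martin listed (constructed sample passwords):
for candidate in 'Secret123' 'secret#123' 'secret123'; do
    if passes_policy "$candidate" 8 3; then verdict=accepted; else verdict=rejected; fi
    printf '%-12s classes=%s  minlength=8 minclasses=3 -> %s\n' \
        "$candidate" "$(count_classes "$candidate")" "$verdict"
done
```

Running it prints one line per candidate; 'Secret123' (digit + lower + upper) and 'secret#123' (digit + lower + special) both reach three classes, while 'secret123' stops at two and is rejected. Because the server enforces the policy for every change path (ldappasswd, kpasswd, ipa passwd), keep the client-side pam_pwquality settings no stricter than what you set here, or users will see rejections the central policy never asked for.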
