[Freeipa-users] Force IPA to accept password?

Innes, Duncan Duncan.Innes at virginmoney.com
Fri Sep 27 09:33:03 UTC 2013


 

> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com] 
> Sent: 27 September 2013 10:17
> To: Innes, Duncan
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Force IPA to accept password?
> 
> On 09/27/2013 11:03 AM, Innes, Duncan wrote:
> >> From: Martin Kosek [mailto:mkosek at redhat.com]
> >> Sent: 27 September 2013 09:28
> >> To: Innes, Duncan
> >> Cc: freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] Force IPA to accept password?
> >>
> >> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> >>>
> >>>
> >>>> From: freeipa-users-bounces at redhat.com 
> >>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Sumit Bose
> >>>> Sent: 26 September 2013 17:36
> >>>> To: freeipa-users at redhat.com
> >>>> Subject: Re: [Freeipa-users] Force IPA to accept password?
> >> ...
> >>>> Which command did you use to change the password? 'passwd' or 'ipa
> >>>> passwd'?
> >>>>
> >>>> If you use 'passwd' the PAM stack on the client for the passwd 
> >>>> command comes into play which typically has some modules like 
> >>>> pam_pwquality.so listed which do checks including dictionary checks.
> >>>>
> >>>> If you use 'ipa passwd' the password should be only validated 
> >>>> against the server-side password policy Martin mentioned above.
> >>>
> >>> Sumit, yes - I used 'passwd'.  I'll look into using 'ipa passwd' in
> >>> about 3 months time :-)
> >>
> >> Eh, ok :-) BTW, you could also use standard kpasswd, it should also avoid
> >> modules like pam_pwquality.so and only use the server policy.
> >>
> >> Martin
> >>
> >
> > OK - this is opening my eyes somewhat.  I know about the password 
> > policy section of IPA, but there doesn't appear to be anywhere to 
> > control the quality of the password.  Is this done by PAM on the 
> > server?  If it's not, how do I enforce things like ensuring at least
> > 1 upper case, 1 lower case, 1 number and 1 special character?  I
> > don't see that in the docs.
> 
> This should help:
>
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/user-pwdpolicy.html
> 
> You can control character classes - if you set that for
> example to 3, the password needs to have at least:
> - one number, one lower-case char, one upper-case char OR
> - one number, one special char, one lower case char.
> 
> You can also set minimal length. These 2 options should 
> provide the settings you requested.
> 
> Note that the policy is not related to PAM, it is required by
> an LDAP server plugin on FreeIPA server - so that it affects
> all possible password changes - like "ldappasswd", "passwd",
> "kpasswd" and others.
> 
> >
> > Would like to be able to ensure that the minimum password policy is
> > centralised rather than perhaps having an erroneous strict policy on a
> > few machines.
> 
> +1. You can set that centrally on server, you can even set
> different policies for different groups. It can just happen that
> pam_pwquality.so may interfere (as we found out) and add its own
> password quality requirements on top of FreeIPA centralized ones.
> 
> Martin
> 

Brilliant.  Thanks Martin. I either hadn't seen minclasses or had
completely overlooked it.  I'll just have to be careful about my local
password policies I guess.

Duncan
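
An added example, not part of the original thread: a small Python audit that lists the password-quality modules in a client's PAM password stack, i.e. the local checks that stack on top of the centralised FreeIPA policy when 'passwd' is used. The function name, the module set and the sample stack are assumptions constructed for illustration; in practice the input would be the contents of a file under /etc/pam.d/.

```python
import re

# Modules that enforce password quality locally, on top of any server-side policy.
QUALITY_MODULES = {"pam_pwquality.so", "pam_cracklib.so", "pam_passwdqc.so"}

# Line format in /etc/pam.d/*: type control module-path [arguments]
# The control field is one word or a bracketed [value=action ...] list.
PAM_LINE = re.compile(
    r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)

def local_quality_checks(pam_text):
    """Return [(module, control, {option: value})] for quality modules in the password stack."""
    findings = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m or m.group("type") != "password":
            continue                              # only the password-change stack matters here
        module = m.group("module").rsplit("/", 1)[-1]
        if module not in QUALITY_MODULES:
            continue
        opts = {}
        for arg in m.group("args").split():
            key, _, value = arg.partition("=")
            opts[key] = value or True             # bare flags are recorded as True
        findings.append((module, m.group("control"), opts))
    return findings

# Constructed sample resembling the password stack on an enrolled client.
SAMPLE = """\
auth        sufficient    pam_sss.so forward_pass
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=12
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    sufficient    pam_sss.so use_authtok
# password  requisite     pam_cracklib.so minlen=8
password    required      pam_deny.so
"""

if __name__ == "__main__":
    for module, control, opts in local_quality_checks(SAMPLE):
        print(f"{module} ({control}) adds local checks: {opts}")
```

Any module it reports is a place where a client can be stricter than the server policy; options such as minlen or minclass in the output are the ones to compare against the central settings.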
