Bug 1340463
Summary: | [RFE] Implement pam_pwquality featureset in IPA password policies | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Luc de Louw <ldelouw> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 8.0 | CC: | abokovoy, afarley, alsharma, apeddire, asakure, awyatt, brault, bscalio, bugzilla_rhn, cobrown, david.jones74, dpal, fhanzelk, gparente, hkario, hkhot, ipa-maint, jlyle, Kevin.Johnson, ldelouw, mkosek, mpolovka, mreynolds, ndehadra, nkinder, pasik, pcech, pvoborni, rcritten, ssidhaye, tscherf, tumeya, twoerner, vmishra |
Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
Target Release: | 8.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
URL: | https://pagure.io/freeipa/issue/5948 | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.9.0-0.1.rc1 | Doc Type: | Enhancement |
Doc Text: |
.IdM now supports new password policy options
With this update, Identity Management (IdM) supports additional `libpwquality` library options:
`--maxrepeat`::
Specifies the maximum number of the same character in sequence.
`--maxsequence`::
Specifies the maximum length of monotonic character sequences (*abcd*).
`--dictcheck`::
Checks if the password is a dictionary word.
`--usercheck`::
Checks if the password contains the username.
Use the `ipa pwpolicy-mod` command to apply these options. For example, to apply the user name check to all new passwords suggested by the users in the managers group:
----
*$ ipa pwpolicy-mod --usercheck=True managers*
----
If any of the new password policy options are set, then the minimum length of passwords is 6 characters regardless of the value of the `--minlength` option. The new password policy settings are applied only to new passwords.
In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password policy requirements set by the system administrator will not be applied. To ensure consistent behavior, upgrade or update all servers to RHEL 8.4 and later.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-05-18 15:47:45 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1563291, 1575530, 1894575 |
Description
Luc de Louw
2016-05-27 13:12:29 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5948

Need info to update customer. As per the recent work-flow we should not send any template response on the case without contacting the Engineering team for exact status and update. Can you let me know any recent update on this bugzilla?

If this feature is a blocker for IdM deployment, there is a workaround that could be used:
1) Make sure that users cannot update their passwords in a self-service (affects LDAP, Kerberos, FreeIPA Web UI interface)
There is an ACI that enables that:
# ipa selfservice-show 'Self can write own password'
Self-service name: Self can write own password
Permissions: write
Attributes: userpassword, krbprincipalkey, sambalmpassword, sambantpassword
# ipa selfservice-show 'Self can write own password' --all --raw
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0;acl "selfservice:Self can write own password";allow (write) userdn = "ldap:///self";)
It would need to be deleted.
2) Prepare a new web service that enforces the required password policy. Luc de Louw used this POC using cracklib in Python:
>>> import cracklib
>>> cracklib.VeryFascistCheck('Password123!')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/cracklib.py", line 209, in VeryFascistCheck
    FascistCheck(new)
ValueError: it is based on a dictionary word
3) Use an existing 'System: Change User password' permission and enable it for the service, to let it change passwords for all users:
# ipa permission-show 'System: Change User password'
Permission name: System: Change User password
Granted rights: write
Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, sambantpassword, userpassword
Default attributes: userpassword, krbprincipalkey, sambantpassword, passwordhistory, sambalmpassword
Bind rule type: permission
Subtree: cn=users,cn=accounts,dc=rhel73
Extra target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=rhel73))
Type: user
Permission flags: V2, MANAGED, SYSTEM
Granted to Privilege: Modify Users and Reset passwords, PassSync Service, User Administrators
Indirect Member of roles: User Administrator, helpdesk
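The following is an added example, not FreeIPA's or libpwquality's code, that models what the four options described in the Doc Text above (`--maxrepeat`, `--maxsequence`, `--dictcheck`, `--usercheck`) actually reject, together with the documented rule that the minimum length becomes 6 once any of them is set. It is also the kind of check the interim web service in step 2 of the workaround above would have to perform before writing a password through the 'System: Change User password' permission. Assumptions: the `DICTIONARY` set is a constructed stand-in for cracklib's word list; the dictionary and user-name checks are deliberately simplified approximations of libpwquality's; and the 6-character rule is modelled as a floor (a larger `--minlength` still applies), which the Doc Text does not state explicitly.

```python
"""Local model of the libpwquality-derived checks this RFE adds to IPA
password policies, plus the documented 6-character floor.

Added illustrative code: NOT FreeIPA's or libpwquality's implementation.
The word list is a constructed stand-in for cracklib's dictionary.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List

# Constructed stand-in for the cracklib dictionary used by the real --dictcheck.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "dragon"}

# Trailing characters stripped before the dictionary lookup, so that
# "Password123!" is still caught, as cracklib caught it in the comment above.
TRAILING_NOISE = "0123456789!@#$%^&*"


@dataclass
class Policy:
    """Subset of ipa pwpolicy fields used here (0 / False = check disabled)."""
    minlength: int = 8
    maxrepeat: int = 0
    maxsequence: int = 0
    dictcheck: bool = False
    usercheck: bool = False

    def uses_pwquality(self) -> bool:
        return bool(self.maxrepeat or self.maxsequence or self.dictcheck or self.usercheck)

    def effective_minlength(self) -> int:
        # Doc Text: once any libpwquality option is set, passwords must be at
        # least 6 characters regardless of --minlength. Modelled as a floor
        # (assumption: a larger --minlength still applies).
        return max(self.minlength, 6) if self.uses_pwquality() else self.minlength


def longest_run(pw: str) -> int:
    """Longest run of one repeated character: 'Zaaa9' -> 3 (for --maxrepeat)."""
    best = cur = 1 if pw else 0
    for prev, ch in zip(pw, pw[1:]):
        cur = cur + 1 if ch == prev else 1
        best = max(best, cur)
    return best


def longest_monotonic(pw: str) -> int:
    """Longest run of code points stepping by +1 or -1 in one direction:
    '12345' -> 5, 'fedcb' -> 5, 'abcba' -> 3 (for --maxsequence)."""
    best = cur = 1 if pw else 0
    direction = 0
    for prev, ch in zip(pw, pw[1:]):
        step = ord(ch) - ord(prev)
        if step in (1, -1):
            cur = cur + 1 if direction in (0, step) else 2
            direction = step
        else:
            cur, direction = 1, 0
        best = max(best, cur)
    return best


def check_password(pw: str, username: str, policy: Policy) -> List[str]:
    """Return the list of policy violations for pw (empty list == accepted)."""
    problems: List[str] = []
    need = policy.effective_minlength()
    if len(pw) < need:
        problems.append(f"shorter than {need} characters")
    if policy.maxrepeat and longest_run(pw) > policy.maxrepeat:
        problems.append(f"more than {policy.maxrepeat} identical characters in a row")
    if policy.maxsequence and longest_monotonic(pw) > policy.maxsequence:
        problems.append(f"monotonic sequence longer than {policy.maxsequence}")
    if policy.usercheck and username:
        # Simplified usercheck: case-insensitive, forwards or reversed.
        low, user = pw.lower(), username.lower()
        if user in low or user[::-1] in low:
            problems.append("contains the user name")
    if policy.dictcheck:
        # Simplified dictcheck: exact lowercase word, or word plus trailing digits/symbols.
        low = pw.lower()
        if low in DICTIONARY or low.rstrip(TRAILING_NOISE) in DICTIONARY:
            problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    # Roughly what `ipa pwpolicy-mod --maxrepeat=2 --maxsequence=3 --dictcheck=True
    # --usercheck=True managers` would configure for members of that group.
    managers = Policy(minlength=8, maxrepeat=2, maxsequence=3, dictcheck=True, usercheck=True)
    for candidate in ("Password123!", "eodJ-x7Qm", "Zaaa9x!Q", "wxyz1234", "Tr0ub4dor&3"):
        verdict = check_password(candidate, "jdoe", managers)
        print(f"{candidate!r}: {'; '.join(verdict) or 'accepted'}")
```

Run it directly to see which constructed candidates each option rejects for user `jdoe`; `eodJ-x7Qm` is refused only because it embeds the user name reversed, which is the case the plain substring check most people write would miss.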
Hello,

As we are working on password complexity, may we also consider checking it against the below attributes...

1. No telephone number
2. No names/account names
3. No birth dates

or something like this.

Thanks
Vinay

Hi,

The customer asked the following:

CBOE have a requirement for significantly better password management than that provided with FreeIPA. There is also https://pagure.io/389-ds-base/issue/49865, which is more in line with what we would require; however, I can see no movement on this ticket. We have written a Kerberos pwqual plugin that will do this for us; we want to understand the issues if we were to include this within the IPA deployment.

And they supplied a link for the GitHub creation: https://github.com/CboeSecurity/password_pwncheck

Can someone look at this and relay any concerns? Would this be supported?

Corey Brown

Hi Dmitri,

Thanks for that information.

Corey Brown

Hello Engineering team,

We have the below update from CSM: [case# 02039711]

++++++++++++
Red Hat Technical Support team - We recently visited our customer Nokia OneNDS on August 28th 2019. This case was highlighted as an example of several open support cases that are now open for a very long period. Please check with Red Hat Engineering when we can give a proper response to the customer for the case. I would respectfully request you to try to provide such a response next week (Sep 23rd --->)

Colum Gaynor - Senior Customer Success Manager - EMEA telco + Nokia Account
++++++++++++

Can someone assist?

~Hemant

Fixed upstream master:
https://pagure.io/freeipa/c/41021c278ae572ff5b1b3dea828a7dd93fe1ffff
https://pagure.io/freeipa/c/6b452e54045bb957e6f787209b4498eefc5df779
https://pagure.io/freeipa/c/c03b4862b84d52ddc91c5a3fb885b0ebf753d8f2
https://pagure.io/freeipa/c/3fc2eda4e15e9592132062036d70acad3bab401c
https://pagure.io/freeipa/c/c4cca53e88e78bfe512ebe59898ede0f94ec24ff
https://pagure.io/freeipa/c/46d0096218488a961125b6d97a9210b68e5434e5
https://pagure.io/freeipa/c/6da070e655c5d084a825607ed3be604c809b12f0
https://pagure.io/freeipa/c/be2efc12d37018794200fee874f27d83e0442ea4
https://pagure.io/freeipa/c/fe44835970eca197543eb3c908c51a240204d846
https://pagure.io/freeipa/c/68aa7c05542422aca05bec4967133be09a32496e
https://pagure.io/freeipa/c/f602da4b28fcf8822225b80df241eed6b624bf8e
https://pagure.io/freeipa/c/5155280bb4a92eb3dfdee5ca3f3a332f0159d568

Fixed upstream ipa-4-8:
https://pagure.io/freeipa/c/04c34dcb33fa2e1ed6103250257c00e03ad93a22
https://pagure.io/freeipa/c/e8232dd0846963b1af7dc96ddbc99c75ef8333d5
https://pagure.io/freeipa/c/4dcb8d98e100d1fad89600b312b301e87d79f704
https://pagure.io/freeipa/c/734afe3896896a5633a926a4af08a58bceb966fd
https://pagure.io/freeipa/c/43cdcad24082bdb8356c44de78bfa69162e0ca6a
https://pagure.io/freeipa/c/cba86e814d44169b0275f908a389b67ddc462ce7
https://pagure.io/freeipa/c/d6a8fc290aa93fc5d53025f4400a9736366175eb
https://pagure.io/freeipa/c/676979eb510f71639ae0ccb16a44b75e3c084245
https://pagure.io/freeipa/c/9627ac4496cd3631250ed21e20157d41d27d6052
https://pagure.io/freeipa/c/60768b7344fcd0ad991ed1dc78c7a8f9784dc031
https://pagure.io/freeipa/c/48801cba3ffb76ba01fa908b13a8ff400423793f

*** Bug 1442413 has been marked as a duplicate of this bug. ***

Add new objectclass to existing policies so they are visible.

Fixed upstream master:
https://pagure.io/freeipa/c/b60d2d975d79856b1c149ee2136aa813342d39ed
https://pagure.io/freeipa/c/f86250a9a592f2549bc1446c8e3493b256618107
https://pagure.io/freeipa/c/69b42f0c80f392b20526b5ff8155fc1aa633dd7d

Fixed upstream ipa-4-8:
https://pagure.io/freeipa/c/c08136f4baa5d4c419897e457dd3f9e52e1841e2
https://pagure.io/freeipa/c/dccaabbc6ae9573125b2d1af615c4f496521b231
https://pagure.io/freeipa/c/5e611bad78d798ec3484b57cb6d676d8c167aee9

fix client-only build.

Fixed upstream master:
https://pagure.io/freeipa/c/26b9a697844c3bb66bdf83dad3a9738b3cb65361

Verified using package ipa-server-4.9.0-0.1.rc1.module+el8.4.0+8830+62cd648b.x86_64 run on RHEL 8.4:

test_integration/test_pwpolicy.py::TestPWPolicy::test_maxrepeat PASSED [ 14%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_maxsequence PASSED [ 28%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_usercheck PASSED [ 42%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_dictcheck PASSED [ 57%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minclasses PASSED [ 71%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minlength_mod PASSED [ 85%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minlength_add PASSED [100%]

Full log is in the attachment of this BZ.

Build used for verification:
ipa-client-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
ipa-client-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch
ipa-selinux-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
ipa-server-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-dns-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-trust-ad-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64

test_integration/test_pwpolicy.py::TestPWPolicy::test_maxrepeat PASSED [ 14%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_maxsequence PASSED [ 28%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_usercheck PASSED [ 42%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_dictcheck PASSED [ 57%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minclasses PASSED [ 71%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minlength_mod PASSED [ 85%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minlength_add PASSED [100%]

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846 |