Bug 1378461

Summary: IPA Allows Password Reuse with History value defined when admin resets the password.
Product: Red Hat Enterprise Linux 7
Reporter: Arya Rajendran <arajendr>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Varun Mylaraiah <mvarun>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.1
CC: apetrova, arajendr, kresss, mbabinsk, mvarun, pvoborni, rcritten, tbordaz
Target Milestone: rc
Flags: arajendr: needinfo-
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1509918
Environment:
Last Closed: 2017-08-01 09:42:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1509918

Description Arya Rajendran 2016-09-22 13:12:53 UTC
Description of problem:

IPA Allows Old Password Reuse with History value defined when admin resets the password.


Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7_1.4.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Modify ipa pwpolicy
# ipa pwpolicy-mod --history=10
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 10
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600


2. Reset user password as admin.

# ipa user-mod --password tuser


3. Try to set a previously used password

# su - user
$ passwd

Actual results:

Allows reuse of the old password

Expected results:

Password change failed. Server message: New password was used previously. Please choose a different password.

Additional info:

Comment 1 Petr Vobornik 2016-09-22 13:38:33 UTC
IMO this is expected. Password reset by admin ignores password policy.

Comment 5 thierry bordaz 2016-10-10 14:52:19 UTC
Testing on master branch, the password updates conform to what is documented:

Creating a user, enable the global password policy with history (6).
Directory manager assign password: value0
Being bound as the user, assign: value1
..
Being bound as the user, assign: value6

Directory manager assign password: value7
Being bound as the user(with value7 password), update the password to set: value4
it fails:
Constraint violation (19)
	additional info: password in history

Would it be possible to get more detailed reproducible steps (especially with the effective values set for the password)?
Also, before updating the password, could you provide
ldapsearch -D "cn=directory manager" -w xxxx -b "<user_dn>" nscpentrywsi

Then the same command after the update of the password.

Comment 6 Petr Vobornik 2016-10-10 15:10:57 UTC
Thierry, the difference can be that you used LDAP-only way.

I can reproduce with the steps from comment 3:

[pvoborni@test ~]$ ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
----------------------------------------------------------------------
Changed password for "fbar"
----------------------------------------------------------------------
[pvoborni@test ~]$ ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted
[pvoborni@test ~]$ kdestroy -A
[pvoborni@test ~]$ kinit admin
Password for admin: 
[pvoborni@test ~]$ ipa passwd fbar
New Password: 
Enter New Password again to verify: 
----------------------------------------------------------------------
Changed password for "fbar"
----------------------------------------------------------------------
[pvoborni@test ~]$ kdestroy -A
[pvoborni@test ~]$ kinit admin
Password for admin: 
kinit: Password read interrupted while getting initial credentials
[pvoborni@test ~]$ kinit fbar
Password for fbar: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

in short:
value1 - set
value1 - try to reuse - fail
value2 - set by admin - success
value1 - reused - success
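
The four-step sequence above, modelled in Python as an added illustration (this is not FreeIPA or 389-ds code; the class, function names and the salted PBKDF2 storage scheme are assumptions of the model, not what the directory server stores). A user-driven change must present the current password and is checked against the history ring; an admin reset presents no current password and expires the new one, but must still append it to the ring rather than discard the ring. With keep_history=False the model reproduces the pre-fix outcome from this comment (the old value is accepted again); with keep_history=True the last step is rejected, which is the verified behaviour.

```python
import hashlib
import hmac
import os
from collections import deque


class PasswordReuseError(Exception):
    """Raised where IPA reports: New password was used previously."""


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 stands in for the directory's real password
    # storage scheme (an assumption of this model, not what 389-ds uses).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class Account:
    """One user entry with a password-history ring of the policy's size."""

    def __init__(self, history_size: int):
        # Oldest first; the current password is the newest entry, so with
        # "History size: N" a user can never return to any of the last N values.
        self.history = deque(maxlen=history_size)
        self.must_change = False

    def _verify(self, entry, password: str) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def _seen_before(self, password: str) -> bool:
        # Check every entry (no early exit) so timing does not reveal position.
        hits = [self._verify(entry, password) for entry in self.history]
        return any(hits)

    def _record(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))

    def user_change(self, current: str, new: str) -> None:
        """'ipa passwd' as the user, or the kinit expiry prompt: prove the
        current password, then the policy applies to the new one."""
        if not self.history or not self._verify(self.history[-1], current):
            raise PermissionError("current password does not match")
        if self._seen_before(new):
            raise PasswordReuseError(
                "New password was used previously. Please choose a different password.")
        self._record(new)
        self.must_change = False

    def admin_reset(self, new: str, keep_history: bool = True) -> None:
        """'ipa passwd <user>' by an admin: no current password is given and
        the new one expires immediately, but it still enters the ring."""
        if not keep_history:
            # Observed behaviour before the fix: the reset path did not keep
            # the ring, so the user's next change could return to an old value.
            self.history.clear()
        self._record(new)
        self.must_change = True


def run_comment6_sequence(keep_history: bool) -> list:
    """Replays the four steps of this comment; returns one word per step."""
    acct = Account(history_size=10)
    outcome = []
    acct.admin_reset("value0")                 # initial provisioning by admin
    acct.user_change("value0", "value1")       # value1 - set
    outcome.append("set")
    try:
        acct.user_change("value1", "value1")   # value1 - try to reuse
        outcome.append("set")
    except PasswordReuseError:
        outcome.append("rejected")
    acct.admin_reset("value2", keep_history=keep_history)  # value2 - set by admin
    outcome.append("set")
    try:
        acct.user_change("value2", "value1")   # value1 - reused?
        outcome.append("reused")
    except PasswordReuseError:
        outcome.append("rejected")
    return outcome


if __name__ == "__main__":
    print("before fix:", run_comment6_sequence(keep_history=False))
    print("after fix: ", run_comment6_sequence(keep_history=True))
```

The point the model makes is that the history check alone is not enough: the admin reset path is a second writer of the password attribute, and every writer has to maintain the ring, otherwise the policy is only as strong as the path that bypasses it.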

Comment 8 Petr Vobornik 2016-10-14 12:12:25 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6402

Comment 10 Martin Babinsky 2016-11-24 16:02:57 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c223130d5f429278202aaf8bf87af53911a3b448

Comment 12 Varun Mylaraiah 2017-05-29 18:13:46 UTC
Verified 
ipa-server-4.5.0-13.el7.x86_64

# ipa pwpolicy-show 
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 10
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

# ipa passwd user1
New Password: 
Enter New Password again to verify: 

# kdestroy -A

# kinit user1
Password for user1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
Password change rejected: New password was used previously. Please choose a different password..  Please try again.

Enter new password:

Comment 13 errata-xmlrpc 2017-08-01 09:42:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304