Bug 1817043

Summary: IdM password policy misleading error message
Product: Red Hat Enterprise Linux 7
Reporter: aheverle
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED NOTABUG
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.7
CC: rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-25 19:17:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description aheverle 2020-03-25 13:20:56 UTC
Description of problem:
When using 3 repeated characters a very misleading error message is shown.
Password policy: 
Character classes: 4
Password length: 9
Password used:  ,Sommmer1
Error Message Web UI: Password is too simple
Error Messages CLI: Password does not contain enough character classes


Version-Release number of selected component (if applicable):
n/a

How reproducible:
every time

Testing with the password policy below:

#####
[root@rhel7 ~]# ipa pwpolicy-find testpolicy
  Group: testpolicy
  Max lifetime (days): 90
  Min lifetime (hours): 24
  History size: 1
  Character classes: 4
  Min length: 9
  Priority: 1
  Max failures: 6
  Failure reset interval: 900
  Lockout duration: 900
----------------------------
Number of entries returned 1
----------------------------
#####

I assigned the user "steve" to this password policy and assigned the password "test".

Then attempting to use the password ,Sommmer1 failed with "Password does not contain enough character classes".

When I used ,Sommer1! (only 2 "m" but added a "!" for the 9th character), it was successful.

#####
[root@rhel7 ~]# ssh steve@localhost
Password: 
Password expired. Change your password now.
Current Password: test
New password: ,Sommmer1
Retype new password: ,Sommmer1
Password change failed. Server message: Password does not contain enough character classes

Password not changed.
 
Password: 
Password expired. Change your password now.
Current Password: test
New password: ,Sommer1!
Retype new password: ,Sommer1!
Last failed login: Wed Mar 18 22:25:06 EDT 2020 from localhost on ssh:notty
There were 4 failed login attempts since the last successful login.
Could not chdir to home directory /home/steve: No such file or directory
-sh-4.2$ 
#####

Comment 2 Florence Blanc-Renaud 2020-03-25 13:49:23 UTC
Hi,

the RHEL 7 documentation "Linux Domain Identity, Authentication, and Policy Guide" has the following section related to password policies: "28.2. How Password Policies Work in IdM" [1] and defines the following:
-----8<-----

 Using a character three or more times in a row decreases the character class by one. For example:

    Secret1 has 3 character classes: uppercase, lowercase, digits
    Secret111 has 2 character classes: uppercase, lowercase, digits, and a -1 penalty for using 1 repeatedly

----->8-----

IMO the behavior is consistent with the doc.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/pwd-policies-how

Comment 3 aheverle 2020-03-25 13:51:51 UTC
(In reply to Florence Blanc-Renaud from comment #2)
> Hi,
> 
> the RHEL 7 documentation "Linux Domain Identity, Authentication, and Policy
> Guide" has the following section related to password policies: "28.2. How
> Password Policies Work in IdM" [1] and defines the following:
> -----8<-----
> 
>  Using a character three or more times in a row decreases the character
> class by one. For example:
> 
>     Secret1 has 3 character classes: uppercase, lowercase, digits
>     Secret111 has 2 character classes: uppercase, lowercase, digits, and a
> -1 penalty for using 1 repeatedly
> 
> ----->8-----
> 
> IMO the behavior is consistent with the doc.
> 
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
> html/linux_domain_identity_authentication_and_policy_guide/pwd-policies-how

Can the message for failure reflect/detect the 3 consecutive characters?

Comment 4 Florence Blanc-Renaud 2020-03-25 18:58:39 UTC
Hi,

I don't think it's possible to handle differently the error if it's caused by 3 repeating characters, as the possible return codes are defined by MIT Kerberos API:
KADM5_PASS_Q_TOOSHORT: password should be longer
KADM5_PASS_Q_CLASS:    password must have more character classes
KADM5_PASS_Q_DICT:     password contains dictionary words
KADM5_PASS_Q_GENERIC:  unspecified quality failure
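The following Python is an added illustration, not code from this bug, from IdM, or from MIT Kerberos. It models the class-counting rule quoted from the RHEL 7 guide in comment 2 (three or more identical characters in a row cost one character class) together with the coarse result codes listed in comment 4, which is why a repeated character ends up reported as "not enough character classes" rather than as a repeat-specific failure. The set of character categories, the assumption that the repeat penalty is applied once per password, and the helper names (`effective_classes`, `check_password`) are assumptions of this example, not the real IdM implementation.

```python
import string

# Character categories assumed for this example (the guide names uppercase,
# lowercase and digits; punctuation and "other" are this example's assumption).
def count_character_classes(password: str) -> int:
    """Number of distinct character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return len(classes)


def has_triple_repeat(password: str) -> bool:
    """True if any character occurs three or more times consecutively."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        if cur == prev:
            run += 1
            if run >= 3:
                return True
        else:
            run = 1
    return False


def effective_classes(password: str) -> int:
    """Class count after the documented repeat penalty.

    Assumption of this example: the -1 penalty is applied at most once per
    password, regardless of how many repeated runs it contains.
    """
    n = count_character_classes(password)
    if has_triple_repeat(password):
        n -= 1
    return max(n, 0)


def check_password(password: str, min_length: int, min_classes: int):
    """Evaluate a password against a policy and return the name of the
    KADM5 quality code such a check would surface, or None when it passes.

    Because the API only offers TOOSHORT / CLASS / DICT / GENERIC, the repeat
    penalty can only be reported as a class-count failure.
    """
    if len(password) < min_length:
        return "KADM5_PASS_Q_TOOSHORT"
    if effective_classes(password) < min_classes:
        return "KADM5_PASS_Q_CLASS"
    return None


if __name__ == "__main__":
    # The policy from the bug report: min length 9, 4 character classes.
    for pw in (",Sommmer1", ",Sommer1!", "Secret1", "Secret111"):
        print(f"{pw!r}: classes={effective_classes(pw)} "
              f"result={check_password(pw, min_length=9, min_classes=4)}")
```

With the reporter's policy (length 9, 4 classes), `,Sommmer1` has four classes on paper but the `mmm` run reduces it to three, so it fails with the class-count code; `,Sommer1!` keeps all four and passes. The guide's own examples behave the same way: `Secret1` counts 3 classes and `Secret111` counts 2.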

Comment 5 aheverle 2020-03-25 19:17:14 UTC
(In reply to Florence Blanc-Renaud from comment #4)
> Hi,
> 
> I don't think it's possible to handle differently the error if it's caused
> by 3 repeating characters, as the possible return codes are defined by MIT
> Kerberos API:
> KADM5_PASS_Q_TOOSHORT: password should be longer
> KADM5_PASS_Q_CLASS:    password must have more character classes
> KADM5_PASS_Q_DICT:     password contains dictionary words
> KADM5_PASS_Q_GENERIC:  unspecified quality failure

Thanks!  Should be good to close.