Bug 973203

Summary:	Initial user password is disregarded in FreeIPA password policy check
Product:	Red Hat Enterprise Linux 7	Reporter:	Dmitri Pal <dpal>
Component:	ipa	Assignee:	Martin Kosek <mkosek>
Status:	CLOSED WONTFIX	QA Contact:	Namita Soman <nsoman>
Severity:	unspecified	Docs Contact:
Priority:	medium
Version:	7.0	CC:	jgalipea, mkosek, todd.dsm
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:
Clones:	1024959 (view as bug list)		Environment:
Last Closed:	2016-01-29 13:11:10 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1024959

Description Dmitri Pal 2013-06-11 13:04:05 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3694

test password policy through pam stack, like add "sudo -u IPA_USER" before ipa command, the history size is shirked by 1.

let history = 3, 
when do "sudo -u IPA_user ipa passwd", the actual history size = 2, please find out from the following test

{{{
## modify password policy ##
[root@banana (RH6.4-i386) ~] ipa pwpolicy-mod --minlife=0 --history=3 
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 0
  History size: 3
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600 

## clean start ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_297400005) 

## starting point: password "redhat000" works ##
[root@banana (RH6.4-i386) ~] echo redhat000 | sudo -u testuser30218 kinit
Password for testuser30218.COM: 
[root@banana (RH6.4-i386) ~] echo redhat000 | sudo -u testuser30218 klist
Ticket cache: FILE:/tmp/krb5cc_297400005
Default principal: testuser30218.COM

Valid starting     Expires            Service principal
06/05/13 13:15:52  06/06/13 13:15:52  krbtgt/YZHANG.REDHAT.COM.COM

## change password from "redhat000" to "redhat001" ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser30218.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo redhat001 | sudo -u testuser30218 kinit
Password for testuser30218.COM: 
[root@banana (RH6.4-i386) ~] echo redhat001 | sudo -u testuser30218 klist
Ticket cache: FILE:/tmp/krb5cc_297400005
Default principal: testuser30218.COM

Valid starting     Expires            Service principal
06/05/13 13:16:32  06/06/13 13:16:32  krbtgt/YZHANG.REDHAT.COM.COM

## change password from "redhat001" to "redhat002" -- up till this point, user password history
## pool is: "redhat002" (current), "redhat001" and "redhat000" ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser30218.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo "at this point, ipa user testuser30218 has password history of: redhat000, redhat001, redhat002, since history size=3, it means this user can not use these 3 passwords"
at this point, ipa user testuser30218 has password history of: redhat000, redhat001, redhat002, since history size=3, it means this user can not use these 3 passwords
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] echo "test show current password redhat002 is valid"
test show current password redhat002 is valid
[root@banana (RH6.4-i386) ~] echo redhat002 | sudo -u testuser30218 kinit
Password for testuser30218.COM: 

## change password from "redhat002" to "redhat002" failed as expected ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted

## change password from "redhat002" to "redhat001" failed as expected ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password:  
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted

#############################################################################
## change password from "redhat002" to "redhat000" success is NOT expected ##
#############################################################################
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser30218.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo redhat000 | sudo -u testuser30218 kinit
Password for testuser30218.COM: 
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 klist
Ticket cache: FILE:/tmp/krb5cc_297400005
Default principal: testuser30218.COM

Valid starting     Expires            Service principal
06/05/13 13:20:57  06/06/13 13:20:57  krbtgt/YZHANG.REDHAT.COM.COM

}}}

for comparison, if we do not use "sudo -u" to execute ipa passwd command, then it works fine, as below test:
{{{
[root@banana (RH6.4-i386) ~] kinit testuser10091
Password for testuser10091.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@banana (RH6.4-i386) ~] echo redhat000 | kinit testuser10091
Password for testuser10091.COM: 
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser10091.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo redhat001 | kinit testuser10091
Password for testuser10091.COM: 
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser10091.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo redhat002 | kinit testuser10091
Password for testuser10091.COM: 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] echo "now , change redhat002 -> redhat002"
now , change redhat002 -> redhat002
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] echo "now , change redhat002 -> redhat001"
now , change redhat002 -> redhat001
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted
[root@banana (RH6.4-i386) ~] echo "now , change redhat002 -> redhat000"
now , change redhat002 -> redhat000
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted

}}}

Comment 3 Martin Kosek 2016-01-29 13:11:10 UTC

Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.