+++ This bug was initially created as a clone of Bug #849072 +++ pam_pwquality has a new option local_users_only. We should use it by default when setting up pam_pwquality from authconfig. See: https://bugzilla.redhat.com/show_bug.cgi?id=848429 Attached patch implements this. --- Additional comment from Fedora Update System on 2012-09-25 16:30:22 EDT --- authconfig-6.2.4-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/authconfig-6.2.4-1.fc18 --- Additional comment from Fedora Update System on 2012-09-26 17:21:25 EDT --- Package authconfig-6.2.4-1.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing authconfig-6.2.4-1.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-14836/authconfig-6.2.4-1.fc18 then log in and leave karma (feedback).
We found out, that authconfig in Fedora 19 does not set local_users_only option in Fedora 19 which makes pam_pwquality to check password quality also for FreeIPA users: # grep authconfig /var/log/ipaclient-install.log 2013-09-27T08:30:15Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd [root@vm-119 ~]# grep -A 4 authconfig /var/log/ipaclient-install.log 2013-09-27T08:30:15Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd 2013-09-27T08:30:15Z DEBUG Process finished, return code=0 2013-09-27T08:30:15Z DEBUG stdout= 2013-09-27T08:30:15Z DEBUG stderr= 2013-09-27T08:30:15Z INFO SSSD enabled # grep pam_pwquality /etc/pam.d/* /etc/pam.d/password-auth:password requisite pam_pwquality.so try_first_pass retry=3 type= /etc/pam.d/password-auth-ac:password requisite pam_pwquality.so try_first_pass retry=3 type= /etc/pam.d/password-auth.rpmnew:password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= /etc/pam.d/system-auth:password requisite pam_pwquality.so try_first_pass retry=3 type= /etc/pam.d/system-auth-ac:password requisite pam_pwquality.so try_first_pass retry=3 type= /etc/pam.d/system-auth.rpmnew:password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= No local_users_only flag is found. Effect: # su - tuser su: warning: cannot change directory to /home/tuser: No such file or directory -sh-4.2$ grep tuser /etc/passwd; echo $? 1 -sh-4.2$ passwd Changing password for user tuser. Current Password: New password: BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word New password:
The problem is that the authconfig will add the option only in case it adds the pam_pwquality.so to the configuration for the first time. Once it is there it keeps the options as are present in the configuration. Workaround - remove pam_pwquality line from /etc/pam.d/system-auth and issue 'authconfig --updateall'. I've modified the default configuration as present in the pam package but that will help only new installs from scratch.
Thanks, making the change available at least for new installation is welcome.
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.