1246389 – wrong password check if passwordInHistory is decreased.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1246389 - wrong password check if passwordInHistory is decreased.

Summary: wrong password check if passwordInHistory is decreased.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Noriko Hosoi
QA Contact:	Viktor Ashirov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-07-24 08:09 UTC by German Parente
Modified:	2020-09-13 21:28 UTC (History)
CC List:	5 users (show)
Fixed In Version:	389-ds-base-1.3.4.0-14.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-11-19 11:43:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 1559	None	None	None	2020-09-13 21:28:28 UTC
Red Hat Bugzilla	1253406	medium	CLOSED	wrong password check if passwordInHistory is decreased.	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2015:2351	normal	SHIPPED_LIVE	389-ds-base bug fix and enhancement update	2015-11-19 10:28:44 UTC

Internal Links: 1253406

Description German Parente 2015-07-24 08:09:58 UTC

Description of problem:

Let's have passwordInHistory = N and a user with its N passwords in history.
We decrease passwordInHistory to a value smaller than N.

If a user changes its password to the oldest value in its history (of N values), it's forbidden but it should be allowed. 

Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:

 1) configure password history feature with, for instance:

passwordInHistory: 4
passwordHistory: on

2) add a new user

[root@rh6 ~]# ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
dn: uid=user50,ou=people,o=redhat
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: user50
cn: user50
sn: user50
userpassword: user50

3) change password 4 times.

4) verify passwordHistory has the four values:

    ldapsearch -xLLL -p 2389 -h localhost -D "cn=directory manager" -w secret12 -b "uid=user50,ou=people,o=redhat" passwordHistory

dn: uid=user50,ou=people,o=redhat
passwordHistory: 20150724075220Zuser50
passwordHistory: 20150724075328Zuser50_1
passwordHistory: 20150724075341Zuser50_2
passwordHistory: 20150724075352Zuser50_3

5) decrease passwordInHistory to 3.

ldapmodify -p 2389 -h localhost -D "cn=directory manager" -w secret12
dn: cn=config
changetype: modify
replace: passwordInHistory
passwordInHistory: 3

6) change password using the original password:

ldapmodify -p 2389 -h localhost -D "uid=user50,ou=people,o=redhat" -w user50_4
dn: uid=user50,ou=people,o=redhat
changetype: modify
replace: userPassword
userPassword: user50

modifying entry "uid=user50,ou=people,o=redhat"
ldap_modify: Constraint violation (19)

    additional info: password in history


Actual results:

password replaced by a password which should not be in history is not allowed.

Expected results:

It should be allowed.

Additional info:

in function update_pw_history

    if ( i >= pwpolicy->pw_inhistory ) {

        /* replace the oldest password in history */

instead of just replacing the oldest value, we could keep the N newest values (N == passwordInHistory) and replace the oldest in this group. As the same time the new passwordHistory of user entry will keep the right numbers of values.

Workaround: trim the values as cn=directory manager

Comment 11 Simon Pichugin 2015-08-25 15:12:34 UTC

Build tested:
389-ds-base-1.3.4.0-10.el7.x86_64

Pytest results:
[spichugi@lib389-devel  ds(master)]$ sudo ~/run_pytest.sh ~/ds/dirsrvtests/tickets/ticket48228_test.py
Running /home/spichugi/ds/dirsrvtests/tickets/ticket48228_test.py tests
================================================= test session starts =================================================
platform linux2 -- Python 2.7.5 -- py-1.4.27 -- pytest-2.7.0 -- /usr/bin/python
rootdir: /home/spichugi/ds/dirsrvtests/tickets, inifile:
collected 3 items

dirsrvtests/tickets/ticket48228_test.py::test_ticket48228_test_global_policy PASSED
dirsrvtests/tickets/ticket48228_test.py::test_ticket48228_test_subtree_policy PASSED
dirsrvtests/tickets/ticket48228_test.py::test_ticket48228_final PASSED

============================================== 3 passed in 26.35 seconds ==============================================

Marking as verified.

Comment 12 Simon Pichugin 2015-08-25 15:31:09 UTC

Build tested:
389-ds-base-1.3.4.0-13.el7.x86_64

[spichugi@lib389-devel  ds(master)]$ sudo ~/run_pytest.sh ~/ds/dirsrvtests/tickets/ticket48228_test.py
Running /home/spichugi/ds/dirsrvtests/tickets/ticket48228_test.py tests
================================================= test session starts =================================================
platform linux2 -- Python 2.7.5 -- py-1.4.27 -- pytest-2.7.0 -- /usr/bin/python
rootdir: /home/spichugi/ds/dirsrvtests/tickets, inifile:
collected 3 items

dirsrvtests/tickets/ticket48228_test.py::test_ticket48228_test_global_policy PASSED
dirsrvtests/tickets/ticket48228_test.py::test_ticket48228_test_subtree_policy PASSED
dirsrvtests/tickets/ticket48228_test.py::test_ticket48228_final PASSED

============================================== 3 passed in 39.77 seconds ==============================================

Marking as verified.

Comment 13 Noriko Hosoi 2015-08-25 22:20:38 UTC

The fix made in 389-ds-base-1.3.4.0-9.el7 caused a regression.  Reopening...

Sorry, Simon.  When you verify this bug, could run TET/pwpolicy, as well?

Unfortunately, test cases for the account usability are failing since OPENDS is not found on my test machine.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-usability.html

But at least this section in pwdpolicy.sh passes 100%.
# Password History Section
ic9="pwp_51 pwp_52 pwp_53 pwp_54 pwp_55 pwp_56 pwp_57"
ic10="pwp_59 pwp_60 pwp_61 pwp_62 pwp_63 pwp_64"
ic11="pwp_65 pwp_66 pwp_67 pwp_68"

Thanks!!

Comment 15 Simon Pichugin 2015-08-27 08:15:04 UTC

Build tested:
389-ds-base-1.3.4.0-14.el7.x86_64

Upstream test case ticket48228_test.py has the same output as in the Comment 12. 
All PASSED.

Marking as verified.

Comment 17 errata-xmlrpc 2015-11-19 11:43:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2351.html

Note You need to log in before you can comment on or make changes to this bug.