Bug 1340463 - [RFE] Implement pam_pwquality featureset in IPA password policies
Summary: [RFE] Implement pam_pwquality featureset in IPA password policies
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: IPA Maintainers
QA Contact: Kaleem
URL: https://pagure.io/freeipa/issue/5948
Whiteboard:
Duplicates: 1442413
Depends On:
Blocks: 1563291 1575530 1894575
Reported: 2016-05-27 13:12 UTC by Luc de Louw
Modified: 2024-03-25 14:56 UTC (History)
CC List: 34 users

Fixed In Version: ipa-4.9.0-0.1.rc1
Doc Type: Enhancement
Doc Text:
IdM now supports new password policy options

With this update, Identity Management (IdM) supports additional `libpwquality` library options:

  --maxrepeat    Specifies the maximum number of the same character in sequence.
  --maxsequence  Specifies the maximum length of monotonic character sequences (abcd).
  --dictcheck    Checks if the password is a dictionary word.
  --usercheck    Checks if the password contains the username.

Use the `ipa pwpolicy-mod` command to apply these options. For example, to apply the user name check to all new passwords suggested by the users in the managers group:

  $ ipa pwpolicy-mod --usercheck=True managers

If any of the new password policy options are set, then the minimum length of passwords is 6 characters regardless of the value of the `--minlength` option. The new password policy settings are applied only to new passwords.

In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password policy requirements set by the system administrator will not be applied. To ensure consistent behavior, upgrade or update all servers to RHEL 8.4 and later.
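The four options and the 6-character rule from the Doc Text, as an added Python example that is not FreeIPA's or libpwquality's code: the small word list, the alphabetic-core dictionary rule, the case-insensitive "contains the username" rule, and treating the 6-character rule as a floor are assumptions standing in for the real library behaviour.

```python
from dataclasses import dataclass

# Constructed stand-in for the system dictionary that dictcheck consults.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon"}

@dataclass
class PwPolicy:
    """Mirrors the ipa pwpolicy-mod options; 0 or False means 'not set'."""
    minlength: int = 8
    maxrepeat: int = 0
    maxsequence: int = 0
    dictcheck: bool = False
    usercheck: bool = False

    def effective_minlength(self) -> int:
        # Doc text: once any new option is set the minimum is 6 regardless of
        # --minlength; modelled here as a floor of 6 (assumption).
        if self.maxrepeat or self.maxsequence or self.dictcheck or self.usercheck:
            return max(self.minlength, 6)
        return self.minlength

def longest_runs(pw: str):
    """(longest identical-character run, longest +1/-1 code point run)."""
    rep = inc = dec = best_rep = best_mono = 0
    prev = None
    for ch in pw:
        rep = rep + 1 if ch == prev else 1
        inc = inc + 1 if prev is not None and ord(ch) == ord(prev) + 1 else 1
        dec = dec + 1 if prev is not None and ord(ch) == ord(prev) - 1 else 1
        best_rep, best_mono, prev = max(best_rep, rep), max(best_mono, inc, dec), ch
    return best_rep, best_mono

def check_password(pw: str, username: str, policy: PwPolicy) -> list:
    """Names of the violated options; an empty list means the password passes."""
    failed = []
    repeat, mono = longest_runs(pw)
    if len(pw) < policy.effective_minlength():
        failed.append("minlength")
    if policy.maxrepeat and repeat > policy.maxrepeat:
        failed.append("maxrepeat")
    if policy.maxsequence and mono > policy.maxsequence:
        failed.append("maxsequence")
    # Simplified dictcheck: lower-cased alphabetic core against the word list.
    if policy.dictcheck and "".join(c for c in pw.lower() if c.isalpha()) in SAMPLE_DICTIONARY:
        failed.append("dictcheck")
    if policy.usercheck and username and username.lower() in pw.lower():
        failed.append("usercheck")
    return failed
```

With all four options set, the reporter's "Password123!" is rejected by dictcheck alone, which is the gap the original report describes.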
Clone Of:
Environment:
Last Closed: 2021-05-18 15:47:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links:
  - GitHub 389ds/389-ds-base issue 2853 (closed): RFE - Add pam_pwquality checking to DS's password policy (last updated 2021-02-16 06:41:29 UTC)
  - Red Hat Issue Tracker FREEIPA-7108 (last updated 2021-10-18 20:28:56 UTC)

Description Luc de Louw 2016-05-27 13:12:29 UTC
Description of problem:
At the moment "Password123!" is a valid password when a user chooses a new password. This needs to be changed. 

It would be great if we can have at least dictionary checks implemented on a quite short term and on the long term the complete featureset of pam_pwquality


Version-Release number of selected component (if applicable):
4.3

How reproducible:
Always


Comment 3 Petr Vobornik 2016-06-10 12:19:26 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5948

Comment 7 Abhinay Reddy Peddireddy 2016-10-26 05:59:20 UTC
Need info to update customer. 

As per the recent work-flow we should not send any template response on the case without contacting Engineering team for exact status and update. 

Can you let me know of any recent update on this bugzilla?

Comment 9 Martin Kosek 2017-02-27 15:05:25 UTC
If this feature is a blocker for IdM deployment, there is a workaround that could be used:

1) Make sure that users cannot update their passwords in a self-service (affects LDAP, Kerberos, FreeIPA Web UI interface)

There is an ACI that enables that:

# ipa selfservice-show 'Self can write own password'
  Self-service name: Self can write own password
  Permissions: write
  Attributes: userpassword, krbprincipalkey, sambalmpassword, sambantpassword

# ipa selfservice-show 'Self can write own password' --all --raw
  aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0;acl "selfservice:Self can write own password";allow (write) userdn = "ldap:///self";)

It would need to be deleted.

2) Prepare a new web service that enforces the required password policy. Luc de Louw used this POC using cracklib in Python:

>>> cracklib.VeryFascistCheck('Password123!')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/cracklib.py", line 209, in VeryFascistCheck
    FascistCheck(new)
ValueError: it is based on a dictionary word 


3) Use an existing 'System: Change User password' permission and enable it for the service, to let it change passwords for all users:

# ipa permission-show 'System: Change User password'
  Permission name: System: Change User password
  Granted rights: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, sambantpassword,
                        userpassword
  Default attributes: userpassword, krbprincipalkey, sambantpassword, passwordhistory,
                      sambalmpassword
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=rhel73
  Extra target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=rhel73))
  Type: user
  Permission flags: V2, MANAGED, SYSTEM
  Granted to Privilege: Modify Users and Reset passwords, PassSync Service, User
                        Administrators
  Indirect Member of roles: User Administrator, helpdesk

Comment 27 Vinay Mishra 2018-04-27 12:59:45 UTC
Hello,

As we are working on password complexity, may we also consider checking it against the attributes below...


1. No telephone number
2. No names/account names, 
3. No birth dates.

or something like this  

Thanks
Vinay

Comment 37 Corey Brown 2019-08-13 15:43:01 UTC
Hi,

The customer asked the following:

CBOE has a requirement for significantly better password management than that provided with FreeIPA.
There is also https://pagure.io/389-ds-base/issue/49865, which is more in line with what we would require, however, I can see no movement on this ticket.
We have written a kerberos pwqual plugin that will do this for us, we want to understand the issues if we were to include this within the IPA deployment.


And they supplied a link for the GitHub creation:

https://github.com/CboeSecurity/password_pwncheck

Can someone look at this and relay any concerns? Would this be supported?

Corey Brown

Comment 39 Corey Brown 2019-08-22 14:27:38 UTC
Hi Dmitri,

Thanks for that information.

Corey Brown

Comment 42 Hemant B Khot 2019-10-11 05:45:36 UTC
Hello Engineering team,

We have below update from CSM: [case# 02039711]
++++++++++++
Red Hat Technical Support team - We recently visited our customer Nokia OneNDS on August 28th 2019.
This case was highlighted as an example of several open support cases that are now open for a very long period.
Please check with Red Hat Engineering when can we give a proper response to the customer for the case.
I would respectfully request you to try to provide such a response next week (Sep 23rd --->)

Colum Gaynor - Senior Customer Success Manager - EMEA telco + Nokia Account
++++++++++++

Can someone assist?

~Hemant

Comment 52 Rob Crittenden 2020-10-27 12:59:17 UTC
*** Bug 1442413 has been marked as a duplicate of this bug. ***

Comment 57 Rob Crittenden 2020-11-09 14:42:36 UTC
fix client-only build.

Fixed upstream
master:
https://pagure.io/freeipa/c/26b9a697844c3bb66bdf83dad3a9738b3cb65361

Comment 62 Michal Polovka 2020-11-27 09:26:39 UTC
Verified using package ipa-server-4.9.0-0.1.rc1.module+el8.4.0+8830+62cd648b.x86_64 run on RHEL8.4


test_integration/test_pwpolicy.py::TestPWPolicy::test_maxrepeat PASSED   [ 14%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_maxsequence PASSED [ 28%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_usercheck PASSED   [ 42%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_dictcheck PASSED   [ 57%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minclasses PASSED  [ 71%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minlength_mod PASSED [ 85%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minlength_add PASSED [100%]

Full log is in attachment of this BZ.

Comment 67 Sumedh Sidhaye 2020-12-17 11:12:04 UTC
Build used for verification:

ipa-client-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
ipa-client-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch
ipa-selinux-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
ipa-server-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-dns-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
ipa-server-trust-ad-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64


test_integration/test_pwpolicy.py::TestPWPolicy::test_maxrepeat PASSED   [ 14%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_maxsequence PASSED [ 28%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_usercheck PASSED   [ 42%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_dictcheck PASSED   [ 57%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minclasses PASSED  [ 71%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minlength_mod PASSED [ 85%]
test_integration/test_pwpolicy.py::TestPWPolicy::test_minlength_add PASSED [100%]

Comment 69 errata-xmlrpc 2021-05-18 15:47:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846
