Bug 1378461 - IPA Allows Password Reuse with History value defined when admin resets the password. [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
Version: 7.1
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Varun Mylaraiah
Docs Contact:
Depends On:
Blocks: 1509918
Reported: 2016-09-22 09:12 EDT by Arya Rajendran
Modified: 2017-11-06 05:45 EST
CC List: 8 users

See Also:
Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1509918
Environment:
Last Closed: 2017-08-01 05:42:02 EDT
Type: Bug
Regression: ---
tbordaz: needinfo? (arajendr)
External Trackers:
Red Hat Product Errata RHBA-2017:2304 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 08:41:35 EDT

Description Arya Rajendran 2016-09-22 09:12:53 EDT
Description of problem:

IPA Allows Old Password Reuse with History value defined when admin resets the password.


Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7_1.4.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Modify ipa pwpolicy
# ipa pwpolicy-mod --history=10
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 10
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600


2. Reset user password as admin.

# ipa user-mod --password tuser


3. Try to set a previously used password

# su - user
$ passwd

Actual results:

Allows reuse of the old password.

Expected results:

Password change failed. Server message: New password was used previously. Please choose a different password.

Additional info:
Comment 1 Petr Vobornik 2016-09-22 09:38:33 EDT
IMO this is expected. Password reset by admin ignores password policy.
Comment 5 thierry bordaz 2016-10-10 10:52:19 EDT
Testing on the master branch, the password updates conform to what is documented:

Creating a user, enable the global password policy with history (6).
Directory manager assign password: value0
Being bound as the user, assign: value1
..
Being bound as the user, assign: value6

Directory manager assign password: value7
Being bound as the user(with value7 password), update the password to set: value4
it fails:
Constraint violation (19)
	additional info: password in history

Would it be possible to get more detailed reproducible steps (especially with the effective values set for the password)?
Also, before updating the password, could you provide the output of
ldapsearch -D "cn=directory manager" -w xxxx -b "<user_dn>" nscpentrywsi

Then the same command after the update of the password.
Comment 6 Petr Vobornik 2016-10-10 11:10:57 EDT
Thierry, the difference may be that you used the LDAP-only way.

I can reproduce with the steps from comment 3:

[pvoborni@test ~]$ ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
----------------------------------------------------------------------
Changed password for "fbar@EXAMPLE.TEST"
----------------------------------------------------------------------
[pvoborni@test ~]$ ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted
[pvoborni@test ~]$ kdestroy -A
[pvoborni@test ~]$ kinit admin
Password for admin@EXAMPLE.TEST: 
[pvoborni@test ~]$ ipa passwd fbar
New Password: 
Enter New Password again to verify: 
----------------------------------------------------------------------
Changed password for "fbar@EXAMPLE.TEST"
----------------------------------------------------------------------
[pvoborni@test ~]$ kdestroy -A
[pvoborni@test ~]$ kinit admin
Password for admin@EXAMPLE.TEST: 
kinit: Password read interrupted while getting initial credentials
[pvoborni@test ~]$ kinit fbar
Password for fbar@EXAMPLE.TEST: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

in short:
value1 - set
value1 - try to reuse - fail
value2 - set by admin - success
value1 - reused - success
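The two behaviours compared in comment 6, together with the history window from comment 5, as an added model that is not FreeIPA's own code: a small Python password-history policy in which a self-service change (`ipa passwd`, or the forced change at `kinit`) is always checked against stored history, while an admin reset skips the check for the admin-chosen value but still records it and flags the account for a forced change. The `keep_history=False` switch models the buggy behaviour, where the history accumulated before the reset is discarded. The `Account` class, the newest-first list of salted PBKDF2 digests and the helper names are assumptions made for illustration; they are not how the ipa server stores `passwordHistory`.

```python
"""Model of IPA-style password history across an admin reset.

Added example, not FreeIPA's own code.  It replays the sequences from
comment 5 and comment 6 against a small policy object.  The storage
layout (salted PBKDF2 digests kept newest-first) is an assumption made
for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class PasswordReuse(Exception):
    """Candidate password matches one kept in the account's history."""


# Low iteration count keeps the replay fast; a real store would use more.
_ITERATIONS = 10_000


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


@dataclass
class Account:
    history_size: int            # "History size" from ipa pwpolicy
    history: list = field(default_factory=list)   # [(salt, digest)], newest first
    must_change: bool = False    # set by an admin reset, cleared by the user

    def _in_history(self, candidate: str) -> bool:
        return any(hmac.compare_digest(_digest(candidate, salt), digest)
                   for salt, digest in self.history)

    def _record(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(password, salt)))
        # Keep the current password plus history_size previous ones.
        del self.history[self.history_size + 1:]

    def user_change(self, new: str) -> None:
        """Self-service change (ipa passwd, kinit forced change): always checked."""
        if self._in_history(new):
            raise PasswordReuse("New password was used previously.")
        self._record(new)
        self.must_change = False

    def admin_reset(self, new: str, keep_history: bool = True) -> None:
        """Admin reset: the admin-chosen value skips the history check but is
        recorded, and the user must change it at next login.
        keep_history=False reproduces the bug: history is lost on reset."""
        if not keep_history:
            self.history.clear()
        self._record(new)
        self.must_change = True


def reuse_after_admin_reset(keep_history: bool) -> bool:
    """Replay comment 6.  Returns True if the final reuse of value1 is rejected."""
    acct = Account(history_size=10)
    acct.user_change("value1")
    try:
        acct.user_change("value1")          # immediate reuse by the user
    except PasswordReuse:
        pass
    else:
        raise AssertionError("immediate reuse must always be rejected")
    acct.admin_reset("value2", keep_history=keep_history)
    if not acct.must_change:
        raise AssertionError("admin reset must force a change")
    try:
        acct.user_change("value1")          # the forced change after the reset
    except PasswordReuse:
        return True
    return False


def history_window() -> tuple:
    """Replay comment 5 with history size 6.
    Returns (value4 rejected, value0 rejected); value0 has aged out of the window."""
    acct = Account(history_size=6)
    acct.admin_reset("value0")
    for i in range(1, 7):
        acct.user_change(f"value{i}")
    acct.admin_reset("value7")
    results = []
    for old in ("value4", "value0"):
        try:
            acct.user_change(old)
            results.append(False)
        except PasswordReuse:
            results.append(True)
    return tuple(results)


if __name__ == "__main__":
    print("buggy :", "rejected" if reuse_after_admin_reset(False) else "ALLOWED")
    print("fixed :", "rejected" if reuse_after_admin_reset(True) else "ALLOWED")
    print("window:", history_window())
```

The point the model makes is that the check performed during the user's forced change after a reset (the "Password expired. You must change it now." path shown in comment 12) has to run against the history accumulated before the admin touched the account; exempting the admin-chosen value from the policy is fine, dropping the user's earlier entries is not.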
Comment 8 Petr Vobornik 2016-10-14 08:12:25 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6402
Comment 10 Martin Babinsky 2016-11-24 11:02:57 EST
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c223130d5f429278202aaf8bf87af53911a3b448
Comment 12 Varun Mylaraiah 2017-05-29 14:13:46 EDT
Verified 
ipa-server-4.5.0-13.el7.x86_64

# ipa pwpolicy-show 
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 10
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

# ipa passwd user1
New Password: 
Enter New Password again to verify: 

# kdestroy -A

# kinit user1
Password for user1@SSHEXSM38.TEST: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
Password change rejected: New password was used previously. Please choose a different password..  Please try again.

Enter new password:
Comment 13 errata-xmlrpc 2017-08-01 05:42:02 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
