Bug 1378461 - IPA Allows Password Reuse with History value defined when admin resets the password. [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Varun Mylaraiah
URL:
Whiteboard:
Depends On:
Blocks: 1509918
 
Reported: 2016-09-22 13:12 UTC by Arya Rajendran
Modified: 2017-11-06 10:45 UTC (History)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:42:02 UTC
Target Upstream Version:
tbordaz: needinfo? (arajendr)




Links
System ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2017:2304 | normal | SHIPPED_LIVE | ipa bug fix and enhancement update | 2017-08-01 12:41:35 UTC

Description Arya Rajendran 2016-09-22 13:12:53 UTC
Description of problem:

IPA Allows Old Password Reuse with History value defined when admin resets the password.


Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7_1.4.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Modify ipa pwpolicy
# ipa pwpolicy-mod --history=10
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 10
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600


2. Reset user password as admin.

# ipa user-mod --password tuser


3. Try to set a previously used password

# su - user
$ passwd

Actual results:

Allows reuse of old password

Expected results:

Password change failed. Server message: New password was used previously. Please choose a different password.

Additional info:

Comment 1 Petr Vobornik 2016-09-22 13:38:33 UTC
IMO this is expected. Password reset by admin ignores password policy.

Comment 5 thierry bordaz 2016-10-10 14:52:19 UTC
Testing on master branch, the password updates conform to what is documented:

Creating a user, enable the global password policy with history (6).
Directory manager assigns password: value0
Being bound as the user, assign: value1
..
Being bound as the user, assign: value6

Directory manager assigns password: value7
Being bound as the user (with value7 password), update the password to set: value4
It fails:
Constraint violation (19)
	additional info: password in history

Would it be possible to get more detailed reproduction steps (especially with the effective values set for the password)?
Also, before updating the password, could you provide
ldapsearch -D "cn=directory manager" -w xxxx -b "<user_dn>" nscpentrywsi

Then the same command after the update of the password.

Comment 6 Petr Vobornik 2016-10-10 15:10:57 UTC
Thierry, the difference can be that you used the LDAP-only way.

I can reproduce with the steps from comment 3:

[pvoborni@test ~]$ ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
----------------------------------------------------------------------
Changed password for "fbar@EXAMPLE.TEST"
----------------------------------------------------------------------
[pvoborni@test ~]$ ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted
[pvoborni@test ~]$ kdestroy -A
[pvoborni@test ~]$ kinit admin
Password for admin@EXAMPLE.TEST: 
[pvoborni@test ~]$ ipa passwd fbar
New Password: 
Enter New Password again to verify: 
----------------------------------------------------------------------
Changed password for "fbar@EXAMPLE.TEST"
----------------------------------------------------------------------
[pvoborni@test ~]$ kdestroy -A
[pvoborni@test ~]$ kinit admin
Password for admin@EXAMPLE.TEST: 
kinit: Password read interrupted while getting initial credentials
[pvoborni@test ~]$ kinit fbar
Password for fbar@EXAMPLE.TEST: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

in short:
value1 - set
value1 - try to reuse - fail
value2 - set by admin - success
value1 - reused - success
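To make the two outcomes above comparable, here is an added Python model of a password entry under a history policy. It is not FreeIPA or 389-ds code; the hash store, PBKDF2 hashing and error strings are assumptions of the model. A self-service change must reject the live password and the last N previous ones, while an admin reset bypasses that check (comment 1) but must not make earlier passwords eligible again. `run_sequence(False)` only replays the observed sequence; it is not a claim about the real root cause.

```python
import hashlib
import os

REUSE_ERROR = "Constraint violation: Password reuse not permitted"

class PasswordEntry:
    # keep_history_on_admin_reset=False only reproduces the observed sequence;
    # it is a modelling assumption, not a claim about the real defect.
    def __init__(self, history_size, keep_history_on_admin_reset=True):
        self.history_size = history_size
        self.keep_history_on_admin_reset = keep_history_on_admin_reset
        self.hashes = []  # (salt, digest) pairs, oldest first; the last is live

    @staticmethod
    def _hash(password, salt=None):
        salt = os.urandom(16) if salt is None else salt
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

    def _matches(self, password, entry):
        return self._hash(password, entry[0])[1] == entry[1]

    def _reused(self, password):
        # The live password plus the last history_size previous ones are off-limits.
        recent = self.hashes[-(self.history_size + 1):]
        return any(self._matches(password, e) for e in recent)

    def admin_reset(self, new_password):
        # Admin reset skips the policy checks (comment 1); it must still keep history.
        if not self.keep_history_on_admin_reset:
            self.hashes = []  # previous passwords are forgotten
        self.hashes.append(self._hash(new_password))
        return "ok"

    def user_change(self, current_password, new_password):
        # Self-service change: prove the current password, then enforce history.
        if not self.hashes or not self._matches(current_password, self.hashes[-1]):
            return "invalid credentials"
        if self._reused(new_password):
            return REUSE_ERROR
        self.hashes.append(self._hash(new_password))
        return "ok"

def run_sequence(keep_history_on_admin_reset):
    # Replays the "in short" sequence from comment 6 and returns the four outcomes.
    entry = PasswordEntry(10, keep_history_on_admin_reset)
    entry.admin_reset("value0")                     # initial password set by admin
    return [entry.user_change("value0", "value1"),  # value1 - set
            entry.user_change("value1", "value1"),  # value1 - try to reuse
            entry.admin_reset("value2"),            # value2 - set by admin
            entry.user_change("value2", "value1")]  # value1 - reused
```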

Comment 8 Petr Vobornik 2016-10-14 12:12:25 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6402

Comment 10 Martin Babinsky 2016-11-24 16:02:57 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c223130d5f429278202aaf8bf87af53911a3b448

Comment 12 Varun Mylaraiah 2017-05-29 18:13:46 UTC
Verified 
ipa-server-4.5.0-13.el7.x86_64

# ipa pwpolicy-show 
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 10
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

# ipa passwd user1
New Password: 
Enter New Password again to verify: 

# kdestroy -A

# kinit user1
Password for user1@SSHEXSM38.TEST: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
Password change rejected: New password was used previously. Please choose a different password..  Please try again.

Enter new password:

Comment 13 errata-xmlrpc 2017-08-01 09:42:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

