Bug 1817043 - IdM password policy misleading error message
Summary: IdM password policy misleading error message
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-25 13:20 UTC by aheverle
Modified: 2020-03-25 19:17 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-25 19:17:14 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description aheverle 2020-03-25 13:20:56 UTC
Description of problem:
When using 3 repeated characters a very misleading error message is shown.
Password policy: 
Character lasses: 4
Password length: 9
Password used:  ,Sommmer1
Error Message Web UI: Password is too simple
Error Messages CLI: Password does not contain enough character classes


Version-Release number of selected component (if applicable):
n/a

How reproducible:
everytime

Testing with the password policy below:

#####
[root@rhel7 ~]# ipa pwpolicy-find testpolicy
  Group: testpolicy
  Max lifetime (days): 90
  Min lifetime (hours): 24
  History size: 1
  Character classes: 4
  Min length: 9
  Priority: 1
  Max failures: 6
  Failure reset interval: 900
  Lockout duration: 900
----------------------------
Number of entries returned 1
----------------------------
#####

I assigned the user "steve" to this password policy and assigned the password "test".

Then attempting to use the password ,Sommmer1 failed with "Password does not contain enough character classes"

When I user ,Sommer1! (only 2 "m" but added a "!" for 9th character), it was successful.

#####
[root@rhel7 ~]# ssh steve@localhost
Password: 
Password expired. Change your password now.
Current Password: test
New password: ,Sommmer1
Retype new password: ,Sommmer1
Password change failed. Server message: Password does not contain enough character classes

Password not changed.
 
Password: 
Password expired. Change your password now.
Current Password: test
New password: ,Sommer1!
Retype new password: ,Sommer1!
Last failed login: Wed Mar 18 22:25:06 EDT 2020 from localhost on ssh:notty
There were 4 failed login attempts since the last successful login.
Could not chdir to home directory /home/steve: No such file or directory
-sh-4.2$ 
#####

Comment 2 Florence Blanc-Renaud 2020-03-25 13:49:23 UTC
Hi,

the RHEL 7 documentation "Linux Domain Identity, Authentication, and Policy Guide" has the following section related to password policies: "28.2. How Password Policies Work in IdM" [1] and defines the following:
-----8<-----

 Using a character three or more times in a row decreases the character class by one. For example:

    Secret1 has 3 character classes: uppercase, lowercase, digits
    Secret111 has 2 character classes: uppercase, lowercase, digits, and a -1 penalty for using 1 repeatedly

----->8-----

IMO the behavior is consistent with the doc.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/pwd-policies-how

Comment 3 aheverle 2020-03-25 13:51:51 UTC
(In reply to Florence Blanc-Renaud from comment #2)
> Hi,
> 
> the RHEL 7 documentation "Linux Domain Identity, Authentication, and Policy
> Guide" has the following section related to password policies: "28.2. How
> Password Policies Work in IdM" [1] and defines the following:
> -----8<-----
> 
>  Using a character three or more times in a row decreases the character
> class by one. For example:
> 
>     Secret1 has 3 character classes: uppercase, lowercase, digits
>     Secret111 has 2 character classes: uppercase, lowercase, digits, and a
> -1 penalty for using 1 repeatedly
> 
> ----->8-----
> 
> IMO the behavior is consistent with the doc.
> 
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
> html/linux_domain_identity_authentication_and_policy_guide/pwd-policies-how

Can the message for failure reflect/detect the 3 consecutive characters?

Comment 4 Florence Blanc-Renaud 2020-03-25 18:58:39 UTC
Hi,

I don't think it's possible to handle differently the error if it's caused by 3 repeating characters, as the possible return codes are defined by MIT Kerberos API:
KADM5_PASS_Q_TOOSHORT: password should be longer
KADM5_PASS_Q_CLASS:    password must have more character classes
KADM5_PASS_Q_DICT:     password contains dictionary words
KADM5_PASS_Q_GENERIC:  unspecified quality failure

Comment 5 aheverle 2020-03-25 19:17:14 UTC
(In reply to Florence Blanc-Renaud from comment #4)
> Hi,
> 
> I don't think it's possible to handle differently the error if it's caused
> by 3 repeating characters, as the possible return codes are defined by MIT
> Kerberos API:
> KADM5_PASS_Q_TOOSHORT: password should be longer
> KADM5_PASS_Q_CLASS:    password must have more character classes
> KADM5_PASS_Q_DICT:     password contains dictionary words
> KADM5_PASS_Q_GENERIC:  unspecified quality failure

Thanks!  Should be good to close.


Note You need to log in before you can comment on or make changes to this bug.