Hide Forgot
Description of problem: When using 3 repeated characters a very misleading error message is shown. Password policy: Character lasses: 4 Password length: 9 Password used: ,Sommmer1 Error Message Web UI: Password is too simple Error Messages CLI: Password does not contain enough character classes Version-Release number of selected component (if applicable): n/a How reproducible: everytime Testing with the password policy below: ##### [root@rhel7 ~]# ipa pwpolicy-find testpolicy Group: testpolicy Max lifetime (days): 90 Min lifetime (hours): 24 History size: 1 Character classes: 4 Min length: 9 Priority: 1 Max failures: 6 Failure reset interval: 900 Lockout duration: 900 ---------------------------- Number of entries returned 1 ---------------------------- ##### I assigned the user "steve" to this password policy and assigned the password "test". Then attempting to use the password ,Sommmer1 failed with "Password does not contain enough character classes" When I user ,Sommer1! (only 2 "m" but added a "!" for 9th character), it was successful. ##### [root@rhel7 ~]# ssh steve@localhost Password: Password expired. Change your password now. Current Password: test New password: ,Sommmer1 Retype new password: ,Sommmer1 Password change failed. Server message: Password does not contain enough character classes Password not changed. Password: Password expired. Change your password now. Current Password: test New password: ,Sommer1! Retype new password: ,Sommer1! Last failed login: Wed Mar 18 22:25:06 EDT 2020 from localhost on ssh:notty There were 4 failed login attempts since the last successful login. Could not chdir to home directory /home/steve: No such file or directory -sh-4.2$ #####
Hi, the RHEL 7 documentation "Linux Domain Identity, Authentication, and Policy Guide" has the following section related to password policies: "28.2. How Password Policies Work in IdM" [1] and defines the following: -----8<----- Using a character three or more times in a row decreases the character class by one. For example: Secret1 has 3 character classes: uppercase, lowercase, digits Secret111 has 2 character classes: uppercase, lowercase, digits, and a -1 penalty for using 1 repeatedly ----->8----- IMO the behavior is consistent with the doc. [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/pwd-policies-how
(In reply to Florence Blanc-Renaud from comment #2) > Hi, > > the RHEL 7 documentation "Linux Domain Identity, Authentication, and Policy > Guide" has the following section related to password policies: "28.2. How > Password Policies Work in IdM" [1] and defines the following: > -----8<----- > > Using a character three or more times in a row decreases the character > class by one. For example: > > Secret1 has 3 character classes: uppercase, lowercase, digits > Secret111 has 2 character classes: uppercase, lowercase, digits, and a > -1 penalty for using 1 repeatedly > > ----->8----- > > IMO the behavior is consistent with the doc. > > [1] > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ > html/linux_domain_identity_authentication_and_policy_guide/pwd-policies-how Can the message for failure reflect/detect the 3 consecutive characters?
Hi, I don't think it's possible to handle differently the error if it's caused by 3 repeating characters, as the possible return codes are defined by MIT Kerberos API: KADM5_PASS_Q_TOOSHORT: password should be longer KADM5_PASS_Q_CLASS: password must have more character classes KADM5_PASS_Q_DICT: password contains dictionary words KADM5_PASS_Q_GENERIC: unspecified quality failure
(In reply to Florence Blanc-Renaud from comment #4) > Hi, > > I don't think it's possible to handle differently the error if it's caused > by 3 repeating characters, as the possible return codes are defined by MIT > Kerberos API: > KADM5_PASS_Q_TOOSHORT: password should be longer > KADM5_PASS_Q_CLASS: password must have more character classes > KADM5_PASS_Q_DICT: password contains dictionary words > KADM5_PASS_Q_GENERIC: unspecified quality failure Thanks! Should be good to close.