test password policy through pam stack, like add "sudo -u IPA_USER" before ipa command, the history size is shirked by 1.
let history = 3, when do "sudo -u IPA_user ipa passwd", the actual history size = 2, please find out from the following test
## modify password policy ## [root@banana (RH6.4-i386) ~] ipa pwpolicy-mod --minlife=0 --history=3 Group: global_policy Max lifetime (days): 90 Min lifetime (hours): 0 History size: 3 Character classes: 0 Min length: 8 Max failures: 6 Failure reset interval: 60 Lockout duration: 600 ## clean start ## [root@banana (RH6.4-i386) ~] sudo -u testuser30218 klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_297400005) ## starting point: password "redhat000" works ## [root@banana (RH6.4-i386) ~] echo redhat000 | sudo -u testuser30218 kinit Password for testuser30218@YZHANG.REDHAT.COM: [root@banana (RH6.4-i386) ~] echo redhat000 | sudo -u testuser30218 klist Ticket cache: FILE:/tmp/krb5cc_297400005 Default principal: testuser30218@YZHANG.REDHAT.COM Valid starting Expires Service principal 06/05/13 13:15:52 06/06/13 13:15:52 krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM ## change password from "redhat000" to "redhat001" ## [root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log' Current Password: New Password: Enter New Password again to verify: ------------------------------------------------------ Changed password for "testuser30218@YZHANG.REDHAT.COM" ------------------------------------------------------ [root@banana (RH6.4-i386) ~] echo redhat001 | sudo -u testuser30218 kinit Password for testuser30218@YZHANG.REDHAT.COM: [root@banana (RH6.4-i386) ~] echo redhat001 | sudo -u testuser30218 klist Ticket cache: FILE:/tmp/krb5cc_297400005 Default principal: testuser30218@YZHANG.REDHAT.COM Valid starting Expires Service principal 06/05/13 13:16:32 06/06/13 13:16:32 krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM ## change password from "redhat001" to "redhat002" -- up till this point, user password history ## pool is: "redhat002" (current), "redhat001" and "redhat000" ## [root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log' Current Password: New Password: Enter New Password again to verify: ------------------------------------------------------ Changed password for "testuser30218@YZHANG.REDHAT.COM" ------------------------------------------------------ [root@banana (RH6.4-i386) ~] echo "at this point, ipa user testuser30218 has password history of: redhat000, redhat001, redhat002, since history size=3, it means this user can not use these 3 passwords" at this point, ipa user testuser30218 has password history of: redhat000, redhat001, redhat002, since history size=3, it means this user can not use these 3 passwords [root@banana (RH6.4-i386) ~] [root@banana (RH6.4-i386) ~] [root@banana (RH6.4-i386) ~] [root@banana (RH6.4-i386) ~] [root@banana (RH6.4-i386) ~] [root@banana (RH6.4-i386) ~] echo "test show current password redhat002 is valid" test show current password redhat002 is valid [root@banana (RH6.4-i386) ~] echo redhat002 | sudo -u testuser30218 kinit Password for testuser30218@YZHANG.REDHAT.COM: ## change password from "redhat002" to "redhat002" failed as expected ## [root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log' Current Password: New Password: Enter New Password again to verify: ipa: ERROR: Constraint violation: Password reuse not permitted ## change password from "redhat002" to "redhat001" failed as expected ## [root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log' Current Password: New Password: Enter New Password again to verify: ipa: ERROR: Constraint violation: Password reuse not permitted ############################################################################# ## change password from "redhat002" to "redhat000" success is NOT expected ## ############################################################################# [root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log' Current Password: New Password: Enter New Password again to verify: ------------------------------------------------------ Changed password for "testuser30218@YZHANG.REDHAT.COM" ------------------------------------------------------ [root@banana (RH6.4-i386) ~] echo redhat000 | sudo -u testuser30218 kinit Password for testuser30218@YZHANG.REDHAT.COM: [root@banana (RH6.4-i386) ~] sudo -u testuser30218 klist Ticket cache: FILE:/tmp/krb5cc_297400005 Default principal: testuser30218@YZHANG.REDHAT.COM Valid starting Expires Service principal 06/05/13 13:20:57 06/06/13 13:20:57 krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM
for comparison, if we do not use "sudo -u" to execute ipa passwd command, then it works fine, as below test:
[root@banana (RH6.4-i386) ~] kinit testuser10091 Password for testuser10091@YZHANG.REDHAT.COM: Password expired. You must change it now. Enter new password: Enter it again: [root@banana (RH6.4-i386) ~] echo redhat000 | kinit testuser10091 Password for testuser10091@YZHANG.REDHAT.COM: [root@banana (RH6.4-i386) ~] ipa passwd Current Password: New Password: Enter New Password again to verify: ------------------------------------------------------ Changed password for "testuser10091@YZHANG.REDHAT.COM" ------------------------------------------------------ [root@banana (RH6.4-i386) ~] echo redhat001 | kinit testuser10091 Password for testuser10091@YZHANG.REDHAT.COM: [root@banana (RH6.4-i386) ~] ipa passwd Current Password: New Password: Enter New Password again to verify: ------------------------------------------------------ Changed password for "testuser10091@YZHANG.REDHAT.COM" ------------------------------------------------------ [root@banana (RH6.4-i386) ~] echo redhat002 | kinit testuser10091 Password for testuser10091@YZHANG.REDHAT.COM: [root@banana (RH6.4-i386) ~] [root@banana (RH6.4-i386) ~] echo "now , change redhat002 -> redhat002" now , change redhat002 -> redhat002 [root@banana (RH6.4-i386) ~] ipa passwd Current Password: New Password: Enter New Password again to verify: ipa: ERROR: Constraint violation: Password reuse not permitted [root@banana (RH6.4-i386) ~] [root@banana (RH6.4-i386) ~] [root@banana (RH6.4-i386) ~] echo "now , change redhat002 -> redhat001" now , change redhat002 -> redhat001 [root@banana (RH6.4-i386) ~] ipa passwd Current Password: New Password: Enter New Password again to verify: ipa: ERROR: Constraint violation: Password reuse not permitted [root@banana (RH6.4-i386) ~] echo "now , change redhat002 -> redhat000" now , change redhat002 -> redhat000 [root@banana (RH6.4-i386) ~] ipa passwd Current Password: New Password: Enter New Password again to verify: ipa: ERROR: Constraint violation: Password reuse not permitted
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=973203
I tested this, I do not think that PAM stack makes any difference in this (history is handle and verified on server). You also used "ipa passwd" command which is evaluated on the server as well.
I only discovered that there is a problem with initial password
# echo "Secret000" | ipa user-add --first=Foo --last=Bar fbar1 --password ------------------ Added user "fbar1" ------------------ User login: fbar1 First name: Foo Last name: Bar Full name: Foo Bar Display name: Foo Bar Initials: FB Home directory: /home/fbar1 GECOS field: Foo Bar Login shell: /bin/sh Kerberos principal: fbar1@IDM.LAB.BOS.REDHAT.COM Email address: fbar1@idm.lab.bos.redhat.com UID: 1802000070 GID: 1802000070 Password: True Member of groups: ipausers Kerberos keys available: True [root@vm-119 ~]# su fbar1 -c 'OLD=0; NEW=1; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kinit' Password for fbar1@IDM.LAB.BOS.REDHAT.COM: Password expired. You must change it now. Enter new password: Enter it again: [root@vm-119 ~]# su fbar1 -c 'OLD=1; NEW=0; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd' Last login: Wed Jun 12 22:42:09 EDT 2013 on pts/0 Password for fbar1@IDM.LAB.BOS.REDHAT.COM: Enter new password: Enter it again: Password changed.
Standard password changes is caught correctly:
# su fbar1 -c 'OLD=0; NEW=1; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd' Last login: Wed Jun 12 22:42:26 EDT 2013 on pts/0 Password for fbar1@IDM.LAB.BOS.REDHAT.COM: Enter new password: Enter it again: Password change rejected: New password was used previously. Please choose a different password.
When initial password is disregarded, history seems ok:
# echo "Secret000" | ipa user-add --first=Foo --last=Bar fbar1 --password ------------------ Added user "fbar1" ------------------ User login: fbar1 First name: Foo Last name: Bar Full name: Foo Bar Display name: Foo Bar Initials: FB Home directory: /home/fbar1 GECOS field: Foo Bar Login shell: /bin/sh Kerberos principal: fbar1@IDM.LAB.BOS.REDHAT.COM Email address: fbar1@idm.lab.bos.redhat.com UID: 1802000065 GID: 1802000065 Password: True Member of groups: ipausers Kerberos keys available: True [root@vm-119 ~]# su fbar1 -c 'OLD=0; NEW=1; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kinit' Last login: Tue Jun 11 22:12:16 EDT 2013 on pts/0 Password for fbar1@IDM.LAB.BOS.REDHAT.COM: Password expired. You must change it now. Enter new password: Enter it again: [root@vm-119 ~]# su fbar1 -c 'OLD=1; NEW=2; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd' Last login: Tue Jun 11 22:13:43 EDT 2013 on pts/0 Password for fbar1@IDM.LAB.BOS.REDHAT.COM: Enter new password: Enter it again: Password changed. [root@vm-119 ~]# su fbar1 -c 'OLD=2; NEW=3; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd' Last login: Tue Jun 11 22:13:56 EDT 2013 on pts/0 Password for fbar1@IDM.LAB.BOS.REDHAT.COM: Enter new password: Enter it again: Password changed. [root@vm-119 ~]# su fbar1 -c 'OLD=3; NEW=1; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd' Last login: Tue Jun 11 22:14:01 EDT 2013 on pts/0 Password for fbar1@IDM.LAB.BOS.REDHAT.COM: Enter new password: Enter it again: Password change rejected: New password was used previously. Please choose a different password.
I verified with IPA 3.0 that this is not a regression, initial password was also disregarded in the history.
Simo or Rob - is this the desired behavior? If now, do you have an idea where could be the issue?
I tried to do some logging in ipa-pwd-extop and also ipa-kdb plugins, but I could not spot where the initial password is being added to the passwordHistory attribute.
passwordHistory
Moving open tickets to next month bucket.
Since this is not a regression, moving to NEEDS_TRIAGE to re-consider the target release.
Moving to next month milestone.
Moving to next month iteration.
Starting to shape next release
This is not a priority for next release, pushing out. Help welcome!
Metadata Update from @yizhangid: - Issue assigned to someone - Issue set to the milestone: Future Releases
Login to comment on this ticket.