#3694 Initial user password is disregarded in FreeIPA password policy check
Opened 10 years ago by yizhangid. Modified 7 years ago

test password policy through pam stack, like add "sudo -u IPA_USER" before ipa command, the history size is shirked by 1.

let history = 3,
when do "sudo -u IPA_user ipa passwd", the actual history size = 2, please find out from the following test

## modify password policy ##
[root@banana (RH6.4-i386) ~] ipa pwpolicy-mod --minlife=0 --history=3 
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 0
  History size: 3
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

## clean start ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_297400005)

## starting point: password "redhat000" works ##
[root@banana (RH6.4-i386) ~] echo redhat000 | sudo -u testuser30218 kinit
Password for testuser30218@YZHANG.REDHAT.COM: 
[root@banana (RH6.4-i386) ~] echo redhat000 | sudo -u testuser30218 klist
Ticket cache: FILE:/tmp/krb5cc_297400005
Default principal: testuser30218@YZHANG.REDHAT.COM

Valid starting     Expires            Service principal
06/05/13 13:15:52  06/06/13 13:15:52  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM

## change password from "redhat000" to "redhat001" ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser30218@YZHANG.REDHAT.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo redhat001 | sudo -u testuser30218 kinit
Password for testuser30218@YZHANG.REDHAT.COM: 
[root@banana (RH6.4-i386) ~] echo redhat001 | sudo -u testuser30218 klist
Ticket cache: FILE:/tmp/krb5cc_297400005
Default principal: testuser30218@YZHANG.REDHAT.COM

Valid starting     Expires            Service principal
06/05/13 13:16:32  06/06/13 13:16:32  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM

## change password from "redhat001" to "redhat002" -- up till this point, user password history
## pool is: "redhat002" (current), "redhat001" and "redhat000" ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser30218@YZHANG.REDHAT.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo "at this point, ipa user testuser30218 has password history of: redhat000, redhat001, redhat002, since history size=3, it means this user can not use these 3 passwords"
at this point, ipa user testuser30218 has password history of: redhat000, redhat001, redhat002, since history size=3, it means this user can not use these 3 passwords
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] echo "test show current password redhat002 is valid"
test show current password redhat002 is valid
[root@banana (RH6.4-i386) ~] echo redhat002 | sudo -u testuser30218 kinit
Password for testuser30218@YZHANG.REDHAT.COM:

## change password from "redhat002" to "redhat002" failed as expected ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted

## change password from "redhat002" to "redhat001" failed as expected ##
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password:  
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted

#############################################################################
## change password from "redhat002" to "redhat000" success is NOT expected ##
#############################################################################
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 ipa passwd
ipa: ERROR: Could not create log_dir u'/home/testuser30218/.ipa/log'
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser30218@YZHANG.REDHAT.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo redhat000 | sudo -u testuser30218 kinit
Password for testuser30218@YZHANG.REDHAT.COM: 
[root@banana (RH6.4-i386) ~] sudo -u testuser30218 klist
Ticket cache: FILE:/tmp/krb5cc_297400005
Default principal: testuser30218@YZHANG.REDHAT.COM

Valid starting     Expires            Service principal
06/05/13 13:20:57  06/06/13 13:20:57  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM

for comparison, if we do not use "sudo -u" to execute ipa passwd command, then it works fine, as below test:

[root@banana (RH6.4-i386) ~] kinit testuser10091
Password for testuser10091@YZHANG.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@banana (RH6.4-i386) ~] echo redhat000 | kinit testuser10091
Password for testuser10091@YZHANG.REDHAT.COM: 
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser10091@YZHANG.REDHAT.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo redhat001 | kinit testuser10091
Password for testuser10091@YZHANG.REDHAT.COM: 
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
------------------------------------------------------
Changed password for "testuser10091@YZHANG.REDHAT.COM"
------------------------------------------------------
[root@banana (RH6.4-i386) ~] echo redhat002 | kinit testuser10091
Password for testuser10091@YZHANG.REDHAT.COM: 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] echo "now , change redhat002 -> redhat002"
now , change redhat002 -> redhat002
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] 
[root@banana (RH6.4-i386) ~] echo "now , change redhat002 -> redhat001"
now , change redhat002 -> redhat001
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted
[root@banana (RH6.4-i386) ~] echo "now , change redhat002 -> redhat000"
now , change redhat002 -> redhat000
[root@banana (RH6.4-i386) ~] ipa passwd
Current Password: 
New Password: 
Enter New Password again to verify: 
ipa: ERROR: Constraint violation: Password reuse not permitted

I tested this, I do not think that PAM stack makes any difference in this (history is handle and verified on server). You also used "ipa passwd" command which is evaluated on the server as well.

I only discovered that there is a problem with initial password

# echo "Secret000" | ipa user-add --first=Foo --last=Bar fbar1 --password 
------------------
Added user "fbar1"
------------------
  User login: fbar1
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/fbar1
  GECOS field: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: fbar1@IDM.LAB.BOS.REDHAT.COM
  Email address: fbar1@idm.lab.bos.redhat.com
  UID: 1802000070
  GID: 1802000070
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@vm-119 ~]# su fbar1 -c 'OLD=0; NEW=1; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kinit'
Password for fbar1@IDM.LAB.BOS.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@vm-119 ~]# su fbar1 -c 'OLD=1; NEW=0; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd'
Last login: Wed Jun 12 22:42:09 EDT 2013 on pts/0
Password for fbar1@IDM.LAB.BOS.REDHAT.COM: 
Enter new password: 
Enter it again: 
Password changed.

Standard password changes is caught correctly:

# su fbar1 -c 'OLD=0; NEW=1; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd'
Last login: Wed Jun 12 22:42:26 EDT 2013 on pts/0
Password for fbar1@IDM.LAB.BOS.REDHAT.COM: 
Enter new password: 
Enter it again: 
Password change rejected: New password was used previously. Please choose a different password.

When initial password is disregarded, history seems ok:

# echo "Secret000" | ipa user-add --first=Foo --last=Bar fbar1 --password 
------------------
Added user "fbar1"
------------------
  User login: fbar1
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/fbar1
  GECOS field: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: fbar1@IDM.LAB.BOS.REDHAT.COM
  Email address: fbar1@idm.lab.bos.redhat.com
  UID: 1802000065
  GID: 1802000065
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@vm-119 ~]# su fbar1 -c 'OLD=0; NEW=1; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kinit'
Last login: Tue Jun 11 22:12:16 EDT 2013 on pts/0
Password for fbar1@IDM.LAB.BOS.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@vm-119 ~]# su fbar1 -c 'OLD=1; NEW=2; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd'
Last login: Tue Jun 11 22:13:43 EDT 2013 on pts/0
Password for fbar1@IDM.LAB.BOS.REDHAT.COM: 
Enter new password: 
Enter it again: 
Password changed.
[root@vm-119 ~]# su fbar1 -c 'OLD=2; NEW=3; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd'
Last login: Tue Jun 11 22:13:56 EDT 2013 on pts/0
Password for fbar1@IDM.LAB.BOS.REDHAT.COM: 
Enter new password: 
Enter it again: 
Password changed.
[root@vm-119 ~]# su fbar1 -c 'OLD=3; NEW=1; ( echo "Secret00$OLD"; echo "Secret00$NEW"; echo "Secret00$NEW" ) | kpasswd'
Last login: Tue Jun 11 22:14:01 EDT 2013 on pts/0
Password for fbar1@IDM.LAB.BOS.REDHAT.COM: 
Enter new password: 
Enter it again: 
Password change rejected: New password was used previously. Please choose a different password.

I verified with IPA 3.0 that this is not a regression, initial password was also disregarded in the history.

Simo or Rob - is this the desired behavior? If now, do you have an idea where could be the issue?

I tried to do some logging in ipa-pwd-extop and also ipa-kdb plugins, but I could not spot where the initial password is being added to the passwordHistory attribute.

Moving open tickets to next month bucket.

Since this is not a regression, moving to NEEDS_TRIAGE to re-consider the target release.

Moving to next month milestone.

Moving to next month iteration.

Starting to shape next release

This is not a priority for next release, pushing out. Help welcome!

Metadata Update from @yizhangid:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

Login to comment on this ticket.

Metadata