Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1442413
Description of problem:
There's no way to configure IPA's password policy to require a new password to be sufficiently different from the old one. By next year, this will make IPA unusable on all Red Hat systems that need to meet U.S. DoD hardening requirements.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. try to configure password policy to check for difference
2.
3.

Actual results:
Can't configure

Expected results:
Can configure IPA password policy to have at least identical functionality to the PAM difok option.

Additional info:
A workaround is to somehow disable the web interface, and uninstall IPA CLI tools from all systems. Then users have to go through PAM to change their passwords. However, I'm not sure if this will apply to kinit.

A complicated workaround is to launch a program when a user logs in that tries to match the hash of the previous password by generating permutations of the current one. This would either have to be run at every login, or every few logins, and would require the ability to retrieve the password history from the IPA server. Yes, this is a terrible workaround.
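For readers unfamiliar with what the report is asking for, here is an added example (not from this ticket and not FreeIPA code) of a difok-style "sufficiently different" check. The semantics are an assumption modeled on pam_cracklib's difok: the number of characters of the old password that do not occur in the new one must reach the difok value, with an exemption when the new password is at least twice as long as the old one. Such a check needs both passwords in cleartext, which is only the case at change time; it cannot be run against a stored hash history, which is why the report's hash-matching workaround is so awkward.

```python
# Added example, not part of the ticket or of FreeIPA.
# difok semantics below are an assumption modeled on pam_cracklib.
from dataclasses import dataclass


@dataclass(frozen=True)
class DifokResult:
    accepted: bool
    differing: int   # characters of the old password absent from the new one
    reason: str


def difok_check(old: str, new: str, difok: int = 5) -> DifokResult:
    """Decide whether NEW differs enough from OLD under a difok-style rule.

    Both values must be the cleartext passwords, so this belongs in the
    password-change path (where the user proves the old password), not in a
    job that inspects stored hashes.
    """
    if difok <= 0:
        return DifokResult(True, 0, "difok disabled")
    if new == old:
        return DifokResult(False, 0, "new password is identical to the old one")
    # pam_cracklib waives the check when the password at least doubles in length.
    if len(new) >= 2 * len(old):
        return DifokResult(True, len(old), "new password is at least twice as long")
    new_chars = set(new)
    # Iterate over OLD (as pam_cracklib does), so repeated characters count each time.
    differing = sum(1 for ch in old if ch not in new_chars)
    if differing >= difok:
        return DifokResult(True, differing, "enough characters differ")
    return DifokResult(
        False,
        differing,
        f"only {differing} character(s) of the old password are absent from "
        f"the new one; difok={difok} required",
    )


if __name__ == "__main__":
    # Constructed sample values: a year bump is rejected, a real change passes.
    for old_pw, new_pw in [("Summer2023!", "Summer2024!"), ("Summer2023!", "xq7#Lp9&Zt")]:
        r = difok_check(old_pw, new_pw)
        print(f"{'ACCEPT' if r.accepted else 'REJECT'} ({r.differing}): {r.reason}")
```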
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1442413
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
master:
ipa-4-8:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)