#6964 IPA password policy has no password difference checking
Opened 2 years ago by pvoborni. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1442413

Description of problem:

There's no way to configure IPA's password policy to require a new password to
be sufficiently different from the old one.

By next year, this will make IPA unusable on all Red Hat systems that need to
meet U.S. DoD hardening requirements.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. try to configure password policy to check for difference

Actual results:
Can't configure

Expected results:
Can configure IPA password policy to have at least identical functionality to
the PAM difok option.

Additional info:

A workaround is to somehow disable the web interface, and uninstall IPA CLI
tools from all systems. Then users have to go through PAM to change their
passwords. However, I'm not sure if this will apply to kinit.

A complicated workaround is to launch a program when a user logs in that tries
to match the hash of the previous password by generating permutations of the
current one. This would either have to be run at every login, or every few
logins, and would require the ability to retrieve the password history from the
IPA server. Yes, this is a terrible workaround.
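To show what the requested PAM `difok` behaviour amounts to, here is an added illustration in Python (not FreeIPA's own code): a check following the pam_pwquality man page's description, where `difok` is the number of characters in the new password that must not be present in the old one, and `difok=0` disables every similarity check except rejecting an identical password. The function name, the assumed default of 5 and the sample passwords are constructed for this example.

```python
"""difok-style password similarity check (illustration only, not FreeIPA code)."""

from typing import Optional, Tuple

# Assumed default for this example; a real policy sets its own value.
DEFAULT_DIFOK = 5


def difok_check(old: Optional[str], new: str,
                difok: int = DEFAULT_DIFOK) -> Tuple[bool, str]:
    """Return (accepted, reason) for a proposed password change.

    Semantics follow the pam_pwquality man page: ``difok`` is the number of
    characters in the new password that must not occur in the old one.
    ``difok == 0`` disables all similarity checks except rejecting a new
    password identical to the old.  Comparison is case-sensitive, like PAM.
    """
    if old is None:
        # Old password not available (e.g. an administrative reset):
        # there is nothing to compare against, so the check cannot apply.
        return True, "no previous password available"
    if new == old:
        return False, "new password is identical to the old one"
    if difok <= 0:
        return True, "similarity check disabled"
    # Count characters of the new password that do not occur in the old one.
    fresh = sum(1 for ch in new if ch not in old)
    if fresh < difok:
        return False, f"only {fresh} new character(s), policy requires {difok}"
    return True, f"{fresh} new character(s)"


if __name__ == "__main__":
    # Constructed sample: bumping the year in an old password is rejected,
    # an unrelated password is accepted.
    for old_pw, new_pw in [("Summer2017!", "Summer2018!"),
                           ("Summer2017!", "Kv9#tqRz@wL")]:
        ok, why = difok_check(old_pw, new_pw)
        print(f"{old_pw!r} -> {new_pw!r}: {'accept' if ok else 'reject'} ({why})")
```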

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1442413

2 years ago


Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
