Ubuntu not enforcing password policies

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Nov 28, 2008 at 12:49:11AM -0500, John A. Sullivan III wrote:
> Hello, all.  We're continuing to dive ever deeper into DS.  Our thanks
> to the developers for such a powerful product.
> 
> Our integration with the RedHat family has gone well but now we're
> working on Ubuntu.  Most is working well but we are finding Ubuntu is
> not enforcing password policies.  For example, we require a user to
> change their password after a reset.  When a user logs into a RedHat
> system, they are prompted for the change.  However, Ubuntu just lets
> them right in again and again with the same reset password.
> 
> Any pointers on what to look for to fix this in our configuration before
> we scour the world for a solution? We've already done quite a bit of
> googling.
> 
> We've tried enabling pam_lookup_policy but that didn't
> work.  /etc/pam.d/common-password reads:
> 
> password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3
> password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
> password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
> # here's the fallback if no module succeeds
> password        requisite                       pam_deny.so
> 
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> password        required                        pam_permit.so
> 
> We've also tried disabling that last pam_permit.so.  That didn't help.  Where should we look? Thanks - John

When using PAM, the calling application "knows" that the user's password
needs to be changed because the account management modules signal it, so
you'll want to check the "account" portions of the PAM configuration.

Specifically, you want to ensure that pam_ldap.so is being used, and
that some other module isn't causing the account management function to
return a success code before pam_ldap.so gets a chance to check on the
user's account and return a password-needs-changing code.

Just a guess, but going on what I get on my Fedora system, it might look
something like this:

  account required pam_unix.so
  account sufficient pam_succeed_if.so uid < 500 quiet
  account [[default=bad success=ok user_unknown=ignore] pam_ldap.so
  account required pam_permit.so

HTH,

Nalin
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux