Ubuntu not enforcing password policies

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2008-12-01 at 14:33 -0500, John A. Sullivan III wrote:
> On Mon, 2008-12-01 at 13:36 -0500, Nalin Dahyabhai wrote:
> > On Fri, Nov 28, 2008 at 12:49:11AM -0500, John A. Sullivan III wrote:
> > > Hello, all.  We're continuing to dive ever deeper into DS.  Our thanks
> > > to the developers for such a powerful product.
> > > 
> > > Our integration with the RedHat family has gone well but now we're
> > > working on Ubuntu.  Most is working well but we are finding Ubuntu is
> > > not enforcing password policies.  For example, we require a user to
> > > change their password after a reset.  When a user logs into a RedHat
> > > system, they are prompted for the change.  However, Ubuntu just lets
> > > them right in again and again with the same reset password.
> > > 
> > > Any pointers on what to look for to fix this in our configuration before
> > > we scour the world for a solution? We've already done quite a bit of
> > > googling.
> > > 
> > > We've tried enabling pam_lookup_policy but that didn't
> > > work.  /etc/pam.d/common-password reads:
> > > 
> > > password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3
> > > password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
> > > password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
> > > # here's the fallback if no module succeeds
> > > password        requisite                       pam_deny.so
> > > 
> > > # prime the stack with a positive return value if there isn't one already;
> > > # this avoids us returning an error just because nothing sets a success code
> > > # since the modules above will each just jump around
> > > password        required                        pam_permit.so
> > > 
> > > We've also tried disabling that last pam_permit.so.  That didn't help.  Where should we look? Thanks - John
> > 
> > When using PAM, the calling application "knows" that the user's password
> > needs to be changed because the account management modules signal it, so
> > you'll want to check the "account" portions of the PAM configuration.
> > 
> > Specifically, you want to ensure that pam_ldap.so is being used, and
> > that some other module isn't causing the account management function to
> > return a success code before pam_ldap.so gets a chance to check on the
> > user's account and return a password-needs-changing code.
> > 
> > Just a guess, but going on what I get on my Fedora system, it might look
> > something like this:
> > 
> >   account required pam_unix.so
> >   account sufficient pam_succeed_if.so uid < 500 quiet
> >   account [[default=bad success=ok user_unknown=ignore] pam_ldap.so
> >   account required pam_permit.so
> > 
> > HTH,
> > 
> > Nalin
> > 
> > --
> <snip>
> Thank you.  That was it.  It had autoconfigured with ldap first:
> 
> account sufficient pam_ldap.so
> account        required        pam_unix.so
> 
Oops! I spoke too soon. Now, after changing the password, I cannot log
in.  If I change it back to the original order, I can.  I'll have to dig
a little further - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux