Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1378461
Description of problem: IPA allows old password reuse with a history value defined when the admin resets the password.

Version-Release number of selected component (if applicable): ipa-server-4.1.0-18.el7_1.4.x86_64

How reproducible: Always

Steps to Reproduce:

    [root@rhel7-ipa-2 ~]# ipa pwpolicy-show
      Group: global_policy
      Max lifetime (days): 90
      Min lifetime (hours): 1
      History size: 10
      Character classes: 0
      Min length: 8
      Max failures: 6
      Failure reset interval: 60
      Lockout duration: 600
    -----------------------------------------------------------------------------
    $ passwd
    Changing password for user tuser.
    Current Password:
    New password:             <============= old password 1
    Retype new password:
    Password change failed. Server message: New password was used previously. Please choose a different password.
    passwd: Authentication token manipulation error    <======== expected result
    ------------------------------------------------------------------------------------
    [root@rhel7-ipa-2 ~]# ipa user-mod --password tuser
    Password:
    ------------------------------------------------------------------------------------
    [tuser@rhel7-ipa-2 ~]$ passwd
    Changing password for user tuser.
    Current Password:
    New password:             <=========== old password 1
    Retype new password:
    passwd: all authentication tokens updated successfully.    <======= allowed to reset to old password

Actual results: Allows reuse of the old password.

Expected results: Password change failed. Server message: New password was used previously. Please choose a different password.

Additional info:
Some investigation is done in the linked BZ.
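To illustrate the behaviour the report expects, here is an added example (not FreeIPA's own code, and not a statement of this bug's root cause): a small Python model of a password-history policy in which every change path, including an administrative reset, records the replaced password in history, so the sequence from the ticket is rejected. The history size of 10 matches the policy shown above; the class names, hashing parameters and the helper reproduce_ticket() are assumptions of this model.

```python
import hashlib
import hmac
import os

HISTORY_SIZE = 10  # same as "History size: 10" in the ticket's global_policy


class PasswordHistoryError(Exception):
    """Raised when a new password matches the current or a remembered one."""


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_entry(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def _matches(password: str, entry: tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hmac.compare_digest(_digest(password, salt), digest)


class Account:
    def __init__(self, password: str):
        self.current = _make_entry(password)
        self.history: list[tuple[bytes, bytes]] = []  # oldest first

    def _reject_if_reused(self, candidate: str) -> None:
        if any(_matches(candidate, e) for e in [self.current, *self.history]):
            raise PasswordHistoryError("New password was used previously.")

    def _commit(self, new_password: str) -> None:
        # Every change path goes through here, so the replaced password is
        # always remembered; only the last HISTORY_SIZE entries are kept.
        self.history.append(self.current)
        del self.history[:-HISTORY_SIZE]
        self.current = _make_entry(new_password)

    def user_change(self, old_password: str, new_password: str) -> None:
        if not _matches(old_password, self.current):
            raise PermissionError("Current password is wrong.")
        self._reject_if_reused(new_password)
        self._commit(new_password)

    def admin_reset(self, new_password: str) -> None:
        # Administrative reset: no old password required, history still updated.
        self._commit(new_password)


def reproduce_ticket() -> bool:
    """Return True when the ticket's sequence ends in the expected rejection."""
    acct = Account("OldPass1!")          # constructed sample: "old password 1"
    acct.admin_reset("TempReset2!")      # admin resets the password
    try:
        acct.user_change("TempReset2!", "OldPass1!")  # user tries to go back
    except PasswordHistoryError:
        return True
    return False
```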
attachment 0001-IPA-Allows-Password-Reuse-with-History-value-defined.patch
master:
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5