Thank you. I'll keep that in mind. I will register.

And it appears that is the case. I must have been misunderstanding. From my test, setting minPoints to 3, it works as expected. Fails with two categories but passes with three.

Thank you!

-L

On Jan 28, 2016 9:06 AM, Clément OUDOT <[email protected]> wrote:


On 28/01/2016 04:17, Louis Abel wrote:

Hello.

I’m having a bit of trouble understanding how the password policy works in regards to the check_password.so module. This is my issue, using the openldap RPMs.

Below is the configuration for the check_password.conf.

[root@phdevl09 ~]# cat /etc/openldap/check_password.conf
# OpenLDAP pwdChecker library configuration

useCracklib 1
minPoints 2
minUpper 1
minLower 1
minDigit 1
minPunct 1

Below are the logs when a password change attempt is happening. I’m attempting to use a password that uses upper, lower, digit. No punctuation.

#### Logs

Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: conn=19337 op=1 PASSMOD new
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |useCracklib 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [useCracklib]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = useCracklib, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minPoints 2#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minPoints]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minPoints, value = 2
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minUpper 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minUpper]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minUpper, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minLower 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minLower]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minLower, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minDigit 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minDigit]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minDigit, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minPunct 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minPunct]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minPunct, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Found digit character - quality raise 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Found lower character - quality raise 2
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Found upper character - quality raise 3
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Reallocating szErrStr from 64 to 211
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password_quality: module error: (check_password.so) Password for dn="uid=tester_nalika,ou=People,o=POG,dc=example,dc=com" does not pass required number of strength checks for the required character sets (3 of 2).[1]

Clearly this fails. 3 of 2? If I attempt to use punctuation, then the password is accepted.

Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: conn=19339 op=1 PASSMOD new
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |useCracklib 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [useCracklib]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = useCracklib, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minPoints 2#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minPoints]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minPoints, value = 2
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minUpper 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minUpper]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minUpper, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minLower 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minLower]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minLower, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minDigit 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minDigit]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minDigit, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minPunct 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minPunct]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minPunct, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found lower character - quality raise 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found digit character - quality raise 2
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found upper character - quality raise 3
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found punctuation character - quality raise 4

Why is this? Am I misunderstanding how minPoints works? I didn’t want to submit a Bugzilla because I don’t think this is really a “bug”, but a misconfiguration on my part somewhere.




Hello Louis,

First, you need to register to be able to post to the list and receive answers, see: http://lists.ltb-project.org/listinfo/ltb-users

Regarding your question, you set minPoints but also minUpper, minLower, ..., so a password can only be valid with at least one upper, one lower, one digit and one punct. The log message is not clear, but the behavior is normal.

If you use minPoints, you should maybe not use the other configuration parameters, or configure them with precaution.

-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
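
The interaction described in the answer above, as an added example that is not part of the thread and is not the source of check_password.so. It is a simplified model that assumes one point per character class present and treats each minUpper/minLower/minDigit/minPunct value as a separate hard requirement; the test password is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the thread's behaviour (assumption), not check_password.so source. */
enum { POINTS, UPPER, LOWER, DIGIT, PUNCT, NKEYS };
static const char *KEYS[NKEYS] = {"minPoints", "minUpper", "minLower", "minDigit", "minPunct"};
struct policy { int min[NKEYS]; };
static const char THREAD_CONF[] = /* configuration from the thread, embedded */
    "# OpenLDAP pwdChecker library configuration\n"
    "useCracklib 1\nminPoints 2\nminUpper 1\nminLower 1\nminDigit 1\nminPunct 1\n";

/* Parse "key value" lines; comments and unknown keys are ignored. */
static struct policy parse_conf(const char *s) {
    struct policy p = {{0}};
    char line[128], key[32];
    int val, i;
    while (*s) {
        size_t n = strcspn(s, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, s);
        if (sscanf(line, "%31s %d", key, &val) == 2)
            for (i = 0; i < NKEYS; i++)
                if (!strcmp(key, KEYS[i])) p.min[i] = val;
        s += n + (s[n] == '\n');
    }
    return p;
}

/* Returns 1 if accepted; *points = classes found, *mandatory = classes forced by minimums. */
static int check(const struct policy *p, const char *pw, int *points, int *mandatory) {
    int cnt[NKEYS] = {0}, i, ok = 1;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        cnt[isupper(c) ? UPPER : islower(c) ? LOWER : isdigit(c) ? DIGIT
            : ispunct(c) ? PUNCT : POINTS]++; /* POINTS slot collects "other", unused */
    }
    *points = *mandatory = 0;
    for (i = UPPER; i < NKEYS; i++) {
        *points += cnt[i] > 0;
        *mandatory += p->min[i] > 0;
        if (cnt[i] < p->min[i]) ok = 0; /* hard requirement, separate from the score */
    }
    return ok && *points >= p->min[POINTS];
}

int main(void) {
    struct policy p = parse_conf(THREAD_CONF);
    int pts, mand, ok = check(&p, "Tester2016x", &pts, &mand); /* constructed password */
    printf("points=%d of %d, mandatory classes=%d, accepted=%d\n", pts, p.min[POINTS], mand, ok);
    return 0;
}
```

When the number of mandatory classes exceeds minPoints, as it does with the configuration in the thread, the per-class minimums decide the outcome and minPoints has no practical effect.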
