Closed lfrede closed 9 months ago
rcritten
commented
9 months ago The dictionary should be in /usr/share/cracklib/pw_dict.*
You may get a more specific error, including the failed path, if you shell into the container and run something like: echo password | cracklib-check
lfrede
commented
9 months ago Hi rcritten,
Thanks for your reply,
Indeed i forgot to mention that this path actually exist and is populated with cracklib-small., cracklib.magic and pw_dict.hwm. (hwm, pwd and pwi),
Using "echo
rcritten
commented
9 months ago I can't reproduce this outside of a container. I don't work on containerization and have no idea how to troubleshoot this, particularly since cracklib otherwise works inside the container. The IPA password plugin is linked against libpwquality which does the cracklib call so there are quite a few moving parts.
adelton
commented
9 months ago @lfrede This testhost that you are ssh-ing to, what OS is that? Is that a IPA-enrolled client system?
@rcritten Thanks for checking it outside of containers, that's valuable. What is the mechanism the sshd on the IPA-enrolled machine checks the password using the FreeIPA server? I assume we talk about the password PAM management group. Is that handled by the SSSD and does SSSD make some API call to the FreeIPA server to verify the password?
abbra
commented
9 months ago @adelton yes, SSSD handles it. For IPA environment it would do Kerberos authentication using that password.
adelton
commented
9 months ago Umm, so SSSD would do Kerberos authentication to verify that password upon its change? Or would it run (the equivalent of?) kpasswd?
abbra
commented
9 months ago On a password change it would do equivalent of kpasswd, yes.
adelton
commented
9 months ago So we may assume that that The password fails the dictionary check - error loading dictionary comes from the FreeIPA server (in the container).
@lfrede Can you check docker exec -ti freeipa kpasswd testuser to see what you get directly in the FreeIPA container?
adelton
commented
9 months ago @abbra And is kpasswd expected to do the password quality check?
On my setup I get
echo password | podman exec -i freeipa-master cracklib-check
password: it is based on a dictionary wordbut
podman exec -ti freeipa-master kpasswd bob
Password for bob@EXAMPLE.TEST:
Enter new password:
Enter it again:
Password changed.passes just fine, with password as the new password.
rcritten
commented
9 months ago The check is not done by default. The password policy needs to be enabled: ipa pwpolicy-mod --dictcheck=True
adelton
commented
9 months ago Ahh, good to know. Now I get:
$ podman exec -ti freeipa-master ipa pwpolicy-mod --dictcheck=True --minlife=0
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 0
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
Dictionary check: True
Grace login limit: -1
$ podman exec -ti freeipa-master kpasswd bob
Password for bob@EXAMPLE.TEST:
Enter new password:
Enter it again:
Password change rejected: New password was found in a dictionary of possible passwords and
therefore may be easily guessed. Please choose another password.
See the kpasswd man page for help in choosing a good password.@lfrede Can you reproduce this behaviour?
lfrede
commented
9 months ago Hello Everyone,
Thank you very much for your answers (i was off yesterday),
So before anything i executed your commands : I'm able within the freeipa server to change the password using kpasswd without having dictionary issues, Setting up the dictionary check : ipa pwpolicy-mod --dictcheck=True --minlife=0,
I'm sorry, i realized it was because i didnt had checklib locally installed ... I was expecting it to be done from freeipa, (FYI freeipa is contenerized, but the enrolled client is a VM on Ubuntu Jammy). So i installed the checklibs locally and the error did not shown again, i was able to change the password, but it didnt check the dictionary. Although i used dictionary words in my pwd (theworld...), the password has been validated without mentioning the dictionary.
The user im testing doesnt exist locally so it cannot be due to a conflicting local user, I enrolled the client using freeipa-client (/usr/sbin/ipa-client-install --mkhomedir --no-ntp --principal={{ username }} --password={{ secret }}"),
So this behavior is weird because it seems that im not in control of some password policies from freeipa,
rcritten
commented
9 months ago I don't know why installing cracklib locally would affect anything. The enforcement is done within the server so it should have been something inside the container itself. This is independent of the client OS and password change mechanism (kerberos, LDAP, pam, nss).
lfrede
commented
9 months ago If i run the following on the host i can see the host is well enrolled with freeipa,
sudo /usr/sbin/ipa-client-install
This program will set up IPA client.
Version 4.9.8
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'./etc/ipa/default.conf is correctly filled, I can connect with kinit,
adelton
commented
9 months ago I'm sorry, i realized it was because i didnt had checklib locally installed ... I was expecting it to be done from freeipa, (FYI freeipa is contenerized, but the enrolled client is a VM on Ubuntu Jammy). So i installed the checklibs locally and the error did not shown again, i was able to change the password, but it didnt check the dictionary. Although i used dictionary words in my pwd (theworld...), the password has been validated without mentioning the dictionary.
@lfrede You were able to change the password how exactly (what command(s))?
lfrede
commented
9 months ago I was just testing the first connection that force the user to change his password.
$ ssh testuser@anotherhost.domain.com
(testuser@anotherhost.domain.com) Password:
(testuser@anotherhost.domain.com) Password expired. Change your password now.
Current Password:
(testuser@anotherhost.domain.com) New password:
(testuser@anotherhost.domain.com) BAD PASSWORD: The password fails the dictionary check - error loading dictionary
New password:
$ ssh testuser@testhost.domain.com
(testuser@testhost.domain.com) Password:
(testuser@testhost.domain.com) Password expired. Change your password now.
Current Password:
(testuser@testhost.domain.com) New password: treehorse
(testuser@testhost.domain.com) Retype new password: treehorse
Welcome to Ubuntu Testhost being the host having the cracklib locally, Anotherhost being the host just having freeipa-client installed the same way without having the cracklibs locally.
adelton
commented
9 months ago I'm able within the freeipa server to change the password using kpasswd without having dictionary issues, Setting up the dictionary check : ipa pwpolicy-mod --dictcheck=True --minlife=0,
With that ipa pwpolicy-mod --dictcheck=True done, can you also confirm that a dictionary word is correctly rejected when doing kpasswd?
lfrede
commented
9 months ago #ipa pwpolicy-mod --dictcheck=True
ipa: ERROR: no modifications to be performed
#kpasswd usetest
Password for usetest@DOMAIN.COM:
Enter new password: treehorse
Enter it again: treehorse
Password changed.I didnt realize but indeed It seems the dictcheck doesnt work as my pwd should be rejected,
lfrede
commented
9 months ago Ah it worked if i put a single word like "traduction :
Password change rejected: New password was found in a dictionary of possible passwords and
therefore may be easily guessed. Please choose another password.I was expexting it to detect some words in it like with the example before (treehorse)
Edit: same with the ssh testuser@testhost
adelton
commented
9 months ago Edit: same with the ssh testuser@testhost
What do you mean exactly? That ssh now behaves as expected?
adelton
commented
9 months ago So you verified that kpasswd usetest when run on the IPA server (in the container) works as expected.
Can you now do the same test but run it on the IPA client?
lfrede
commented
9 months ago Ok thanks i didn't checked on the client, Indeed kpasswd work even if the client doesnt have the libcrack. However, the first ssh connection with a new user (or reseted pwd) require the client to have the libcrack locally,
So i just need to install libcrack everywhere, but it also mean the dictionary policy regarding the first ssh connection is handled by the client and not by freeipa,
Example disabling dictcheck
# Freeipa server
ipa pwpolicy-mod --dictcheck=False
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 0
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
Dictionary check: False
Grace login limit: -1
# Freeipa client with cracklib
$ ssh testuser@testhost
(testuser@testhost) Password:
(testuser@testhost) Password expired. Change your password now.
Current Password:
(testuser@testhost) New password:
(testuser@testhost) BAD PASSWORD: The password is shorter than 8 characters
New password:
(testuser@testhost) BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
New password: I also tested modifying the length policy password on the freeipa server just to be sure the password policies are working with ssh and indeed this policy worked successfully.
It may not be intended but i don't plan disabling the dictionary check, Thank you very much for your help,
adelton
commented
9 months ago So how exactly did you manage to install freeipa-client to that Ubuntu without libcrack2? I see
$ podman run --rm ubuntu:22.04 bash -c 'apt update && DEBIAN_FRONTEND=noninteractive apt install freeipa-client -y'
[...]
The following additional packages will be installed:
augeas-lenses bind9-dnsutils bind9-host bind9-libs bind9-utils bzip2
ca-certificates certmonger chrony cracklib-runtime curl dbus dirmngr dmsetup
dnsutils file freeipa-common gir1.2-glib-2.0 gnupg gnupg-l10n gnupg-utils
gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm ieee-data iproute2
keyutils krb5-config krb5-user ldap-utils libapparmor1 libargon2-1
libassuan0 libatm1 libaugeas0 libavahi-client3 libavahi-common-data
libavahi-common3 libbasicobjects0 libbpf0 libbrotli1 libbsd0 libc-ares2
libcap2-bin libcollection4 libcrack2 libcryptsetup12 libcups2 libcurl4
libdbus-1-3 libdeflate0 libdevmapper1.02.1 libdhash1 libedit2 libelf1
libexpat1 libfreetype6 libfribidi0 libgdbm-compat4 libgdbm6
libgirepository-1.0-1 libglib2.0-0 libglib2.0-data libgomp1 libgraphite2-3
libgssrpc4 libharfbuzz0b libicu70 libimagequant0 libini-config5 libip4tc2
libipa-hbac0 libjansson4 libjbig0 libjpeg-turbo8 libjpeg8 libjson-c5
libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libkmod2 libksba8 liblcms2-2
libldap-2.5-0 libldap-common libldb2 liblmdb0 liblua5.3-0 libmagic-mgc
libmagic1 libmaxminddb0 libmd0 libmnl0 libmpdec3 libnfsidmap1 libnghttp2-14
libnl-3-200 libnl-route-3-200 libnpth0 libnspr4 libnss-sss libnss3
libnss3-tools libopenjp2-7 libpam-cap libpam-pwquality libpam-sss
libpath-utils1 libperl5.34 libpng16-16 libpopt0 libpsl5 libpwquality-common
libpwquality1 libpython3-stdlib libpython3.10 libpython3.10-minimal
libpython3.10-stdlib libraqm0 libreadline8 libref-array1 librpm9 librpmio9
librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db
libsasl2-modules-gssapi-mit libsmbclient libsqlite3-0 libssh-4
libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 libsss-sudo libtalloc2
libtdb1 libtevent0 libtiff5 libusb-1.0-0 libuv1 libwbclient0 libwebp7
libwebpdemux2 libwebpmux3 libxau6 libxcb1 libxdmcp6 libxml2 libxslt1.1
libxtables12 mailcap media-types mime-support netbase networkd-dispatcher
nss-plugin-pem oddjob oddjob-mkhomedir openssl perl perl-modules-5.34
pinentry-curses publicsuffix python-babel-localedata python3 python3-augeas
python3-babel python3-bs4 python3-certifi python3-cffi python3-cffi-backend
python3-chardet python3-cryptography python3-dbus python3-decorator
python3-distutils python3-dnspython python3-gi python3-gssapi
python3-html5lib python3-idna python3-ipaclient python3-ipalib
python3-jinja2 python3-ldap python3-ldb python3-lib2to3 python3-libipa-hbac
python3-lxml python3-markupsafe python3-minimal python3-netaddr
python3-netifaces python3-olefile python3-pil python3-pkg-resources
python3-ply python3-pyasn1 python3-pyasn1-modules python3-pycparser
python3-qrcode python3-requests python3-requests-toolbelt python3-setuptools
python3-six python3-soupsieve python3-sss python3-talloc python3-tz
python3-urllib3 python3-usb python3-webencodings python3-yubico python3.10
python3.10-minimal readline-common rpm-common samba-libs shared-mime-info
sssd sssd-ad sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common
sssd-ldap sssd-proxy systemd tzdata ucf wamerican xdg-user-dirs xz-utils
Suggested packages:
augeas-doc bzip2-doc default-dbus-session-bus | dbus-session-bus
dbus-user-session libpam-systemd pinentry-gnome3 tor libpam-krb5 parcimonie
xloadimage scdaemon iproute2-doc krb5-k5tls augeas-tools cups-common
gdbm-l10n krb5-doc liblcms2-utils mmdb-bin libsasl2-modules-ldap
libsasl2-modules-otp libsasl2-modules-sql iw | wireless-tools perl-doc
libterm-readline-gnu-perl | libterm-readline-perl-perl make
libtap-harness-archive-perl pinentry-doc python3-doc python3-tk python3-venv
python3-dev python-cryptography-doc python3-cryptography-vectors
python-dbus-doc python3-sniffio python3-trio python3-genshi
python-jinja2-doc python-lxml-doc ipython3 python-netaddr-docs
python-pil-doc python-ply-doc cpp python3-openssl python3-socks
python-requests-doc python-setuptools-doc python3.10-venv python3.10-doc
binutils binfmt-support readline-doc adcli apparmor sssd-tools
systemd-container libfido2-1 libtss2-esys-3.0.2-0 libtss2-mu0 libtss2-rc0
policykit-1
The following NEW packages will be installed:
augeas-lenses bind9-dnsutils bind9-host bind9-libs bind9-utils bzip2
ca-certificates certmonger chrony cracklib-runtime curl dbus dirmngr dmsetup
dnsutils file freeipa-client freeipa-common gir1.2-glib-2.0 gnupg gnupg-l10n
gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm
ieee-data iproute2 keyutils krb5-config krb5-user ldap-utils libapparmor1
libargon2-1 libassuan0 libatm1 libaugeas0 libavahi-client3
libavahi-common-data libavahi-common3 libbasicobjects0 libbpf0 libbrotli1
libbsd0 libc-ares2 libcap2-bin libcollection4 libcrack2 libcryptsetup12
libcups2 libcurl4 libdbus-1-3 libdeflate0 libdevmapper1.02.1 libdhash1
libedit2 libelf1 libexpat1 libfreetype6 libfribidi0 libgdbm-compat4 libgdbm6
libgirepository-1.0-1 libglib2.0-0 libglib2.0-data libgomp1 libgraphite2-3
libgssrpc4 libharfbuzz0b libicu70 libimagequant0 libini-config5 libip4tc2
libipa-hbac0 libjansson4 libjbig0 libjpeg-turbo8 libjpeg8 libjson-c5
libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libkmod2 libksba8 liblcms2-2
libldap-2.5-0 libldap-common libldb2 liblmdb0 liblua5.3-0 libmagic-mgc
libmagic1 libmaxminddb0 libmd0 libmnl0 libmpdec3 libnfsidmap1 libnghttp2-14
libnl-3-200 libnl-route-3-200 libnpth0 libnspr4 libnss-sss libnss3
libnss3-tools libopenjp2-7 libpam-cap libpam-pwquality libpam-sss
libpath-utils1 libperl5.34 libpng16-16 libpopt0 libpsl5 libpwquality-common
libpwquality1 libpython3-stdlib libpython3.10 libpython3.10-minimal
libpython3.10-stdlib libraqm0 libreadline8 libref-array1 librpm9 librpmio9
librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db
libsasl2-modules-gssapi-mit libsmbclient libsqlite3-0 libssh-4
libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 libsss-sudo libtalloc2
libtdb1 libtevent0 libtiff5 libusb-1.0-0 libuv1 libwbclient0 libwebp7
libwebpdemux2 libwebpmux3 libxau6 libxcb1 libxdmcp6 libxml2 libxslt1.1
libxtables12 mailcap media-types mime-support netbase networkd-dispatcher
nss-plugin-pem oddjob oddjob-mkhomedir openssl perl perl-modules-5.34
pinentry-curses publicsuffix python-babel-localedata python3 python3-augeas
python3-babel python3-bs4 python3-certifi python3-cffi python3-cffi-backend
python3-chardet python3-cryptography python3-dbus python3-decorator
python3-distutils python3-dnspython python3-gi python3-gssapi
python3-html5lib python3-idna python3-ipaclient python3-ipalib
python3-jinja2 python3-ldap python3-ldb python3-lib2to3 python3-libipa-hbac
python3-lxml python3-markupsafe python3-minimal python3-netaddr
python3-netifaces python3-olefile python3-pil python3-pkg-resources
python3-ply python3-pyasn1 python3-pyasn1-modules python3-pycparser
python3-qrcode python3-requests python3-requests-toolbelt python3-setuptools
python3-six python3-soupsieve python3-sss python3-talloc python3-tz
python3-urllib3 python3-usb python3-webencodings python3-yubico python3.10
python3.10-minimal readline-common rpm-common samba-libs shared-mime-info
sssd sssd-ad sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common
sssd-ldap sssd-proxy systemd tzdata ucf wamerican xdg-user-dirs xz-utils
0 upgraded, 239 newly installed, 0 to remove and 6 not upgraded.sudo apt-get install freeipa-client
The following additional packages will be installed:
augeas-lenses bind9-utils certmonger freeipa-common gcc-12-base ieee-data krb5-config krb5-user libaugeas0
libavahi-client3 libavahi-common-data libavahi-common3 libbasicobjects0 libc-ares2 libcollection4 libcrack2
libcups2 libdeflate0 libdhash1 libfribidi0 libgcc-s1 libgdbm-compat4 libgomp1 libgraphite2-3 libgssapi-krb5-2
libgssrpc4 libharfbuzz0b libimagequant0 libini-config5 libipa-hbac0 libjansson4 libjbig0 libjpeg-turbo8 libjpeg8
libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libkrb5-3 libkrb5support0 liblcms2-2 libldb2 libnl-3-200
libnl-route-3-200 libnspr4 libnss-sss libnss3 libnss3-tools libopenjp2-7 libpam-pwquality libpam-sss
libpath-utils1 libperl5.34 libpwquality-common libpwquality1 libraqm0 libref-array1 librpm9 librpmio9
libsasl2-modules libsasl2-modules-gssapi-mit libsmbclient libsss-certmap0 libsss-idmap0 libsss-nss-idmap0
libsss-sudo libstdc++6 libtalloc2 libtdb1 libtevent0 libtiff5 libusb-1.0-0 libwbclient0 libwebp7 libwebpdemux2
libwebpmux3 libxau6 libxcb1 libxdmcp6 libxslt1.1 mailcap mime-support nss-plugin-pem oddjob oddjob-mkhomedir perl
perl-base perl-modules-5.34 python3-augeas python3-cffi python3-decorator python3-dnspython python3-gssapi
python3-ipaclient python3-ipalib python3-ldap python3-ldb python3-libipa-hbac python3-lxml python3-netaddr
python3-pil python3-ply python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-qrcode python3-sss
python3-talloc python3-usb python3-yubico samba-libs sssd sssd-ad sssd-ad-common sssd-common sssd-ipa sssd-krb5
sssd-krb5-common sssd-ldap sssd-proxy
Suggested packages:
augeas-doc libpam-krb5 krb5-k5tls augeas-tools cups-common krb5-doc liblcms2-utils libsasl2-modules-ldap
libsasl2-modules-otp libsasl2-modules-sql perl-doc libterm-readline-gnu-perl | libterm-readline-perl-perl make
libtap-harness-archive-perl python3-dev python3-sniffio python3-trio python-lxml-doc ipython3 python-netaddr-docs
python-pil-doc python-ply-doc cpp adcli apparmor sssd-tools
Recommended packages:
chrony cracklib-runtime krb5-locales rpm-common bzip2 python3-requests-toolbelt python3-bs4 python3-html5lib
python3-olefile ldap-utils
The following NEW packages will be installed:
augeas-lenses bind9-utils certmonger freeipa-client freeipa-common ieee-data krb5-config krb5-user libaugeas0
libavahi-client3 libavahi-common-data libavahi-common3 libbasicobjects0 libc-ares2 libcollection4 libcrack2
libcups2 libdeflate0 libdhash1 libfribidi0 libgdbm-compat4 libgomp1 libgraphite2-3 libgssrpc4 libharfbuzz0b
libimagequant0 libini-config5 libipa-hbac0 libjansson4 libjbig0 libjpeg-turbo8 libjpeg8 libkadm5clnt-mit12
libkadm5srv-mit12 libkdb5-10 liblcms2-2 libldb2 libnl-3-200 libnl-route-3-200 libnspr4 libnss-sss libnss3
libnss3-tools libopenjp2-7 libpam-pwquality libpam-sss libpath-utils1 libperl5.34 libpwquality-common
libpwquality1 libraqm0 libref-array1 librpm9 librpmio9 libsasl2-modules libsasl2-modules-gssapi-mit libsmbclient
libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 libsss-sudo libtalloc2 libtdb1 libtevent0 libtiff5 libusb-1.0-0
libwbclient0 libwebp7 libwebpdemux2 libwebpmux3 libxau6 libxcb1 libxdmcp6 libxslt1.1 mailcap mime-support
nss-plugin-pem oddjob oddjob-mkhomedir perl perl-modules-5.34 python3-augeas python3-cffi python3-decorator
python3-dnspython python3-gssapi python3-ipaclient python3-ipalib python3-ldap python3-ldb python3-libipa-hbac
python3-lxml python3-netaddr python3-pil python3-ply python3-pyasn1 python3-pyasn1-modules python3-pycparser
python3-qrcode python3-sss python3-talloc python3-usb python3-yubico samba-libs sssd sssd-ad sssd-ad-common
sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy
cat /etc/apt/sources.list | grep -Ev "#|$^"
deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted
deb http://archive.ubuntu.com/ubuntu jammy universe
deb http://archive.ubuntu.com/ubuntu jammy-updates universe
deb http://archive.ubuntu.com/ubuntu jammy multiverse
deb http://archive.ubuntu.com/ubuntu jammy-updates multiverse
deb http://archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu jammy-security main restricted
deb http://security.ubuntu.com/ubuntu jammy-security universe
deb http://security.ubuntu.com/ubuntu jammy-security multiverseIts shown in recommended packages and my ubuntu seems to not install them by default as it should be, It seems the image i was using had some modifications regarding apt...
adelton
commented
9 months ago For the record and note to self, the setup I used to test the behaviour is
# Dockerfile
FROM docker.io/library/ubuntu:22.04
RUN apt update -y && DEBIAN_FRONTEND=noninteractive apt install -y systemd freeipa-client openssh-server
RUN systemctl enable ssh$ podman build -t localhost/ubuntu:systemd .
$ podman pod create --add-host ipa.example.test:10.0.2.100 --add-host client.example.test:10.0.2.100 issue-580
$ podman run -d --pod=issue-580 --name freeipa-server-container --uts=private -h ipa.example.test -e PASSWORD=Secret123 quay.io/freeipa/freeipa-server:almalinux-9 -U -r EXAMPLE.TEST --no-ntp
$ podman run -d --name ubuntu-systemd --pod issue-580 --uts=private -h client.example.test localhost/ubuntu:systemd /usr/bin/systemd
$ podman logs -f freeipa-server-container
[ ... wait for FreeIPA server configured message, then Ctrl-C ...]
$ echo Secret123 | podman exec -i freeipa-server-container kinit admin
$ ( echo test ; echo test ) | podman exec -i freeipa-server-container ipa user-add --first=Robert --last=Chase bob --password
$ podman exec freeipa-server-container ipa pwpolicy-mod --dictcheck=True --minlife=0
$ podman exec ubuntu-systemd ipa-client-install --server=ipa.example.test --domain example.test -p admin -w Secret123 -U --no-ntp$ podman exec -ti ubuntu-systemd ssh bob@localhost
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:fb1NMUfvH0IiVTfuYchOyf2ehfknlZYgyH8bfw0b8K4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
(bob@localhost) Password: test
(bob@localhost) Password expired. Change your password now.
Current Password: test
(bob@localhost) New password: password
(bob@localhost) BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
New password:
Hi everyone,
I installed freeipa with docker for testing purpose, creating my first user/host/hbac i get the following error :
The dictionary is available on the freeipa container :
I installed freeipa this way, with a DNS :
And installed freeipa-client on the host (4.9.8-1),
Im trying to find where it is configured on the freeipa container but im still figuring it out, There is also nothing in the Password Policy that regard the dictionary, I dont see any related issues, could it be a bug of the freeipa version or did i miss something ?