setting password restriction policy

#1 Tue, 02/24/2009 - 11:43
pmasse

I have setup a password restriction policy with a minimum of 8 characters, no username in password and no dictionary words. However, when changing my password to something that breaks these rules in usermin, shouldn't it complain and not allow this?

Am I missing something in how to do this?

Usermin --> Users and Groups --> Module Config --> Password restrictions

Tue, 02/24/2009 - 12:15
pmasse

While searching for help on this topic in webmin, I found 'Password Change Date' which is supposed to be in users and groups. However I can't seem to find this option.

Is this something that needs to be enabled somewhere?

Tue, 02/24/2009 - 20:29 (Reply to #2)
Joe

This is a Usermin bug .. it isn't updating the configuration file that contains the user's IMAP password. I will fix this in the next release..

--

Check out the forum guidelines!

Tue, 02/24/2009 - 12:48
pmasse

Update.

I'm able to force users to change their passwords on the next login to usermin. Still not sure if password policy is being enforced here or not. I have noticed that upon changing their password in usermin, they still need to change their password for their email.

What would really be nice at this point would be to have the initial password change of usermin change all modules for this user.

Is this possible via some script or an option within usermin?

Thanks in advance.

Pete

Tue, 02/24/2009 - 14:32 (Reply to #4)
Joe

> I have noticed that upon changing their password in usermin, they still need to change their password for their email.

That's impossible. ;-)

Usermin, by default, uses system users--changing the password for the user really changes the user's password. There is no such thing as a "Usermin password"; it is the system user password.

Likewise, mail on a Virtualmin system installed using install.sh, uses system users for logins. Changing the password in Usermin changes the system password, and thus it'd be impossible to change the password in Usermin without changing it for mail users.

So, what about this description doesn't apply to your installation? Did you install using install.sh? Are you using system users for Usermin and mail, or have you setup a non-standard database for mail users (without configuring Usermin to do the same thing, or configuring PAM to work with your alternate database)?


Tue, 02/24/2009 - 16:49
pmasse

This describes my system. I did use install.sh on a clean install of (supported) Linux. The users are all system users in /etc/passwd.

I'm using Postfix + Dovecot with Dovecot Authentication (rather than cyrus). No non-standard authentication here, just out of the box.

After the user is told their password expires and they change it and then log into Usermin, rather than showing the email, the following error pops up in red:

An error occurred listing mail in this folder : Failed to login to POP3 server : Authentication failed.

Then by selecting the "Change Password" option on the left tool bar and changing the password again, all is well.

So it works like it's supposed to when resetting the password from within Usermin; it is only when the prompt comes up that tells the user their password has expired and to change it that it does not change everything. Does that mechanism also use "system users--changing the password for the user"?

Tue, 02/24/2009 - 17:24 (Reply to #6)
andreychek

Howdy,

So just to make sure I understand what you're saying -- when the user is told their password expired, and they first change it -- is that initial change being done in Usermin?

And what you're saying, then, is that another change in Usermin needs to be made in order to actually be able to read email?
-Eric

Tue, 02/24/2009 - 19:17 (Reply to #7)
Joe

Oh! I get it now--it's actually Usermin's stored POP3/IMAP client password that isn't synced up. This would be bug-like. It comes from the fact that Read Mail is being used as an IMAP mail client, rather than accessing things directly--so, it could be contacting a completely different server on behalf of the user. It just happens that in this case it isn't.

Since that's the case, and this is the way we setup systems, by default...it should be smarter. I'll ask Jamie to chime in on this thread with regards to whether that's possible and reasonable for the next release.


Tue, 02/24/2009 - 19:27 (Reply to #8)
pmasse

With that in mind Joe, can I feel confident that it's nothing I have configured wrong? Is there anything to change or just roll with it until a later release?

Thanks for your help! :)

Thu, 02/26/2009 - 15:01 (Reply to #9)
pmasse

Incidentally, for those creating user accounts manually and trying to set PASS_MIN_LEN in /etc/login.defs: this parameter does not work. It is superseded by the PAM module "pam_cracklib". I'm not sure how Virtualmin handles this.
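The three rules pmasse lists in the first post (minimum length 8, no username in the password, no dictionary words) are the same kind of checks pam_cracklib applies when it supersedes PASS_MIN_LEN. The following is an added example, not code from this thread, Usermin or pam_cracklib: a simplified checker for that policy, with a constructed miniature dictionary standing in for the system word list.

```python
"""Added example: a minimal password-policy checker mirroring the three rules
from this thread (minimum length 8, no username in the password, no dictionary
word). It is a simplified stand-in for what pam_cracklib enforces, not
Usermin's or pam_cracklib's own code; the dictionary below is constructed."""

# Constructed miniature dictionary standing in for the system word list
# (for example /usr/share/dict/words, which cracklib indexes and mangles).
DICTIONARY = {"password", "welcome", "letmein", "sunshine", "dragon"}

MIN_LEN = 8


def check_password(candidate, username, dictionary=DICTIONARY, min_len=MIN_LEN):
    """Return a list of violated rules; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    low = candidate.lower()
    user = username.lower()
    # pam_cracklib's reject_username also rejects the reversed username.
    if user and (user in low or user[::-1] in low):
        problems.append("contains the username (forwards or reversed)")
    # Simplified dictionary check: exact match after stripping leading/trailing
    # digits and symbols (the common "word + digits" pattern). cracklib applies
    # many more mangling rules than this.
    stripped = low.strip("0123456789!@#$%^&*()-_=+.,")
    if low in dictionary or stripped in dictionary:
        problems.append("is a dictionary word")
    return problems


def is_acceptable(candidate, username):
    """True when no rule is violated."""
    return not check_password(candidate, username)
```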

Tue, 05/25/2010 - 16:14 (Reply to #10)
pmasse

Joe,

I wanted to check back and see if anything had been updated on syncing the Usermin and POP3/IMAP password.

Tue, 02/24/2009 - 19:18
pmasse

Correct andreychek,

They go to mail.myhost.com which rewrites to https://mail.myhost.com:20000 and try and log in. It pops up and says "your password has expired", has them enter their old password, then a new password twice. After that it congratulates them for changing their password and tells them they can now log in using the new password. That works, but once logged in to usermin, a message says mail can't be displayed because it can't authenticate with the pop server.

It would make sense that it can't talk to the pop server because the passwords don't match.

Then I do the rest of what you said.

Sorry for being redundant, but I want to make sure I'm clear.

Pete
