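After setting the password to expire with:
sudo chage -d 0 username
I then changed the password and logged in as that user.
When I type "passwd" and try to set the original password, I get the message:
"Password policy - BAD PASSWORD: The password is just rotated old one"
I have looked at the following file but can't see a policy line item that might cause this behaviour: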
sudo nano /etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass yesc>
password sufficient pam_sss.so use_authtok
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
# end of pam-auth-update config
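What is causing the "BAD PASSWORD: The password is just rotated old one" error message?
Cheers!
Answer 1
pam_pwquality is causing this; it matches the error message exactly: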
case PWQ_ERROR_ROTATED:
return _("The password is just rotated old one");
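There does not appear to be an option to disable this via the pwquality.conf(5) configuration file. Even if pam_pwquality were disabled (probably a bad idea; attackers love passwords that don't change or don't change much), pam_unix might also reject the password for its own reasons.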
Answer 2
This is probably the obscure option of pam_unix.so. From man 8 pam_unix:
obscure
    Enable some extra checks on password strength. These checks are based on the "obscure" checks in the original shadow package. The behavior is similar to the pam_cracklib module, but for non-dictionary-based checks. The following checks are implemented:
    [...descriptions of other checks cut out for brevity...]
    Rotated
        Is the new password a rotated version of the old password? (E.g., "billy" and "illyb")
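The main purpose of pam_unix.so is to handle the /etc/passwd and /etc/shadow files, but it also includes functionality to perform some basic password quality checks.
pam_pwquality.so is another module that may perform password quality checks.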
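Added example, not part of any answer above and not code from pam_pwquality or pam_unix: a small Python audit that lists which entries in a PAM password stack can reject a rotated password, according to Answers 1 and 2, plus an illustrative rotation test. The sample stack is constructed from the file quoted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the common-password stack quoted in the question.
SAMPLE_STACK = """\
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass
password sufficient pam_sss.so use_authtok
password requisite pam_deny.so
password required pam_permit.so
"""

# type, control (simple keyword or [bracketed] form), module path, arguments
PAM_LINE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def rotation_checkers(pam_text):
    """Return (module, reason) for password-stack entries that can reject rotations."""
    found = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = PAM_LINE.match(line)                 # "@include ..." lines do not match
        if not m or m["type"].lstrip("-") != "password":
            continue
        module = m["module"].rsplit("/", 1)[-1]  # tolerate absolute module paths
        args = m["args"].split()
        if module == "pam_pwquality.so":
            found.append((module, "PWQ_ERROR_ROTATED check"))
        elif module == "pam_unix.so" and "obscure" in args:
            found.append((module, "obscure option enables the Rotated check"))
    return found


def is_rotation(old, new):
    """Illustrative only: True if new is old shifted cyclically ("billy" -> "illyb").

    A zero shift (new == old) also counts as a rotation in this sketch.
    """
    return len(old) == len(new) and new in old + old


if __name__ == "__main__":
    for module, reason in rotation_checkers(SAMPLE_STACK):
        print(f"{module}: {reason}")
    print(is_rotation("billy", "illyb"))
```

To audit a real system, pass the contents of /etc/pam.d/common-password to rotation_checkers() in place of the constructed sample.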
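Answer 3
I would interpret "Password policy - BAD PASSWORD: The password is just rotated old one" as meaning that you are trying to use a password that has been used before.
The error message is not very clear, though.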