Password policy - BAD PASSWORD: The password is just rotated old one

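After setting the password to expire via:

sudo chage -d 0 username

I then change the password and log in as that user.

When I type "passwd" and try to set the original password, I get the message;

"Password policy - BAD PASSWORD: The password is just rotated old one"

I have looked at the following file but cannot see a policy line item that could cause this behaviour;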

sudo nano /etc/pam.d/common-password


# here are the per-package modules (the "Primary" block)
password        requisite                       pam_pwquality.so retry=3
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yesc>
password        sufficient                      pam_sss.so use_authtok
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional        pam_gnome_keyring.so
password        optional        pam_ecryptfs.so
# end of pam-auth-update config

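What is causing the "BAD PASSWORD: The password is just rotated old one" error message?

Cheers!

Answer 1

pam_pwquality is causing this; it matches the error message exactly: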

    case PWQ_ERROR_ROTATED:
            return _("The password is just rotated old one");

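There does not appear to be an option to disable this through the pwquality.conf(5) configuration file. Even if pam_pwquality were disabled (probably a bad idea; attackers like passwords that do not change, or do not change much), pam_unix might still reject the password for reasons of its own.

Answer 2

This could be the obscure parameter of pam_unix.so. From man 8 pam_unix: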

   obscure
      Enable some extra checks on password strength. These checks are
      based on the "obscure" checks in the original shadow package. The
      behavior is similar to the pam_cracklib module, but for
      non-dictionary-based checks. The following checks are implemented:

      [...descriptions of other checks cut out for brevity...]

      Rotated
          Is the new password a rotated version of the old password?
          (E.g., "billy" and "illyb")

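The main purpose of pam_unix.so is to handle the /etc/passwd and /etc/shadow files, but it also includes functionality to perform some basic password quality checks.

pam_pwquality.so is another module that may perform password quality checks.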
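
The "Rotated" check described in the pam_unix man page excerpt above, written out as an added C example; it is not code from pam_unix, libpwquality or this page. The names is_rotated() and lower_copy() are hypothetical, and the case folding is an assumption of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lower-cased heap copy of s (caller frees), or NULL on allocation failure. */
static char *lower_copy(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(n + 1);
    for (size_t i = 0; out && i <= n; i++)   /* i == n copies the NUL */
        out[i] = (char)tolower((unsigned char)s[i]);
    return out;
}

/*
 * is_rotated() is a hypothetical helper for this example: 1 if new_pw is a
 * rotation of old_pw, 0 if not, -1 on allocation failure. Case folding is
 * an assumption. Every rotation of an n-byte string occurs as a substring
 * of that string concatenated with itself.
 */
int is_rotated(const char *old_pw, const char *new_pw)
{
    size_t n = strlen(old_pw);
    char *oldl, *newl, *wrapped;
    int rc = -1;
    if (n == 0 || strlen(new_pw) != n)
        return 0;                 /* rotations always have equal length */
    oldl = lower_copy(old_pw);
    newl = lower_copy(new_pw);
    wrapped = malloc(2 * n + 1);
    if (oldl && newl && wrapped) {
        memcpy(wrapped, oldl, n);
        memcpy(wrapped + n, oldl, n + 1);    /* second copy plus NUL */
        rc = strstr(wrapped, newl) != NULL;
    }
    free(oldl);
    free(newl);
    free(wrapped);
    return rc;
}

int main(void)
{
    /* Constructed pairs; "billy"/"illyb" is the man page's own example. */
    printf("%d %d %d\n", is_rotated("billy", "illyb"),
           is_rotated("billy", "billy"), is_rotated("billy", "bilyl"));
    return 0;
}
```

Under this definition an unchanged password is a rotation by zero positions, so the example also reports it as rotated.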

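Answer 3

I interpret "Password policy - BAD PASSWORD: The password is just rotated old one" as meaning that you are trying to use a password you have used before.

The error message is not very clear, though.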
