Bug 1024727

Summary: pam_cracklib - password check for user name is active even in absence of reject_username argument
Product: Red Hat Enterprise Linux 6 Reporter: Athar <athar.lh>
Component: cracklibAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.4CC: nalin
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-22 13:14:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Athar 2013-10-30 10:31:50 UTC 
Description of problem:
Even when reject_username argument is not specified with pam_cracklib module, the password is being rejected for containing the user name.


Version-Release number of selected component (if applicable): pam-1.1.1-13.el6.x86_64


How reproducible: 100 %


Steps to Reproduce:

PAM configurations -
# cat /etc/pam.d/system-auth
#%PAM-1.0M-1.0
## This file is auto-generated.
## User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=0 lcredit=0 ocredit=0 ucredit=0 maxrepeat=0 difok=0
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

1. Create user "username".
2. Change the password for username. ( using root )
[root@localhost ~]# passwd username
Changing password for user username.
New password:  				>>>>>>>>>>>>>>> Password entered here is "password"
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

3. Try to change the password of username. ( by logging in as username )

[root@localhost ~]# su username
[username@localhost root]$ passwd 
Changing password for user username.
Changing password for username.
(current) UNIX password: 
New password: 				>>>>>>>>>>>>>>> Password entered here is "username"
BAD PASSWORD: it is based on your username
New password: 				>>>>>>>>>>>>>>> Password entered here is "username1"
BAD PASSWORD: it is based on your username
New password: 				>>>>>>>>>>>>>>> Password entered here is "username12"
BAD PASSWORD: it is based on your username
Password: 
passwd: Have exhausted maximum number of retries for service

[username@localhost root]$ 
[username@localhost root]$ passwd 
Changing password for user username.
Changing password for username.
(current) UNIX password: 
New password: 				>>>>>>>>>>>>>>> Password entered here is "username123"
BAD PASSWORD: it is based on your username
New password: 				>>>>>>>>>>>>>>> Password entered here is "username1234"
Retype new password: 
passwd: all authentication tokens updated successfully.
[username@localhost root]$ 

[username@localhost root]$ passwd 
Changing password for user username.
Changing password for username.
(current) UNIX password: 
New password: 				>>>>>>>>>>>>>>> Password entered here is "1username"
BAD PASSWORD: it is based on your username
New password: 				>>>>>>>>>>>>>>> Password entered here is "1username2"
Retype new password: 
passwd: all authentication tokens updated successfully.


Actual results:
The passwords containing the username are rejected.

Expected results:
The passwords containing user name should be accepted.

Additional info:
Is there any documentation available as to which combinations of passwords will be accepted even when they contain the user name?
Comment 2 RHEL Program Management 2013-10-30 13:01:00 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 3 Tomas Mraz 2017-09-22 13:14:47 UTC 
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please re-open the BZ and request a re-evaluation of the issue, citing a clear business justification.