Bug 1292699
| Field | Value |
|---|---|
| Summary | enable having the old and new password being the same via difok=0 setting |
| Product | [Fedora] Fedora |
| Component | libpwquality |
| Version | rawhide |
| Status | CLOSED WONTFIX |
| Severity | low |
| Priority | low |
| Reporter | Wayne Pollock <pollock> |
| Assignee | Tomas Mraz <tmraz> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | tmraz |
| Keywords | FutureFeature |
| Hardware | Unspecified |
| OS | Linux |
| Doc Type | Enhancement |
| Type | Bug |
| Last Closed | 2017-05-26 14:32:26 UTC |

Description
Wayne Pollock
2015-12-18 06:26:50 UTC
I think I found part of the problem. These lines in check.c:

    if (oldpassword && strcmp(oldpassword, password) == 0) {
            return PWQ_ERROR_SAME_PASSWORD;
    }

also need to check that difok wasn't zero.

Note the other part of this bug: that pam_pwquality.c <https://fedorahosted.org/libpwquality/browser/src/pam_pwquality.c> doesn't seem to check for difok= as an argument.

No, pam_pwquality checks for difok= by means of pwquality_set_option(pwq, *argv). So it definitely is not ignored if set on the module command line. However, as you correctly found, it is not possible to allow for having the new password same as the old one if difok is set to 0.

It is not true though that this is any different from pam_cracklib. The check from comment 1 is present in pam_cracklib too and will make it error out in a similar way.

There is no point in enabling such functionality. Also, a future libpwquality release will enable difok=0 to mean switch off all the old password similarity checks except for the password being exactly the same, which I think is much more useful.
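
The check ordering discussed in this report, as an added example that is not libpwquality code and not from the reporter or maintainer: a small self-contained model in which the exact-match test runs before difok is consulted, and difok=0 turns off only the similarity test. The names `model_check`, `edit_distance` and the `MODEL_*` codes are hypothetical, the passwords are constructed samples, and edit distance is an assumed stand-in for the library's own similarity measure.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this model (not libpwquality's values). */
enum { MODEL_OK = 0, MODEL_SAME_PASSWORD = -1, MODEL_TOO_SIMILAR = -2 };

/* Assumption: Levenshtein distance stands in for the real similarity
 * measure. Inputs are clamped to 63 bytes to fit the fixed row buffer. */
static int edit_distance(const char *a, const char *b)
{
    int row[64];
    size_t la = strlen(a), lb = strlen(b), i, j;
    if (la > 63) la = 63;
    if (lb > 63) lb = 63;
    for (j = 0; j <= lb; j++) row[j] = (int)j;
    for (i = 1; i <= la; i++) {
        int diag = row[0];                 /* d[i-1][j-1] */
        row[0] = (int)i;
        for (j = 1; j <= lb; j++) {
            int up = row[j];               /* d[i-1][j] */
            int best = diag + (a[i - 1] != b[j - 1]);
            if (up + 1 < best) best = up + 1;
            if (row[j - 1] + 1 < best) best = row[j - 1] + 1;
            row[j] = best;
            diag = up;
        }
    }
    return row[lb];
}

int model_check(const char *oldpw, const char *newpw, int difok)
{
    /* Same shape as the quoted check: identical passwords are rejected
     * first, whatever value difok has. */
    if (oldpw && strcmp(oldpw, newpw) == 0)
        return MODEL_SAME_PASSWORD;
    /* difok=0 as described for a future release: similarity checks off. */
    if (oldpw && difok > 0 && edit_distance(oldpw, newpw) < difok)
        return MODEL_TOO_SIMILAR;
    return MODEL_OK;
}

int main(void)
{
    const char *oldpw = "Tr0ub4dor&3";     /* constructed sample */
    printf("same, difok=0:    %d\n", model_check(oldpw, "Tr0ub4dor&3", 0));
    printf("similar, difok=0: %d\n", model_check(oldpw, "Tr0ub4dor&4", 0));
    printf("similar, difok=5: %d\n", model_check(oldpw, "Tr0ub4dor&4", 5));
    return 0;
}
```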