Bug 1323175

Summary: optional cracklib-dicts
Product: [Fedora] Fedora
Reporter: Harald Hoyer <harald>
Component: libpwquality
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: ppisar, tmraz, yselkowi
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libpwquality-1.3.0-5.fc25
Doc Type: Bug Fix
Last Closed: 2016-04-11 15:04:56 UTC
Type: Bug
Bug Blocks: 1323209

Description Harald Hoyer 2016-04-01 12:43:28 UTC
Please try to make cracklib-dicts optional.

We are trying to minimize the base container image size and cracklib-dicts is huge (9.5MB).

An option would be to make it a "Recommends".

Comment 1 Yaakov Selkowitz 2016-04-06 15:34:15 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=1323172#c4

Comment 2 Petr Pisar 2016-04-20 13:09:15 UTC
How is the dictionary optional? With this default PAM configuration:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

a user cannot change his password because it complains about a missing dictionary:

$ passwd
Changing password for user test.
Changing password for test.
Current password:
New password:
/usr/share/cracklib/pw_dict.pwd.gz: No such file or directory
BAD PASSWORD: The password fails the dictionary check - error loading dictionary
New password:

A similar issue is with perl-Crypt-Cracklib, which also fails with the default configuration. I wanted to fix perl-Crypt-Cracklib by hard-requiring cracklib-dicts. But since pam_pwquality.so suffers from the same issue, I must ask whether the dictionary is really optional.

Comment 3 Tomas Mraz 2016-04-20 13:56:47 UTC
libpwquality and pam_pwquality allow you to switch off the dictionary check completely.

It's just an option in pwquality.conf; use 'dictcheck=0'.

It is not optional in the default configuration; however, I cannot see how to implement this differently.
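
Added example, not part of the bug thread or of libpwquality: a shell check for the failure mode shown in comment 2, reporting whether the dictionary check is switched off, working, or enabled with no dictionary installed. It assumes the setting lives in /etc/security/pwquality.conf (options passed on the pam_pwquality.so line and drop-in files are not inspected) and takes the dictionary base path from the error message above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a host's pwquality dictionary-check state.
# Paths are parameters so the check can also run against test fixtures.

# Print the effective dictcheck value from a pwquality.conf-style file.
# Assumption: the check is on (1) when the option is absent, and the
# last uncommented assignment in the file wins.
effective_dictcheck() {
    conf=$1
    val=1
    if [ -r "$conf" ]; then
        found=$(sed -n \
            's/^[[:space:]]*dictcheck[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' \
            "$conf" | tail -n 1)
        if [ -n "$found" ]; then
            val=$found
        fi
    fi
    echo "$val"
}

# Print one of:
#   disabled - dictcheck=0, no dictionary needed, no dictionary check done
#   ok       - check enabled and a dictionary file is present
#   broken   - check enabled but dictionary missing; password changes
#              are rejected with "error loading dictionary"
dictcheck_state() {
    conf=${1:-/etc/security/pwquality.conf}
    base=${2:-/usr/share/cracklib/pw_dict}
    if [ "$(effective_dictcheck "$conf")" -eq 0 ]; then
        echo disabled
    elif [ -e "$base.pwd" ] || [ -e "$base.pwd.gz" ]; then
        echo ok
    else
        echo broken
    fi
}

# Report the state of the local host (or of the paths given as arguments).
dictcheck_state "$@"
```

A "broken" result on an image built without cracklib-dicts means either the package or an explicit dictcheck=0 is still needed; "disabled" means passwords are no longer compared against the dictionary at all.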