Bug 1387702

Summary: passwd hard dependency on cracklib-dicts
Product: Red Hat Enterprise Linux 7
Reporter: Frantisek Kluknavsky <fkluknav>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: mattdm, pkis
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-09-22 13:21:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Frantisek Kluknavsky 2016-10-21 15:21:18 UTC
Description of problem:
passwd rpm depends on pam, which in turn depends on cracklib and cracklib-dicts. I do not want to dispute the need for strong passwords but sometimes this measure is not necessary. For example, containers are often without any passwords - regular users are not supposed to ever log in. Cracklib-dicts take a lot of space in container images. It would be great to have a way to install a minimal system without cracklib-dicts.

Comment 2 Matthew Miller 2016-10-31 15:04:08 UTC
See also bug #865521 ("rfe: smaller cracklibs-dict for cloud images")

Comment 3 Miloslav Trmač 2016-10-31 17:53:33 UTC
passwd links to libpam, so it will always depend on PAM. Whether pam, libpwquality, or whatever puts pam_pwquality into default PAM configs should depend on cracklib-dicts is up to whatever owns the default configuration.

(I could imagine an RPM packaging where the user can choose between a PAM configuration which allows password login and requires cracklib-dicts, and a configuration where password login is universally prohibited and cracklib-dicts is unnecessary.

But, honestly, my first instinct is to just close as WONTFIX; one of the supposed benefits of Docker images is inheritance.  Sure, by naive accounting it adds 9M per Docker image, but really that is only 9M per Fedora base image shared across a big set of Docker images. That, more or less one cracklib-dicts instance per major OS version, should not hurt AT ALL.)

Comment 4 Tomas Mraz 2017-09-22 13:21:40 UTC
We might reconsider this for RHEL-8 and there are already some changes in this regard in Fedora. Changes of this kind are not eligible for RHEL-7.