Bug 1410450

Summary: pwscore fails on missing /usr/share/cracklib/pw_dict.pwd.gz
Product: [Fedora] Fedora
Reporter: Martin Pitt <mpitt>
Component: libpwquality
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 25
CC: tmraz
Hardware: All
OS: Linux
Last Closed: 2017-01-05 14:28:05 UTC
Type: Bug

Description Martin Pitt 2017-01-05 14:12:00 UTC
Description of problem:

In Fedora 25, libpwquality does not depend any more on cracklib-dicts. That package is not installed in a minimal environment such as mock or mkosi, and "rpm -e cracklib-dicts" even works in a reasonably fat install.

Version-Release number of selected component (if applicable):

1.3.0-6.fc25.x86_64

How reproducible:

On Fedora 25:

$ mock --init
$ mock --shell 'echo foobar123 | pwscore'
[...]
/usr/share/cracklib/pw_dict.pwd.gz: No such file or directory
Password quality check failed:
 The password fails the dictionary check - error loading dictionary

Actual results:

pwscore fails on Fedora 25 without cracklib-dicts. This e.g. breaks cockpit when trying to create a new user; without /usr/share/cracklib/pw_dict.pwd.gz the user creation never succeeds (see https://github.com/cockpit-project/cockpit/issues/5684).

This is not an issue in RHEL/CentOS 7: there cracklib-dicts is a dependency of libpwquality.

Expected results:

If the removal of the cracklib-dicts dependency of libpwquality was deliberate, then pwscore should gracefully fall back, i.e. just skip the dictionary check. Otherwise the dependency should be put back.

Comment 1 Tomas Mraz 2017-01-05 14:28:05 UTC
No, the dependency is a weak one via Recommends, so dnf will normally install it, but you should be able to uninstall it if you do not need the dictionary check. And you can configure libpwquality to skip the dictionary check by setting dictcheck = 0 in /etc/security/pwquality.conf, but we do not want that to be the default.

Comment 2 Martin Pitt 2017-01-05 14:56:54 UTC
A weak dependency is fine, but then it shouldn't fail hard if it isn't installed, but gracefully fall back. Or something should pull it into mock/mkosi and similarly small environments as well.

Comment 3 Tomas Mraz 2017-01-05 15:06:04 UTC
Gracefully falling back would mean that an incorrectly or inadvertently missing dictionary would go undetected. I do not want that.
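
The three states discussed in this thread (dictionary check disabled with dictcheck = 0, check enabled with a dictionary present, check enabled with the dictionary missing) can be told apart before pwscore or a user-creation tool hits the error. The script below is an added example, not code from this report or from libpwquality. The function names `conf_value` and `dictcheck_state` are hypothetical, the default dictionary prefix is derived from the path in the report, and it assumes only a single configuration file is consulted, with `dictpath` (the pwquality.conf setting for the cracklib dictionary location) overriding the default.

```shell
#!/bin/sh
# Added example (not libpwquality code). Assumes "key = value" lines with "#"
# comments, last assignment wins, and that only the one file given is read.

# Print the value of the last assignment of key $2 in file $1 (nothing if unset).
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# dictcheck_state CONF [DICT_PREFIX] -> prints disabled | ok | missing
# Only the existence of the dictionary file is tested, not its contents.
dictcheck_state() {
    prefix=${2:-/usr/share/cracklib/pw_dict}   # default taken from the report's path
    dictcheck=$(conf_value "$1" dictcheck)
    dictpath=$(conf_value "$1" dictpath)
    if [ -n "$dictpath" ]; then prefix=$dictpath; fi
    if [ "${dictcheck:-1}" = 0 ]; then
        echo disabled          # dictionary check switched off in the config
    elif [ -e "$prefix.pwd" ] || [ -e "$prefix.pwd.gz" ]; then
        echo ok                # check enabled and a dictionary file is present
    else
        echo missing           # check enabled, no dictionary: the failure reported here
    fi
}

# Constructed demo in a scratch directory; nothing on the host is modified.
demo=$(mktemp -d)
printf '# dictcheck = 1\nminlen = 12\n' > "$demo/pwquality.conf"
echo "default config, no dictionary:   $(dictcheck_state "$demo/pwquality.conf" "$demo/pw_dict")"
: > "$demo/pw_dict.pwd.gz"
echo "default config, dictionary file: $(dictcheck_state "$demo/pwquality.conf" "$demo/pw_dict")"
printf 'dictcheck = 0\n' >> "$demo/pwquality.conf"
echo "dictcheck = 0:                   $(dictcheck_state "$demo/pwquality.conf" "$demo/pw_dict")"
rm -rf "$demo"
```

A `missing` result on a host that is supposed to enforce the dictionary check is the condition Comment 3 wants to stay visible rather than be skipped silently.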