Bug 2158891

Summary: Various password set/change operations that run through pwquality fail without cracklib dicts, which are no longer required or recommended (only suggested)
Product: [Fedora] Fedora
Reporter: Jonathan Billings <jbilling>
Component: libpwquality
Assignee: Adam Williamson <awilliam>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 37
CC: agk, amulhern, awilliam, crypto-team, gmazyland, j, okozina, paul.wouters, tm, travier
Target Milestone: ---
Flags: fedora-admin-xmlrpc: mirror+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: openqa
Fixed In Version: libpwquality-1.4.5-3.fc37
Last Closed: 2023-02-06 01:37:41 UTC
Type: Bug

Description Jonathan Billings 2023-01-06 19:58:59 UTC
Description of problem:

When changing the passphrase for a LUKS drive, I am getting this error:

# cryptsetup luksChangeKey /dev/vda3
Enter passphrase to be changed: 
Enter new passphrase: 
Verify passphrase: 
/usr/share/cracklib/pw_dict.pwd.gz: No such file or directory
Password quality check failed:
 The password fails the dictionary check - error loading dictionary

I looked and no package owns /usr/share/cracklib/pw_dict.pwd.gz, but the "cracklib-dicts" package owns /usr/share/cracklib/pw_dict.pwd, and if I install that package, cryptsetup luksChangeKey now works.

Version-Release number of selected component (if applicable):
cryptsetup-2.5.0-1.fc37.x86_64
cracklib-dicts-2.9.7-30.fc37.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Set up LUKS volume
2. Attempt to change the key without having cracklib-dicts installed
3. See error above

Additional info:
I swear this worked on January 3rd after a fresh Fedora 37 install, I'm not sure what dependencies changed to not automatically bring in cracklib-dicts, but it isn't installed anymore on my minimal install.  It appears that cracklib is installed, just not cracklib-dicts.

Comment 1 Milan Broz 2023-01-06 20:13:10 UTC
This should be a dependency of libpwquality, which we link to; perhaps bug 2006063?

(You can always workaround it by adding --force-password to disable password quality check.)

Anyway, reassigning to libpwquality, as I have no idea what changed there.

Comment 2 Jonathan Billings 2023-01-06 20:48:17 UTC
While it is nice that FCOS doesn't need password quality checking in passwd and cryptsetup, it would be nice if it was pulled in for Desktop OSs where people might actually expect password quality checks?

Comment 3 Justin Koh 2023-01-09 12:29:19 UTC
This also affects existing installs. A user doing a `dnf autoremove` after updating to libpwquality-1.4.5-1 will remove cracklib-dicts.

cracklib-dicts was changed from a Requires to Suggests in libpwquality-1.4.5-1 [1]. I think it should've been a Recommends, according to Fedora policy on weak dependencies [2].

> The requirements of the main use cases of a package should not merely be referenced by hints but included by strong or weak dependencies.


[1]: https://src.fedoraproject.org/rpms/libpwquality/c/303154338d6d3650bc343c4852009be8a1fdc199

[2]: https://docs.fedoraproject.org/en-US/packaging-guidelines/WeakDependencies/#_hints

Comment 4 Tomáš Mráz 2023-01-09 13:50:41 UTC
Yeah, using Suggests and not Recommends is wrong.

It should be possible to install libpwquality without dicts but by default the dicts should be installed.

Comment 5 Timothée Ravier 2023-01-17 17:22:11 UTC
This is likely a fallout from https://bugzilla.redhat.com/show_bug.cgi?id=2006063.

Note that for Fedora CoreOS we don't pull in recommends by default so moving this from a suggest to a recommend should fix this issue.

Comment 6 Timothée Ravier 2023-01-17 17:23:00 UTC
Recommends are enabled in Silverblue & Kinoite so it will fix it there too: https://github.com/fedora-silverblue/issue-tracker/issues/400

Comment 7 Adam Williamson 2023-02-01 22:50:42 UTC
This can also break logging in as a user with no password in GDM (whereupon GDM asks the user to create a new password; if cracklib-dicts is missing, this fails as the dictionary can't be loaded). This won't affect systems installed from the Workstation live because anaconda-core requires cracklib-dicts and live images have anaconda-core on them, but it *does* affect systems installed from a non-live installer that include the workstation-product-environment group. This means it breaks an openQA test when run on an upgraded system, because the base image from which the upgrade test starts is built with virt-install and a kickstart.

Since Paul hasn't responded to this and it's been around for three weeks, I'm going to go ahead and use provenpackager powers to change the Suggests to a Recommends.

Comment 8 Fedora Update System 2023-02-01 23:09:11 UTC
FEDORA-2023-4021d4c044 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4021d4c044

Comment 9 Fedora Update System 2023-02-02 02:16:36 UTC
FEDORA-2023-4021d4c044 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4021d4c044`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4021d4c044

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-02-06 01:37:41 UTC
FEDORA-2023-4021d4c044 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 11 mulhern 2023-02-27 23:37:40 UTC
It looks like, due to an interaction with a dnf bug that sometimes doesn't install all weak dependencies, this is still breaking some things, specifically our CI that uses Fedora 37 containers and runs clevis, see: https://github.com/stratis-storage/project/issues/581 .
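
An added pre-flight check for the failure discussed in this report (not code from the bug thread or from libpwquality): it tests for the dictionary file named in the error output and reports whether the installed libpwquality declares cracklib-dicts as Requires, Recommends or Suggests. The function names are hypothetical, and the directory is the one shown in the error message above.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical.

# Directory taken from the error message in the report; override for testing.
CRACKLIB_DIR="${CRACKLIB_DIR:-/usr/share/cracklib}"

# Succeeds if the dictionary cracklib tried to open exists, plain or gzipped.
cracklib_dict_present() {
    local dir="${1:-$CRACKLIB_DIR}"
    [ -s "$dir/pw_dict.pwd" ] || [ -s "$dir/pw_dict.pwd.gz" ]
}

# Prints how installed package $1 declares dependency $2:
# requires, recommends, suggests, none, or unknown (no rpm / not installed).
dep_strength() {
    local pkg="$1" dep="$2" kind
    command -v rpm >/dev/null 2>&1 || { echo unknown; return 0; }
    rpm -q "$pkg" >/dev/null 2>&1 || { echo unknown; return 0; }
    for kind in requires recommends suggests; do
        # Match the name at line start, ignoring any version constraint.
        if rpm -q "--$kind" "$pkg" 2>/dev/null | grep -Eq "^${dep}([ (]|\$)"; then
            echo "$kind"
            return 0
        fi
    done
    echo none
}

# Returns 0 when password quality checks can load the dictionary, else 1
# with a line explaining why the package may be absent.
pwquality_dict_report() {
    local strength
    strength="$(dep_strength libpwquality cracklib-dicts)"
    if cracklib_dict_present; then
        echo "OK: dictionary present (libpwquality -> cracklib-dicts: $strength)"
        return 0
    fi
    echo "MISSING: $CRACKLIB_DIR/pw_dict.pwd (libpwquality -> cracklib-dicts: $strength)"
    case "$strength" in
        suggests)   echo "hint only: not installed by default; dnf autoremove can remove it" ;;
        recommends) echo "weak dependency: absent where Recommends are not pulled in" ;;
    esac
    return 1
}

# Run as: ./check.sh check   (exit status 1 means the dictionary is missing)
if [ "${1:-}" = "check" ]; then pwquality_dict_report; fi
```

Running this in an image build or CI job surfaces the missing dictionary at build time instead of at the first `cryptsetup luksChangeKey` or password change.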