Bug 2207479

Summary: misleading error message "Password generation failed - required entropy too low for settings"
Product: Red Hat Enterprise Linux 9
Reporter: Ding-Yi Chen <dchen>
Component: libpwquality
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: NEW
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 9.1
Keywords: Translation, Triaged
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug

Description Ding-Yi Chen 2023-05-16 05:11:15 UTC
Description of problem:

The error message "Password generation failed - required entropy too low for settings" is misleading.

The actual behavior is that it generates a password up to 3 times. If none of them meet the criteria specified in pwquality.conf, it fails with the above message.

With the above error message, system administrators will try to fiddle with entropy, but to no avail.

How about changing the error message to:

Password generation failed - tried 3 times to meet the criteria in pwquality.conf


Version-Release number of selected component (if applicable):

1.4.4-8

How reproducible:

Whenever pwmake fails to generate a password

Steps to Reproduce:
1. Use the following pwquality.conf

  minlen = 15
  ucredit = -1
  dcredit = -1
  maxclassrepeat = 4
  minclass = 4
  maxrepeat = 3
  lcredit = -1
  difok = 8
  ocredit = -1


2. Run pwmake in loop, like

 for ((i=0;i<30;i++)); do pwmake 256 2>&1 >/dev/null; done

Actual results:

Error: Password generation failed - required entropy too low for settings


Expected results:

Error: Password generation failed - tried 3 times to meet the criteria in pwquality.conf


Additional info:

For systems that conform to STIG V-230360 [1], pwmake cannot always generate passwords that fit the specification in pwquality.conf.

1. https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2020-11-25/finding/V-230360
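The following Python script is an added example, not code from libpwquality or the reporter: it models the behaviour described in this report (draw a random password, check it against the rules from the pwquality.conf above, give up after 3 attempts) and shows the kind of error message the report asks for, naming the rule that was violated instead of blaming entropy. The rule checks are an assumed, simplified reading of the pwquality.conf settings (negative credits are treated as "at least N characters of that class" with no credit added to the length; difok is omitted because it needs an old password), and the generator simply draws uniform random characters, which is not pwmake's actual algorithm.

```python
"""Simplified model of pwmake behaviour (added example, not libpwquality code):
draw random characters until the password satisfies pwquality-style rules,
giving up after a fixed number of attempts with a message that names the cause."""
import math
import secrets
import string

# Constructed policy: the values from the pwquality.conf in the bug report.
# difok is omitted because it compares against an old password, which pwmake does not have.
POLICY = {
    "minlen": 15,
    "minclass": 4,
    "maxrepeat": 3,
    "maxclassrepeat": 4,
    "ucredit": -1,
    "lcredit": -1,
    "dcredit": -1,
    "ocredit": -1,
}

# Character classes keyed by the pwquality.conf credit setting that governs them.
CLASSES = {
    "ucredit": set(string.ascii_uppercase),
    "lcredit": set(string.ascii_lowercase),
    "dcredit": set(string.digits),
    "ocredit": set(string.punctuation),
}
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))  # 94 characters


def char_class(c):
    """Name of the class a character belongs to (None if it is in no class)."""
    for name, members in CLASSES.items():
        if c in members:
            return name
    return None


def longest_run(items):
    """Length of the longest run of identical consecutive items."""
    best = run = 0
    prev = object()
    for item in items:
        run = run + 1 if item == prev else 1
        prev = item
        best = max(best, run)
    return best


def check_password(pw, policy=POLICY):
    """Return None if pw satisfies the policy, otherwise a short reason string.

    Assumed simplification of the pwquality rules: a negative credit means
    'at least that many characters of the class', and minlen is a plain length.
    """
    if len(pw) < policy["minlen"]:
        return f"length {len(pw)} is below minlen={policy['minlen']}"
    classes_present = 0
    for name, members in CLASSES.items():
        count = sum(c in members for c in pw)
        classes_present += count > 0
        credit = policy.get(name, 0)
        if credit < 0 and count < -credit:
            return f"needs at least {-credit} character(s) of class {name}"
    if classes_present < policy["minclass"]:
        return f"only {classes_present} character classes, minclass={policy['minclass']}"
    if policy["maxrepeat"] and longest_run(pw) > policy["maxrepeat"]:
        return f"more than maxrepeat={policy['maxrepeat']} identical consecutive characters"
    if policy["maxclassrepeat"] and longest_run(map(char_class, pw)) > policy["maxclassrepeat"]:
        return f"more than maxclassrepeat={policy['maxclassrepeat']} consecutive characters of one class"
    return None


def generate_password(bits, policy=POLICY, attempts=3, rng=None):
    """Draw a password of at least `bits` of entropy, retrying up to `attempts` times.

    Returns (password, None) on success or (None, message) on failure. The failure
    message reports the retry count and the last violated rule, which is what an
    administrator needs to know; 'entropy too low' is not the cause here.
    """
    rng = rng or secrets.SystemRandom()
    length = math.ceil(bits / math.log2(len(ALPHABET)))
    last_reason = None
    for _ in range(attempts):
        pw = "".join(rng.choice(ALPHABET) for _ in range(length))
        last_reason = check_password(pw, policy)
        if last_reason is None:
            return pw, None
    return None, (f"Password generation failed - tried {attempts} times to meet the criteria "
                  f"in pwquality.conf (last reason: {last_reason})")


if __name__ == "__main__":
    pw, err = generate_password(256)
    print(pw if err is None else err)
```

Run it a few dozen times as the report's loop does with pwmake and the occasional failure will name the rule that rejected the last candidate, typically maxclassrepeat, since a run of five consecutive punctuation or lowercase characters is the likeliest violation in a 40-character random string drawn from this alphabet.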