Bug 267201

Summary: pam_cracklib.so disregards changes to last char when calculating similarity
Product: Red Hat Enterprise Linux 4 Reporter: Jose Plans <jplans>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Jan Lieskovsky <jlieskov>
Severity: high Docs Contact:
Priority: high    
Version: 4.5CC: tao
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: RHSA-2007-0737 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-15 15:03:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
pam_cracklib-last_char.patch
none
patch fixing typo none

Description Jose Plans 2007-08-30 14:20:39 UTC 
Description of problem: 

If difok=2 and a password change is attempted with only changes to the first and
last char pam_cracklib will say the passwords are "too similar" wherea s the
change should be accepted.

How reproducible:

RHEL4 (any update, including 5)
pam-0.77-66.17 (any pam 0.77 rpm for RHEL4)

Include:
  passwd requisite /lib/security/$ISA/pam_cracklib.so debug retry=3 difok=3
in /etc/pam.d/system-auth

Steps to Reproduce:

use passwd to change a users password.

Actual results:

PASSWD    CHANGE RESULTS
======    ==============
q1w2e3r4  intial pssword
11q2e3r5  "too similar"
11a2e2r4  success

Expected results:

PASSWD    CHANGE RESULTS
======    ==============
q1w2e3r4  intial pssword
11q2e3r5  success
11a2e2r4  success

Additional info:

The fix for this went into PAM 0.78 from PAM bugzilla 1010142 

* http://sourceforge.net/tracker/index.php?func=detai
le&aid=1010142&group_id=6663&atid=106663

RHEL5 behaves properly as it contains this fix already in PAM 0.99.
Comment 1 Jose Plans 2007-08-30 14:20:40 UTC 
Created attachment 181141 [details]
pam_cracklib-last_char.patch
Comment 9 Jose Plans 2007-09-01 19:20:25 UTC 
Created attachment 184561 [details]
patch fixing typo

-    if ((j == 0) || (strlen(new) < i)) {
+    if ((j == 0) || (strlen(new) < j)) {
Comment 12 Jan Lieskovsky 2007-09-05 11:57:32 UTC 
Providing testing && QA information related to this one:

Was able to reproduce this issue && will be able to retest the whole
RHSA-2007:0737 advisory in case of need (to include this one) -> Moving
to assigned.
Comment 22 errata-xmlrpc 2007-11-15 15:03:31 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0737.html