Bug 484303
| Summary: | firstboot splashes weak password in plaintext when warning of weak passwords. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Nalley <david> |
| Component: | system-config-users | Assignee: | Nils Philippsen <nphilipp> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | rawhide | CC: | bressers, dqarras, emasaka, jhaar, nphilipp, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-02-12 11:43:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
|
Description
David Nalley
2009-02-05 22:58:21 UTC
Quick update after talking with wwoods in #fedora-qa - this is system-config-users, which is called by firstboot, so I am changing the component. Also the code appears to be in: /usr/share/system-config-users/userGroupCheck.py

Line 154 has:
"The chosen password is too weak: %s. Do you want to use it anyway?"

The %s should be stripped out in my opinion. (Otherwise why obfuscate password entry if displaying the password is acceptable?)

---

(In reply to comment #1)
> Also the code appears to be in:
> /usr/share/system-config-users/userGroupCheck.py
>
> Line 154 has:
> "The chosen password is too weak: %s. Do you want to use it anyway?"
>
> The %s should be stripped out in my opinion.

That code seems to be printing error messages from cracklib. Trying this on an already installed F10 system, I see error messages like:

The chosen password is too weak: it does not contain enough DIFFERENT characters. Do you want to use it anyway?

or

The chosen password is too weak: it is too simplistic/systematic. Do you want to use it anyway?

with no plaintext password. Do you have the exact error messages you got somewhere handy?

---

Yes, the error message is:

The chosen password is too weak: supersecretpassword Do you want to use it anyway?

where the plaintext password is the password entered for the user.

---

Probably related to the cracklib python bindings overhaul:

http://koji.fedoraproject.org/koji/buildinfo?buildID=67931

* Tue Oct 28 2008 Nalin Dahyabhai <nalin-at-redhat.com> - 2.8.13-1
- update to 2.8.13, which overhauls the python bindings and revises FascistCheck()'s behavior:
  2.8.12 success: returns None, fail: returns error text, other: exceptions
  2.8.13 success: returns candidate, fail: throws ValueError, other: exceptions

Looking at the recent changes to the file in git, Nils is likely already familiar with the changes...

http://git.fedorahosted.org/git/system-config-users.git?p=system-config-users.git;a=commitdiff;h=f69dd9cf9d
http://git.fedorahosted.org/git/system-config-users.git?p=system-config-users.git;a=commitdiff;h=523d9f9c2c

---

*** Bug 485175 has been marked as a duplicate of this bug. ***

---

(In reply to comment #4)
> Probably related to cracklib python bindings overhaul:
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=67931
>
> * Tue Oct 28 2008 Nalin Dahyabhai <nalin-at-redhat.com> - 2.8.13-1
> - update to 2.8.13, which overhauls the python bindings and revises
> FascistCheck()'s behavior:
> 2.8.12 success: returns None, fail: returns error text, other: exceptions
> 2.8.13 success: returns candidate, fail: throws ValueError, other: exceptions

Not that I'm terribly happy with such a drastic change in behaviour between two minor versions... Anyway, fixed upstream: 5087535127ed4baaaa376f3c93d97ccac6014771

---

fixed in system-config-users-1.2.85-1.fc11

---

*** Bug 486003 has been marked as a duplicate of this bug. ***

---

*** Bug 486053 has been marked as a duplicate of this bug. ***
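The following is an added example, not code from system-config-users or from cracklib, illustrating the failure mode the thread above describes. The two `fascist_check_*` functions are constructed stand-ins for the 2.8.12 and 2.8.13 calling conventions quoted from the cracklib changelog (None on success / error text on failure, versus the candidate on success / ValueError on failure), so the block runs without the real `cracklib` module. `legacy_warning` is the pattern a caller written for 2.8.12 would use; under 2.8.13 it formats the check's return value, which is now the password itself, into the dialog text. `password_problem` and `safe_warning` are hypothetical wrapper names showing a caller that works under either convention and never places the candidate in the message.

```python
# Added example (not system-config-users or cracklib code). Models the
# FascistCheck() convention change from the cracklib 2.8.13 changelog with
# constructed stand-ins so it runs offline.

WEAK_WORDS = {"password", "supersecretpassword", "12345678"}  # constructed list


def fascist_check_2_8_12(candidate):
    """Stand-in for the 2.8.12 bindings: None if OK, else the reason text."""
    if candidate.lower() in WEAK_WORDS or len(candidate) < 8:
        return "it is too simplistic/systematic"
    return None


def fascist_check_2_8_13(candidate):
    """Stand-in for the 2.8.13 bindings: the candidate if OK, else ValueError."""
    if candidate.lower() in WEAK_WORDS or len(candidate) < 8:
        raise ValueError("it is too simplistic/systematic")
    return candidate


TEMPLATE = "The chosen password is too weak: %s. Do you want to use it anyway?"


def legacy_warning(candidate, fascist_check):
    """Caller written for the 2.8.12 convention: any non-None return is
    treated as the failure text and formatted into the dialog.

    Under 2.8.13 a password that PASSES the check is returned as the value,
    so it ends up in the warning, and a password that fails raises instead
    of producing a dialog at all."""
    msg = fascist_check(candidate)
    if msg:
        return TEMPLATE % msg
    return None


def password_problem(candidate, fascist_check):
    """Version-independent check: None when the candidate is acceptable,
    otherwise the reason text. The candidate itself is never returned."""
    try:
        result = fascist_check(candidate)
    except ValueError as exc:
        return str(exc) or "it failed the dictionary check"
    if result is None or result == candidate:
        return None
    return str(result)


def safe_warning(candidate, fascist_check):
    """Build the dialog text from the reason only; the candidate is not
    part of the message under either convention."""
    reason = password_problem(candidate, fascist_check)
    if reason is None:
        return None
    return TEMPLATE % reason


if __name__ == "__main__":
    strong, weak = "Correct-Horse-Battery-42", "password"
    for name, check in (("2.8.12", fascist_check_2_8_12),
                        ("2.8.13", fascist_check_2_8_13)):
        for pw in (strong, weak):
            try:
                old = legacy_warning(pw, check)
            except ValueError as exc:
                old = "uncaught ValueError: %s" % exc
            print("%s legacy : %r" % (name, old))
            print("%s safe   : %r" % (name, safe_warning(pw, check)))
```

Running the block prints, for the 2.8.13 stand-in, a "too weak" dialog containing the strong password and an uncaught ValueError for the weak one, while `safe_warning` yields the same two outcomes under both conventions and never includes the candidate. The `result == candidate` comparison is what keeps the wrapper correct across the version change; the ValueError branch covers the new failure path.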