Bug 91444

Summary: pam_cracklib.so does not support password requirements correctly
Product: [Retired] Red Hat Linux
Reporter: Chris <tells>
Component: pam
Assignee: Tomas Mraz <t8m>
Status: CLOSED CURRENTRELEASE
QA Contact: Jay Turner <jturner>
Severity: medium
Priority: medium
Version: 7.3
CC: gmilner, srevivo
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: FC2
Doc Type: Bug Fix
Last Closed: 2004-09-21 15:03:11 UTC

Description Chris 2003-05-22 17:18:57 UTC
Description of problem:
At our company we require the password to be 8 characters and contain three of 
the following (a lower case character, an upper case character, a digit, or a 
special character).  The only way I have been able to implement this on Red Hat 
Linux is to set the following line in /etc/pam.d/system-auth.

password    required      /lib/security/pam_cracklib.so retry=3 minlen=11 lcredit=1 ucredit=1 dcredit=1 ocredit=1

This works somewhat, but users can still enter 11 lower case characters and it 
works.

I found some documentation that says -1 will require at least one, but that 
does not seem to work in Red Hat.
Here is the link to the documentation I found: 
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3

Another problem with pam_cracklib.so in Red Hat is that the Red Hat utilities 
overwrite any changes that were manually entered.  So if someone runs authconfig 
after the above changes were entered, the default settings are put back and any 
changes are deleted.

Version-Release number of selected component (if applicable):
pam-0.75-46.7.3

How reproducible:
1. configure /etc/pam.d/system-auth
2. attempt to change a password with different combinations to see if the 
expected results happen
3. run authconfig, after running check the settings in /etc/pam.d/system-auth, 
they should now be removed
Actual results:
I can find no configuration where I can set the minimum number of characters to 8 
and require the user to enter special characters.  authconfig always removes 
any changes.

Expected results:
I think authconfig needs to either contain a way to set these settings, or it 
needs to not erase changes which have been entered in /etc/pam.d/system-auth.  
I would also like some kind of way to set up password requirements that users 
cannot get around by entering a large number of characters.

Additional info:

Comment 1 Virtual Janitor 2003-09-04 21:21:22 UTC
I also have found this same problem in Red Hat 6.2-9.0 and Mandrake 8.1-9.1.  On
each of these I tried the example given for /etc/pam.d/system-auth in the URL
above for 8 characters minimum, with at least 1 upper case, 1 digit, and 1 other
character:
"password  required pam_cracklib.so difok=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8"
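The minlen/credit arithmetic behind both configurations above (the reporter's minlen=11 line that still accepts 11 lower-case characters, and the negative credits in comment 1 that make a character class mandatory), modelled as an added example. This is not pam_cracklib's code: it follows the documented semantics as later Linux-PAM releases implement them (the pam-0.75 build in this report did not honour negative credits), omits the module's dictionary, difok and similarity checks, and the passwords it is tested with are constructed samples.

```python
# Added example: model of pam_cracklib's minlen/credit length check, written from
# the documented semantics; not the module's own code.
from dataclasses import dataclass, fields


@dataclass
class CracklibOpts:
    minlen: int = 9    # pam_cracklib default when the option is absent
    dcredit: int = 1   # digits
    ucredit: int = 1   # upper-case letters
    lcredit: int = 1   # lower-case letters
    ocredit: int = 1   # everything else (punctuation, symbols)


def parse_options(pam_line: str) -> CracklibOpts:
    """Read the key=value arguments of a pam_cracklib.so line; retry, difok etc. are skipped."""
    opts = CracklibOpts()
    known = {f.name for f in fields(CracklibOpts)}
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in known:
            setattr(opts, key, int(value))
    return opts


def length_check(password: str, opts: CracklibOpts) -> bool:
    """True if the password satisfies minlen once credits are applied.

    credit >= 0: up to `credit` chars of that class each count one extra toward
                 minlen, so minlen is not a hard floor on the typed length.
    credit <  0: no credit is given and at least -credit chars are mandatory.
    """
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1

    required = opts.minlen
    for cls, credit in (("d", opts.dcredit), ("u", opts.ucredit),
                        ("l", opts.lcredit), ("o", opts.ocredit)):
        if credit >= 0:
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            return False  # a mandatory character class is missing
    return len(password) >= required
```

With the reporter's line, 8 characters from three classes pass (required length drops to 8) but so does any 10- or 11-character single-class string; with the negative-credit line from comment 1 a single-class string fails regardless of length.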