Bug 963769
Summary: | cracklib-check allows dictionary based passwords with simple modifications | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Hubert Kario <hkario> | ||||||
Component: | cracklib | Assignee: | Tomas Mraz <tmraz> | ||||||
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||
Severity: | high | Docs Contact: | |||||||
Priority: | medium | ||||||||
Version: | 6.4 | Keywords: | FutureFeature | ||||||
Target Milestone: | rc | ||||||||
Target Release: | --- | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Enhancement | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | |||||||||
: | 966524 (view as bug list) | Environment: | |||||||
Last Closed: | 2017-09-22 13:15:43 UTC | Type: | Bug | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | |||||||||
Bug Blocks: | 966524 | ||||||||
Attachments: |
|
Description
Hubert Kario
2013-05-16 14:06:00 UTC
Created attachment 749442 [details]
partial fix: add roll-left and roll-right constructors
Created attachment 749443 [details]
partial fix: add more l33t-ish substitutions
These aren't integrated properly, but doing it in a way that wouldn't explode the destructors list would require redoing a few layers of logic.
Regarding patch in Comment #2: I don't know how the code later searches if the word is in wordlist or not, but I know that pam_cracklib does check if a password doesn't contain words as a substring of "passwordpassword". This finds not only repetitions but such simple barrel shifts like in the "ancingd" case. Regarding patch in Comment #3: I'm not sure if I read the patch correctly, but the a -> . substitution was more to show that obfuscating a single character is enough to render cracklib useless, not an actual "l33t speak" substitution. And second "I'm not sure if I read the patch correctly" is the 8 -> B substitution: doesn't cracklib do a case insensitive search over its wordlist? (In reply to Hubert Kario from comment #4) > Regarding patch in Comment #2: I don't know how the code later searches if > the word is in wordlist or not, but I know that pam_cracklib does check if a > password doesn't contain words as a substring of "passwordpassword". This > finds not only repetitions but such simple barrel shifts like in the > "ancingd" case. The pam_cracklib module (and the cracklib python module, and apparently everything else that uses cracklib) implements additional logic beyond what cracklib does, so cracklib-check doesn't benefit from those efforts. > Regarding patch in Comment #3: I'm not sure if I read the patch correctly, > but the a -> . substitution was more to show that obfuscating a single > character is enough to render cracklib useless, not an actual "l33t speak" > substitution. > And second "I'm not sure if I read the patch correctly" is the 8 -> B > substitution: doesn't cracklib do a case insensitive search over its > wordlist? So it does. That rule should be discarded from the patch, then. As for the larger point, you're right, cracklib's doesn't catch everything. I don't think this is RHEL-6 material. This should be changed in Fedora and RHEL-7 if at all. This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux. Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please re-open the BZ and request a re-evaluation of the issue, citing a clear business justification. |