Description of problem:
Even when the reject_username argument is not specified with the pam_cracklib module, the password is being rejected for containing the user name.

Version-Release number of selected component (if applicable):
pam-1.1.1-13.el6.x86_64

How reproducible:
100 %

Steps to Reproduce:
PAM configuration:

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=0 lcredit=0 ocredit=0 ucredit=0 maxrepeat=0 difok=0
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

1. Create user "username".

2. Change the password for username (as root):
[root@localhost ~]# passwd username
Changing password for user username.
New password:                >>>>>>>>>>>>>>> Password entered here is "password"
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

3. Try to change the password of username (by logging in as username):
[root@localhost ~]# su username
[username@localhost root]$ passwd
Changing password for user username.
Changing password for username.
(current) UNIX password:
New password:                >>>>>>>>>>>>>>> Password entered here is "username"
BAD PASSWORD: it is based on your username
New password:                >>>>>>>>>>>>>>> Password entered here is "username1"
BAD PASSWORD: it is based on your username
New password:                >>>>>>>>>>>>>>> Password entered here is "username12"
BAD PASSWORD: it is based on your username
Password:
passwd: Have exhausted maximum number of retries for service
[username@localhost root]$
[username@localhost root]$ passwd
Changing password for user username.
Changing password for username.
(current) UNIX password:
New password:                >>>>>>>>>>>>>>> Password entered here is "username123"
BAD PASSWORD: it is based on your username
New password:                >>>>>>>>>>>>>>> Password entered here is "username1234"
Retype new password:
passwd: all authentication tokens updated successfully.
[username@localhost root]$
[username@localhost root]$ passwd
Changing password for user username.
Changing password for username.
(current) UNIX password:
New password:                >>>>>>>>>>>>>>> Password entered here is "1username"
BAD PASSWORD: it is based on your username
New password:                >>>>>>>>>>>>>>> Password entered here is "1username2"
Retype new password:
passwd: all authentication tokens updated successfully.

Actual results:
The passwords containing the username are rejected.

Expected results:
The passwords containing the user name should be accepted.

Additional info:
Is there any documentation available as to which combinations of passwords will be accepted even when they contain the user name?
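An added model of the accept/reject pattern in the transcript above, not cracklib's or pam's own code: it assumes the check compares the password, with up to three leading or trailing characters stripped, case-insensitively against the user name and its reverse, and sets that beside the stricter "never contains the user name" policy an administrator would usually want.

```python
# Added example: a model of the "based on your username" rejections reported
# above. It is NOT cracklib's source; the rule set (strip up to MAX_STRIP
# leading OR trailing characters, compare case-insensitively, also against the
# reversed name) is an assumption inferred from the accepted/rejected pairs.

MAX_STRIP = 3  # assumed: enough to explain "username123" vs "username1234"


def derived_forms(password: str):
    """Yield the candidate strings the modelled check compares to the username."""
    p = password.lower()
    yield p
    for n in range(1, MAX_STRIP + 1):
        if len(p) > n:
            yield p[n:]   # drop n leading characters ("1username" -> "username")
            yield p[:-n]  # drop n trailing characters ("username123" -> "username")


def based_on_username(password: str, username: str) -> bool:
    """True when some derived form equals the username or its reverse."""
    u = username.lower()
    targets = {u, u[::-1]}
    return any(form in targets for form in derived_forms(password))


def contains_username(password: str, username: str) -> bool:
    """Stricter policy a defender may prefer: reject any password containing the name."""
    return username.lower() in password.lower()


# Constructed from the bug report's transcript: (password, rejected by pam?)
REPORTED = [
    ("username", True),
    ("username1", True),
    ("username12", True),
    ("username123", True),
    ("username1234", False),
    ("1username", True),
    ("1username2", False),
]


def check_model():
    """Return the reported cases where the model disagrees with observed behaviour."""
    return [(pw, exp) for pw, exp in REPORTED
            if based_on_username(pw, "username") != exp]


if __name__ == "__main__":
    print("mismatches:", check_model())
    for pw, _ in REPORTED:
        print(f"{pw:13} model_rejects={based_on_username(pw, 'username')} "
              f"strict_rejects={contains_username(pw, 'username')}")
```

The model explains why "username1234" and "1username2" slipped through while the stricter containment check would have refused them too.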
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please re-open the BZ and request a re-evaluation of the issue, citing a clear business justification.