Bug 1024727

Summary: pam_cracklib - password check for user name is active even in absence of reject_username argument
Product: Red Hat Enterprise Linux 6
Reporter: Athar <athar.lh>
Component: cracklib
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 6.4
CC: nalin
Target Milestone: rc
Hardware: x86_64
OS: Linux
Last Closed: 2017-09-22 13:14:47 UTC
Type: Bug

Description Athar 2013-10-30 10:31:50 UTC
Description of problem:
Even when the reject_username argument is not specified with the pam_cracklib module, the password is being rejected for containing the user name.


Version-Release number of selected component (if applicable): pam-1.1.1-13.el6.x86_64


How reproducible: 100 %


Steps to Reproduce:

PAM configurations -
# cat /etc/pam.d/system-auth
#%PAM-1.0
## This file is auto-generated.
## User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=0 lcredit=0 ocredit=0 ucredit=0 maxrepeat=0 difok=0
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

1. Create user "username".
2. Change the password for username (using root).
[root@localhost ~]# passwd username
Changing password for user username.
New password:  				>>>>>>>>>>>>>>> Password entered here is "password"
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

3. Try to change the password of username (by logging in as username).

[root@localhost ~]# su username
[username@localhost root]$ passwd 
Changing password for user username.
Changing password for username.
(current) UNIX password: 
New password: 				>>>>>>>>>>>>>>> Password entered here is "username"
BAD PASSWORD: it is based on your username
New password: 				>>>>>>>>>>>>>>> Password entered here is "username1"
BAD PASSWORD: it is based on your username
New password: 				>>>>>>>>>>>>>>> Password entered here is "username12"
BAD PASSWORD: it is based on your username
Password: 
passwd: Have exhausted maximum number of retries for service

[username@localhost root]$ 
[username@localhost root]$ passwd 
Changing password for user username.
Changing password for username.
(current) UNIX password: 
New password: 				>>>>>>>>>>>>>>> Password entered here is "username123"
BAD PASSWORD: it is based on your username
New password: 				>>>>>>>>>>>>>>> Password entered here is "username1234"
Retype new password: 
passwd: all authentication tokens updated successfully.
[username@localhost root]$ 

[username@localhost root]$ passwd 
Changing password for user username.
Changing password for username.
(current) UNIX password: 
New password: 				>>>>>>>>>>>>>>> Password entered here is "1username"
BAD PASSWORD: it is based on your username
New password: 				>>>>>>>>>>>>>>> Password entered here is "1username2"
Retype new password: 
passwd: all authentication tokens updated successfully.


Actual results:
The passwords containing the username are rejected.

Expected results:
Passwords containing the user name should be accepted.

Additional info:
Is there any documentation available as to which combinations of passwords will be accepted even when they contain the user name?
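
One way to confirm from the configuration itself which pam_cracklib options are in effect, and that reject_username is absent as the report states. This is an added example, not part of the original report or of PAM; `parse_pam`, `cracklib_options` and `SAMPLE` are hypothetical names, and the sample wraps the report's pam_cracklib rule with a backslash continuation to exercise that case.

```python
import re

# Constructed sample: rules copied from the system-auth file quoted in the report.
SAMPLE = """\
#%PAM-1.0
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=6 \\
            dcredit=0 lcredit=0 ocredit=0 ucredit=0 maxrepeat=0 difok=0
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""

# type, control (simple keyword or [value=action ...]), module, arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (type, control, module, args) tuples for a /etc/pam.d service file."""
    rules = []
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        match = RULE.match(line)
        if match:                               # blank or malformed lines are skipped
            mtype, control, module, args = match.groups()
            rules.append((mtype.lstrip("-"), control, module, args.split()))
    return rules


def cracklib_options(text):
    """Map option name -> value (True for bare flags) per pam_cracklib password rule."""
    found = []
    for mtype, _control, module, args in parse_pam(text):
        if mtype == "password" and module.rsplit("/", 1)[-1] == "pam_cracklib.so":
            opts = {}
            for arg in args:
                key, sep, value = arg.partition("=")
                opts[key] = value if sep else True
            found.append(opts)
    return found


if __name__ == "__main__":
    for opts in cracklib_options(SAMPLE):
        state = "set" if opts.get("reject_username") else "NOT set"
        print("pam_cracklib: reject_username is", state)
        print("  options:", ", ".join(sorted(opts)))
```
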

Comment 2 RHEL Program Management 2013-10-30 13:01:00 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 3 Tomas Mraz 2017-09-22 13:14:47 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please re-open the BZ and request a re-evaluation of the issue, citing a clear business justification.