Bug 117401 - using minlen=N does not seems to work with pam_cracklib
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: pam
Version: 2.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-03-03 17:04 UTC by Pierre Amadio
Modified: 2015-01-08 00:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-09-21 14:17:25 UTC
Target Upstream Version:
Embargoed:
Description Pierre Amadio 2004-03-03 17:04:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Description of problem:
I am trying, without success, to have cracklib force users to have a password
longer than 8 characters.

/etc/pam.d/system-auth:

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 minlen=8 debug
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so


However, users are still allowed to change their password to a shorter
string.

Note that if I set minlen=2, I still have the 6-character length
limitation active too.

I'm using pam-0.75-46.7.3
Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. In /etc/pam.d/system-auth, add minlen=8 (or whatever integer you
prefer, not equal to 6).
2. Log in as a user and try to change the password with passwd. Try to
use a password that is too short.
Actual Results: password gets changed

Expected Results: "password too short" error message

Additional info:

Comment 1 Pancrazio `ezio' de Mauro 2004-06-24 10:54:57 UTC
minlen alone is not sufficient; you also have to set the following
parameters:

        dcredit=N
        ucredit=N
        lcredit=N
        ocredit=N   Weight digits, upper, lower and other characters with
                    count N. These values are used to compute the
                    'unsimplicity' of the password.

Looking at the source code, it seems that the actual minimum length is
computed as minlen - dcredit - ucredit - lcredit - ocredit, so basically
it is not a minimum length but rather a "minimum simplicity".

Setting minlen to 8, for example, and the "credit" parameters to 0
should yield the desired result.

By playing with minlen and the credit parameters, you can allow for
constraints like "at least one digit", "at least one capital letter"
and so on.

I hope this helps.
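An added example, not from the bug report or from Linux-PAM itself: a small Python model of the pam_cracklib length check that comment 1 describes, showing why minlen=8 with the module's default credits (1 per class) still accepts shorter passwords and how credits of 0 restore a true minimum length. The 6-character floor is modelled from the reporter's minlen=2 observation, and negative credits follow the pam_cracklib(8) man page's "at least N characters of this class" rule, which is an assumption about the version in use.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credits:
    """pam_cracklib credit options; the module's defaults are 1 each."""
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1


HARD_FLOOR = 6  # assumption taken from the report: minlen=2 still enforced 6


def count_classes(password: str):
    """Count (digits, uppers, lowers, others) in the candidate password."""
    digits = sum(c.isdigit() for c in password)
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    return digits, uppers, lowers, len(password) - digits - uppers - lowers


def check_length(password: str, minlen: int, credits: Credits = Credits()):
    """Return (accepted, score, required) for the minlen/credit rule.

    The score starts at the password length. A credit >= 0 adds up to that
    many bonus points for its class; a credit < 0 adds nothing and instead
    demands at least -credit characters of that class.
    """
    required = max(minlen, HARD_FLOOR)
    score = len(password)
    counts = count_classes(password)
    limits = (credits.dcredit, credits.ucredit, credits.lcredit, credits.ocredit)
    for count, credit in zip(counts, limits):
        if credit >= 0:
            score += min(count, credit)
        elif count < -credit:
            return False, score, required  # required class is missing
    return score >= required, score, required


if __name__ == "__main__":
    # Reporter's setup: minlen=8 with default credits still lets a 7-character
    # password through, because one lowercase credit lifts its score to 8.
    # Comment 1's fix (all credits 0) rejects it.
    for pw in ("abcdefg", "Ab1!x", "abcdefgh"):
        print(pw, check_length(pw, 8), check_length(pw, 8, Credits(0, 0, 0, 0)))
```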