Bug 117401 - using minlen=N does not seems to work with pam_cracklib
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: pam
2.1
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Reported: 2004-03-03 12:04 EST by Pierre Amadio
Modified: 2015-01-07 19:07 EST
Last Closed: 2004-09-21 10:17:25 EDT
Description Pierre Amadio 2004-03-03 12:04:52 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5)
Gecko/20031007 Firebird/0.7

Description of problem:
I try without success to have cracklib force users to have a password
longer than 8 characters.

/etc/pam.d/system-auth 

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 minlen=8 debug
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so


However, users are still allowed to change their password to a shorter
string.

Note that if I set minlen=2, I still have the 6 character length
limitation active too.

I'm using pam-0.75-46.7.3


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. In /etc/pam.d/system-auth add minlen=8 (or whatever integer you
prefer not equal to 6)
2. Log in as a user, try to change the password with passwd. Try to
use a password that is too short.

    

Actual Results:  password gets changed

Expected Results:  password too short error message

Additional info:
Comment 1 Pancrazio `ezio' de Mauro 2004-06-24 06:54:57 EDT
minlen alone is not sufficient, you also have to set the following
parameters:

        dcredit=N
        ucredit=N
        lcredit=N
        ocredit=N  Weight, digits, upper, lower, other characters with
                   count N. Use these values to compute the
                   'unsimplicity' of the password.

Looking at the source code, it seems that the actual minimum length is
computed as minlen - dcredit - ucredit - lcredit - ocredit, basically
it is not a minimum length but rather a "minimum simplicity".

Setting minlen to 8 for example, and the "credit" parameters to 0
should yield the desired result.

By playing with minlen and the credit parameters, you can allow for
constraints like "at least one digit", "at least one capital letter"
and so on.

I hope this helps.
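
The arithmetic Comment 1 describes, as an added example (not pam_cracklib's source and not code from this report): each character class present in the password earns up to its credit, and the total is deducted from minlen. The struct and function names are hypothetical, credits are assumed non-negative, and the reporter's unset credits are assumed to default to 1 each.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical struct for this example; fields named after the module options. */
struct credits { int minlen, dcredit, ucredit, lcredit, ocredit; };

/* A class earns one credit per character, up to its configured maximum. */
static int capped(int count, int credit) { return count < credit ? count : credit; }

/* Length this particular password must reach once its credits are deducted. */
int required_length(const struct credits *c, const char *pw)
{
    int d = 0, u = 0, l = 0, o = 0;
    for (const char *p = pw; *p; p++) {
        unsigned char ch = (unsigned char)*p;
        if (isdigit(ch)) d++;
        else if (isupper(ch)) u++;
        else if (islower(ch)) l++;
        else o++;
    }
    return c->minlen - capped(d, c->dcredit) - capped(u, c->ucredit)
                     - capped(l, c->lcredit) - capped(o, c->ocredit);
}

/* 1 if the password passes the length rule, 0 if it is rejected as too short. */
int length_ok(const struct credits *c, const char *pw)
{
    return (int)strlen(pw) >= required_length(c, pw);
}

int main(void)
{
    /* Assumption: the reporter's unset credits default to 1 each. */
    struct credits reported = {8, 1, 1, 1, 1};
    struct credits zeroed = {8, 0, 0, 0, 0};   /* the setting Comment 1 suggests */
    const char *samples[] = {"aB3$xy", "abcdefg", "aB3$xyzw"};   /* constructed */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s len=%zu  minlen=8 alone: need %d, %s | credits=0: need %d, %s\n",
               samples[i], strlen(samples[i]),
               required_length(&reported, samples[i]),
               length_ok(&reported, samples[i]) ? "accepted" : "rejected",
               required_length(&zeroed, samples[i]),
               length_ok(&zeroed, samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

With all four credits at 0 the required length is minlen for every password, which is the behaviour the report expected from minlen=8 on its own.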